workflow-automation
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill is very vague, asks for an undeclared API key, and points to a Python script that is not included in the package.
Review this skill before installing or using it. Ask the publisher to include the referenced Python script, declare the required credential, and explain exactly what service the API key belongs to and what actions the automation can perform.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could provide a sensitive automation credential without understanding what account or actions it authorizes.
The skill requests an API key but does not identify the provider, required permissions, how the key will be used, or safe scoping. The supplied metadata also declares no required env vars or primary credential.
Set required environment variables: export AUTOMATION_API_KEY="your-api-key"
Do not provide an API key until the skill clearly documents the service, minimum required scopes, how the key is stored and used, and declares the credential in metadata.
The skill may not work as installed, or a user/agent might end up running an unrelated local script with the same path/name.
The central usage command references a helper script, but the supplied package is instruction-only with only SKILL.md present. That creates a provenance gap for the code the user or agent would actually run.
python3 scripts/workflow_automation.py --input <input> --output <output>
Require the package to include the referenced script or remove the command. Review any external script before running it, especially if it will receive an API key.