FlowForge Workflow Engine
Security checks across static analysis, malware telemetry, and agentic risk
Overview
FlowForge is a coherent workflow runner, but it lets workflow files drive agents and sub-agents to completion, including potentially high-impact steps, without clear built-in approval boundaries.
Before installing, verify the external FlowForge CLI package, run only workflows you trust, and add explicit approval gates before steps that push code, create PRs, deploy, delete data, or publish anything. Expect workflow state and summaries to persist locally.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A workflow file could cause the agent to follow instructions the user did not clearly approve.
Workflow YAML task text is made authoritative for the agent. If a workflow file is broader than the user intended or comes from an untrusted workspace, it can steer the agent's goals without an explicit trust check.
The agent executing the workflow uses this text as instructions.
Run only trusted workflows, review YAML before use, and add explicit approval steps for sensitive or account-changing actions.
The agent could push code or create public/account-visible changes if the user runs such a workflow with existing GitHub access.
An included workflow example contains account- and repository-mutating actions. Under the skill's run-to-completion model, such steps may be executed as normal workflow progress without a separate approval gate.
Create a pull request: ... Push branch to fork/origin ... Create PR via GitHub UI or gh CLI
Require user confirmation before pushing branches, creating pull requests, deploying, deleting, or posting public content.
Sub-agents may receive and act on workflow task details, potentially with similar access to tools or project context.
The skill deliberately delegates workflow tasks to sub-agents. This is purpose-aligned, but the artifacts do not define separate permission, context, or data-sharing boundaries for those sub-agents.
MUST spawn a sub-agent: sessions_spawn( task: action.task, mode: "run", label: "flowforge-<workflow>-<node>" )
Use sub-agent workflow nodes only for trusted tasks and avoid passing secrets or sensitive data unless the sub-agent boundary is understood.
Installing the external CLI gives that npm package code execution on the user's machine.
The skill depends on an external global npm CLI that is not included in the scanned artifacts. This is disclosed and central to the purpose, but it is still a provenance and versioning point users should verify.
npm install -g @kagura-agent/flowforge
Verify the npm package publisher/source, consider pinning a known-good version, and install only in environments where you trust the package.
Workflow results or summaries may remain available after the session ends.
The skill intentionally persists workflow state and asks for results to be logged. This is disclosed, but persisted summaries can contain sensitive task details.
State persists. Workflows survive session restarts. Use `flowforge active` to resume.
- Post-run: Record results in your daily log.
Avoid logging secrets, review the local FlowForge database and daily log locations, and clear persisted workflow state when appropriate.
