ClawHub

FlowForge

Security checks across malware telemetry and agentic risk

Overview

FlowForge is a coherent workflow runner, but it persistently broadens its own activation rules and can execute local workflow instructions that include file changes and PR publication without clear approval gates.

Install only if you trust the FlowForge CLI and will review workflow YAML before running it. Require explicit approval before the agent edits SKILL.md triggers, writes workflow files, records results to memory/logs, modifies repositories, pushes branches, creates PRs, or runs workflows from project/home directories. Back up ~/.flowforge before using reset commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to self-modify both the workflow mapping table and the YAML frontmatter description to expand future trigger phrases. This changes the skill's activation surface over time in a way unrelated to the core task of executing workflows, creating a persistence and prompt-scope escalation risk where the skill can become increasingly broadly auto-invoked without user review.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The post-run rule directs the agent to write workflow outcomes into a memory or log system outside the immediate workflow execution scope. This can cause unintended persistence of potentially sensitive task data without clear user consent or limits on what gets recorded.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The description includes the broad trigger phrase "step by step," which is common in benign user requests and can cause the skill to activate when the user is not asking for FlowForge specifically. Unintended activation increases the chance that the agent starts using persistent workflow state, CLI actions, or file-writing behaviors in contexts where they were not expected.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill tells the agent to draft and save YAML workflow files into the workspace or workflows directory without warning that this modifies user files. That can lead to unauthorized changes to the user's environment, accidental overwrites, or creation of executable workflow definitions that persist beyond the current session.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The instruction to write results to workspace memory or logs lacks a user-facing warning or consent step. Even if intended for convenience, it can silently persist sensitive data or task history in locations the user did not expect.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The workflow description is broad enough that an agent may invoke it for many loosely related coding requests, even when the user did not explicitly intend repository modification or contribution actions. Because the workflow later includes implementation, testing, pushing branches, and creating pull requests, ambiguous activation scope can cause unnecessary or unauthorized code changes in a real environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow directs the agent to write code, modify files, push a branch, and create a pull request, but it does not warn that these are state-changing actions requiring explicit user authorization. In an agentic environment, missing warnings and consent gates can lead to unintended code changes, external publication of work, or submission of artifacts to remote repositories without the user's informed approval.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide documents a destructive reset command that deletes FlowForge state, but it does so without an explicit warning that this irreversibly removes workflow history and local state. In an agent-oriented setup guide, users may copy commands verbatim, so omission of a data-loss warning creates a real safety issue even if the command is narrowly scoped to `~/.flowforge`.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal