Security audit

Agent Workflow

Security checks across malware telemetry and agentic risk

Overview

This workflow plugin appears purpose-aligned and local-only, with some documentation ambiguities users should notice before approving cleanup or delegation steps.

Before installing, be comfortable with a plugin that stores workflow state locally under the OpenClaw workspace and guides agents through planning, subagent delegation, reviews, and delivery. Pay close attention to any cleanup prompt: only approve deletion when the listed files are clearly temporary workflow artifacts. For subagent use, avoid forwarding secrets or unnecessary private context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The skill gives conflicting instructions for Option 2: it says to keep the working copy until review is complete, then separately says to clean up the workspace in Step 5, while later sections state cleanup is only for Options 1 and 4. This ambiguity can cause an agent to delete review-related artifacts too early or behave inconsistently across runs, risking loss of work and incorrect delivery handling.

Intent-Code Divergence

Severity: Low
Confidence: 96%
Finding:
The 'Always' section says to clean up workspace for Options 1 and 4 only, but earlier instructions indicate Option 2 also leads to workspace cleanup. This inconsistency weakens guardrails around destructive actions and may lead different agents or implementations to remove files when they should be preserved, or to skip cleanup when it is expected.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill's integration section routes to `agent-workflow:finishing-work`, which is a different skill namespace than the manifested skill `subagent-driven-execution`. This mismatch can cause the agent to invoke an unintended skill or fail open into the wrong workflow, creating confusion in control flow and weakening guarantees about which instructions and trust boundaries actually apply.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding:
The document claims subagents should 'never inherit' session context, but the process explicitly has the main agent answer subagent questions and provide additional context. This contradiction undermines the intended isolation model and can lead to sensitive session information being progressively disclosed to subagents despite the safety claim, increasing the risk of data leakage or scope creep.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The skill file is declared as `writing-plans`, but the plan header instructs executors to use `agent-workflow:subagent-driven-execution` or `agent-workflow:executing-plans`. This creates an identity and control-flow mismatch that can cause the agent to invoke a different skill chain than the user intended, expanding the trust boundary and enabling unintended behavior through transitive skill execution.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
The startup announcement says, "I'm using the writing-plans skill to create the execution plan," while the surrounding skill metadata and repository context identify this as part of an `agent-workflow` plugin. Contradictory identity cues can mislead users, logs, and orchestration layers about which capability is active, making auditability and policy enforcement weaker and potentially allowing misrouted or unauthorized workflow actions.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding:
The documented guarantee for goto() is not upheld: moveToNode() can leave the previously active node still marked active while also marking the target active, and it intentionally leaves prior history entries open. This can corrupt workflow invariants, causing inconsistent state, incorrect progress/accounting, and downstream logic errors if other components assume only one active node and properly closed history records.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The skill metadata says it should trigger only for concrete, reproducible debugging, but the body expands usage to 'ANY unexpected situation,' which can cause the agent to invoke this workflow far outside its intended scope. That broad activation can override more appropriate skills or force unnecessary diagnostic behavior, leading to misrouting, degraded agent behavior, and reduced reliability of task handling.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger description is extremely broad: it says to apply before claiming any work is complete, correct, or passing, and before wrapping up any task. In an agent system with many skills, this can cause pervasive invocation in routine conversations and ordinary task endings, increasing instruction load and creating opportunities for unintended workflow interference or prompt-priority conflicts.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.