Agent Workflow Skill

Pass

Audited by VirusTotal on May 5, 2026.

Overview

Type: OpenClaw Skill
Name: agent-workflow-skill
Version: 1.0.0

The skill bundle implements a standard task-planning and execution framework that decomposes user requests into a Directed Acyclic Graph (DAG) for parallel processing. The core logic in core/executor.py and core/planner.py focuses on task orchestration and LLM-based planning, while the tools defined in core/tools.py are harmless stubs that return formatted strings. No evidence of data exfiltration, malicious command execution, or harmful prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or running the demo may require an OpenAI API key and could incur provider usage charges.

Why it was flagged

The skill reads an OpenAI API key from the environment, while the registry metadata declares no required env vars or primary credential. The use is consistent with the LLM-planning purpose and there is no evidence of credential logging or exfiltration.

Skill content
client = OpenAI(api_key=os.getenv("OPENAI_API_KEY"))
Recommendation

Use a scoped OpenAI key, avoid committing .env files, and treat the missing registry credential declaration as a packaging/documentation issue to verify before use.

What this means

Sensitive information included in a task request could be transmitted to the OpenAI API.

Why it was flagged

User task text is sent to OpenAI to generate the task graph. This external provider flow is disclosed by the README and is central to the skill's purpose, but users should understand that task descriptions leave the local environment.

Skill content
response = client.chat.completions.create(
                model="gpt-4o-mini",
Recommendation

Do not include secrets, private credentials, or confidential data in prompts unless you are comfortable sending them to the configured provider.

What this means

If extended with real tools, one user request could lead to multiple actions being planned and run.

Why it was flagged

The skill intentionally instructs the agent to create and execute multi-step workflows, including parallel independent steps. In the provided code the tools are only stub functions, so this is purpose-aligned, but the pattern becomes more sensitive if connected to real mutating tools.

Skill content
Execute tasks in order
4. Parallelize independent steps
Recommendation

Review generated task graphs and require confirmation before connecting this workflow executor to tools that modify files, accounts, public content, or production systems.

What this means

Users may need to manually determine dependencies such as openai and python-dotenv before running the demo.

Why it was flagged

The README references a requirements.txt dependency file, but the provided file manifest does not include one and the registry has no install spec. This is a packaging/provenance gap, not evidence of malicious behavior.

Skill content
pip install -r requirements.txt
Recommendation

Verify dependencies before installation and prefer a complete package with pinned requirements.