Command Flow
Review
Audited by ClawScan on May 10, 2026.
Overview
Command Flow is mostly a command-listing helper, but it marks powerful OpenClaw admin, token, scheduler, and message commands as safe while advertising easy execution.
Use this only as a command reference unless the safety labels are improved. Do not rely on green labels for commands that manage devices, tokens, messages, cron jobs, agents, gateways, plugins, or installed skills; require explicit review before running those actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may treat account, token, message, scheduler, or system-management commands as low-risk and run them without the caution those actions deserve.
Device/token management and message management are high-impact actions, but the generated catalog labels them as safe rather than warning or hidden.
slug: 'devices' ... description: 'Device pairing + token management', safety: SAFETY.SAFE ... slug: 'message' ... description: 'Send, read, and manage messages', safety: SAFETY.SAFE
Reclassify high-impact commands as warning or hidden, require per-command confirmation, and show the exact command and impact before any execution or command insertion.
The wording could over-reassure non-technical users and make them trust the green labels more than they should.
The skill makes strong safety assurances, including 'no risk, direct execution,' while the implementation marks powerful platform commands as safe.
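# ✅ Passed self-review (v1.0.1) ... | 🟢 Safe | Green | No risk, direct execution | ... ✅ **Secondary confirmation** - Dangerous operations require mandatory confirmation, no worry about accidental clicks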
Avoid absolute claims like 'no risk'; describe safety labels as guidance only and clearly disclose that built-in OpenClaw commands may have their own risks.
Common help requests may be routed through this skill's command view and safety labels instead of another built-in help flow.
The skill intentionally claims common help and command-navigation phrases at critical priority, which is purpose-aligned for a command dashboard but broad.
"triggers": ["斜杠命令", "所有命令", "/help", "/commands", ... "下一页", "上一页"], "priority": "critical"
Keep broad triggers only if necessary, and make it clear when the user is viewing Command Flow's catalog rather than official command approval.
If the helper script is run, it will execute a local command and modify a file in the skill directory.
Running this helper executes the local OpenClaw CLI and writes a generated JavaScript file. The command is fixed and purpose-aligned, and no install-time auto-run is shown.
const output = execSync('openclaw --help', { encoding: 'utf8' }); ... fs.writeFileSync(outputPath, code, 'utf8');
Run the helper only deliberately, and document that it executes `openclaw --help` and regenerates local command metadata.
That command may fail or run code outside the reviewed package if a local sibling dashboard exists.
The `/skills` command depends on a sibling `skill-dashboard` file that is not included in this skill's manifest, so behavior depends on local external code.
const { showDashboard } = require('../skill-dashboard/dashboard.js'); return await showDashboard(1);
Declare the dependency explicitly or include the needed dashboard code within the skill package.
