Automation Workflows Litiao

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Connected services may let the automation read or modify data in tools such as forms, spreadsheets, CRMs, email systems, and project-management apps.

Why it was flagged

The skill expects users to connect third-party accounts to automation platforms. This is purpose-aligned, but OAuth grants can allow changes in connected business tools.

Skill content

Connect your account (authenticate via OAuth)

Recommendation

Grant the minimum necessary permissions, review OAuth scopes carefully, and revoke access for unused automations.

What this means

Personal or business data submitted through one tool could be copied into multiple other tools and notifications.

Why it was flagged

The example workflow moves lead/customer data across several third-party services. This is expected for automation, but it creates data-sharing boundaries the user should review.

Skill content

Add lead to CRM ... Send welcome email ... Create task in ... Notion ... Send me a Slack notification: "New lead: [Name]"

Recommendation

Use only approved services for customer data, avoid unnecessary fields in notifications, and test with safe sample data before sending real customer information through the full workflow.

Note

High Confidence

ASI10: Rogue Agents

What this means

A workflow can keep acting on future triggers, potentially sending messages, creating records, or syncing data after the initial setup session.

Why it was flagged

The skill guides users to enable workflows that continue running after setup. This persistence is disclosed and central to the purpose, but it should be monitored.

Skill content

Turn on workflow (Zapier calls this "turn on Zap")

Recommendation

Start with narrow triggers, add error notifications, periodically audit enabled workflows, and keep a clear disable/rollback plan.

What this means

It may be harder to confirm whether this is the exact package/version the registry claims.

Why it was flagged

The packaged metadata differs from the supplied registry metadata, which lists a different owner, slug, and version. With no code or installer present, this is a provenance consistency note rather than evidence of harmful behavior.

Skill content

"ownerId": "kn732qfbv22he1jqm63xbwq6e980kn8s", "slug": "automation-workflows", "version": "0.1.0"

Recommendation

Verify the publisher and registry listing if provenance matters, especially before relying on it for business-critical automation guidance.