Automation Workflows Moss
PassAudited by ClawScan on May 1, 2026.
Overview
The artifacts show a coherent instruction-only automation guide with no code, but users should review connected-account permissions, cross-tool data sharing, and the metadata mismatch before enabling workflows.
This skill appears safe as an instruction-only automation playbook. Before using it for live workflows, verify the publisher/version, connect only the accounts needed, limit OAuth scopes, test with non-production or draft data when possible, review every field that will be copied between tools, and make sure each automation has error alerts and an easy way to turn it off.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Connected automations may be able to read or update data in the accounts the user authorizes.
The skill tells users to authorize third-party automation tools. This is expected for Zapier/Make/n8n workflows, but it grants delegated access to business accounts.
Connect your account (authenticate via OAuth)
Use least-privilege account connections where possible, review OAuth scopes, and revoke access for unused automations.
A misconfigured automation could create incorrect records, send unintended messages, or notify the wrong channel.
The example workflow intentionally chains actions across multiple services, so one bad trigger or field mapping could propagate errors across business systems.
Step 1: Add lead to CRM ... Step 2: Send welcome email ... Step 3: Create task ... Step 4: Send me a Slack notification
Test in drafts or sandbox accounts when possible, add filters and deduplication, and confirm behavior before turning workflows on.
Lead, customer, or business data may be copied into multiple third-party tools and workspaces.
The skill recommends moving business data between external providers. This is aligned with automation, but users should be deliberate about which data fields are shared.
Sync data between tools (CRM ↔ email tool ↔ spreadsheet)
Map only necessary fields, avoid sending sensitive details to broad notification channels, and check each provider's privacy and retention settings.
It may be harder to confirm the exact publisher and version lineage of the skill.
The bundled metadata differs from the supplied registry metadata, which lists a different owner ID, slug, and version. Because the skill is instruction-only and has no install code, this is a provenance note rather than evidence of harmful behavior.
"ownerId": "kn732qfbv22he1jqm63xbwq6e980kn8s", "slug": "automation-workflows", "version": "0.1.0"
Confirm the registry listing and publisher before relying on updates or installing in a sensitive workspace.