Power Automate Governance

Review

Audited by ClawScan on Apr 30, 2026.

Overview

This instruction-only skill is purpose-aligned for FlowStudio governance, but users should understand it can use a FlowStudio token to persistently update governance metadata and notification settings at scale.

This skill appears coherent for FlowStudio-based Power Automate governance. Before installing, confirm you trust the FlowStudio MCP provider, use a scoped FLOWSTUDIO_MCP_TOKEN, and review any proposed bulk updates to classifications, ownership fields, monitoring flags, or notification email rules.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill can change persistent FlowStudio governance records and notification behavior for flows.

Why it was flagged

The skill is explicitly designed to call a write-capable governance tool that can change monitoring, classification, owner/support metadata, and notification recipients. This is purpose-aligned and disclosed, but users should notice that it is not read-only.

Skill content

`update_store_flow` writes governance metadata to the **Flow Studio cache only** ... Settable Fields ... `monitor`, `rule_notify_onfail`, `rule_notify_email`, `businessImpact`, `ownerTeam`, `supportEmail`, `critical`

Recommendation

Review proposed write operations, especially bulk changes and notification recipient updates, before allowing them to be applied.

What this means

Anyone or any agent process with access to the token may be able to read or update FlowStudio governance information according to the token's permissions.

Why it was flagged

The skill requires a FlowStudio MCP token. The credential requirement is declared and purpose-aligned, but the token likely represents delegated access to FlowStudio governance data and write tools.

Skill content

metadata: openclaw: requires: env: - FLOWSTUDIO_MCP_TOKEN ... primaryEnv: FLOWSTUDIO_MCP_TOKEN

Recommendation

Use the least-privileged FlowStudio token available, keep it out of shared logs or prompts, and rotate it if it may have been exposed.

What this means

Changes on the FlowStudio MCP side could affect what tools or schemas the agent uses for governance tasks.

Why it was flagged

The skill depends on external FlowStudio MCP tool discovery and API responses rather than bundled code or pinned local schemas. That is coherent for an MCP-based skill, but it means users rely on the provider-side tool definitions and service behavior.

Skill content

Discovery: load tool schemas via the meta-tools rather than `tools/list` — call `tool_search` ... If this document disagrees with a real API response, the API wins.

Recommendation

Install only if you trust the FlowStudio MCP provider and periodically review the actual tools exposed to the agent.

What this means

Bad or overly sensitive metadata could persist in FlowStudio and influence future governance reviews or expose internal context to users with FlowStudio access.

Why it was flagged

The skill reads and writes persistent cached governance context. This is intended, but inaccurate or sensitive content placed in those fields may be reused for later audits, classifications, or reports.

Skill content

`update_store_flow` writes governance metadata to the **Flow Studio cache only** ... fields include `description`, `tags`, `businessJustification`, `businessValue`, `security`

Recommendation

Do not store secrets in governance fields, and periodically review descriptions, tags, security notes, and business justification fields for accuracy.

What this means

Flow governance data, classifications, and notification settings may pass through the configured FlowStudio MCP service.

Why it was flagged

The skill relies on an external MCP service boundary for FlowStudio data and actions. This is disclosed and central to the skill, but users should recognize that governance data is exchanged through that MCP provider.

Skill content

Govern Power Automate flows and Power Apps at scale using the FlowStudio MCP cached store ... Requires a FlowStudio for Teams or MCP Pro+ subscription

Recommendation

Use this skill only with a trusted FlowStudio MCP endpoint and account, and confirm organizational approval for sending governance metadata through that service.

What this means

A mistaken classification, owner assignment, or notification rule could affect many flows' governance records at once.

Why it was flagged

The skill is intended for at-scale governance workflows across many flows. Bulk metadata or notification mistakes could propagate across multiple FlowStudio records, although the instructions also state these writes affect the FlowStudio cache rather than the live Power Automate flows.

Skill content

Govern Power Automate flows and Power Apps at scale ... For each flow ... get_store_flow ...

Recommendation

Prefer preview or small-batch reviews before broad updates, and keep a record of changed fields so mistakes can be corrected.