Skill v1.0.0

ClawScan security

Power Automate Monitoring · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 11:03 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's name, token requirement, and read-oriented tooling mostly match its monitoring purpose, but the runtime instructions expose write-capable store tools (start/stop flows, update flags) and contain a contradictory scope statement — this mismatch deserves caution before installing.
Guidance
Before installing: (1) Verify the exact scopes of FLOWSTUDIO_MCP_TOKEN — prefer a read-only token if you only want monitoring. (2) Confirm whether set_store_flow_state and update_store_flow are truly needed; if not, restrict the agent/tool permissions or avoid loading this skill. (3) If you must allow write-capable tokens, require explicit user approval for any action that changes flow state and consider disabling autonomous invocation for this skill. (4) Confirm the FlowStudio homepage and pricing pages are legitimate and that tokens are issued by the expected service. If you can't verify token scopes or the presence of read-only enforcement, treat this skill as higher-risk and proceed with caution.

Review Dimensions

Purpose & Capability
note: Name/description target tenant-wide Power Automate monitoring via a FlowStudio MCP cached store. The single declared env var (FLOWSTUDIO_MCP_TOKEN) is consistent with that purpose. No unrelated binaries or installs are requested.
Instruction Scope
concern: SKILL.md primarily describes read-only, cached-store monitoring, but the listed tools include set_store_flow_state and update_store_flow (start/stop flows, set monitor/notification rules). That introduces write/runtime-control actions inconsistent with the 'monitor-only' guidance and the initial 'load only for aggregated views' warning. The instructions also ask the agent to use tool discovery (tool_search) and to stop on 403/404 — reasonable — but the presence of write operations increases risk and needs explicit scope limits.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — minimal disk/write risk. The regex scanner had nothing to analyze, which is expected for an instruction-only skill.
Credentials
note: Only FLOWSTUDIO_MCP_TOKEN is required and is the declared primary credential, which aligns with a FlowStudio MCP integration. However, because the skill exposes tools that can modify flows/metadata, you should confirm the token's scope (read-only vs read-write) before granting it — a write-capable token would be disproportionate for a monitoring-only use-case.
Persistence & Privilege
ok: Skill is not always:true, is user-invocable, and uses default model invocation behavior. It requests no config paths and does not declare writing other skills' configs. Autonomous invocation is allowed by default but not combined with other high-privilege flags here.