Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workflow Orchestrator

Chain skills into automated pipelines with conditional logic, error handling, and audit logging. Define workflows in YAML or JSON, then execute them hands-fr...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 959 · 7 current installs · 7 all-time installs
by ArcSelf @Trypto1019
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description (workflow orchestration) align with the included Python script and required binary (python3). It legitimately needs to execute local skill scripts (e.g., scanner, gitops, audit) to implement pipelines.
Instruction Scope (flagged)
SKILL.md promises variable substitution including environment variables ({env.VAR_NAME}) and shows commands with JSON payloads, braces, and other shell characters. The implementation explicitly blocks {env.*} substitutions and rejects many shell metacharacters (including '{', '}', '$', '`', '|', ';', etc.) after substitution. This is an inconsistency: the docs suggest richer substitution and shell-like commands, while the runtime forbids them — templates and examples in SKILL.md likely contain characters that will be blocked. The orchestrator can run arbitrary local commands (expected for its purpose) but that capability means workflows must be trusted and reviewed.
Install Mechanism
No install spec; single Python script included. Instruction-only / script bundle is low-install-risk. YAML support depends on PyYAML being present; otherwise only JSON workflows are supported.
Credentials (flagged)
The skill declares no required environment variables (proportional). However, SKILL.md claims environment variable substitution is available while the code deliberately blocks access to {env.*} and also rejects '$' in commands. This mismatch is confusing and could lead operators to assume environment values will be used when they will not (or remain as literal placeholders).
Persistence & Privilege
Does not request persistent/always-on presence and does not modify other skills' config. It runs with the invoking user's privileges when executing commands (normal for an orchestrator), so workflows will have the same local access rights as the user.
What to consider before installing
This skill is plausible for automating local pipelines, but there are important inconsistencies to address before trusting it:

  1. The SKILL.md says you can use {env.VAR_NAME}, but the code blocks env substitution, so environment values will not be injected as documented.
  2. The script blocks many shell metacharacters (including '{', '}', '$', '|', ';', etc.), yet examples and templates include JSON blobs and other characters that will likely cause the orchestrator to 'BLOCK' those steps.
  3. The orchestrator executes arbitrary local commands and other skill scripts under your user account; review any workflows and the target scripts (~/.openclaw/skills/...) for sensitive file reads or network calls before running.

Recommended precautions:

  • Run with --dry-run first.
  • Inspect and test workflows and templates locally.
  • Verify PyYAML behavior if you use YAML workflows.
  • Only point workflows at trusted skill scripts.

If you need environment-variable substitution or JSON payloads in commands, either modify the orchestrator to safely support them or avoid using this skill until those mismatches are fixed.


Current version: v1.1.0
latest: vk973berdnbb4s9tk260xa0hrrd81ax2h


Runtime requirements

Clawdis
OS: macOS · Linux
Bins: python3

SKILL.md

Workflow Orchestrator

Chain skills into automated pipelines. Define a sequence of steps, and the orchestrator runs them in order with conditional logic, error handling, and optional audit logging.

Why This Exists

Agents run multiple skills but manually. Scan a skill, diff against the previous version, deploy if safe, log the result. That's 4 steps, 4 commands, and one missed step means a gap in your process. Workflows automate the sequence and ensure nothing gets skipped.

Commands

Run a workflow from a YAML file

python3 {baseDir}/scripts/orchestrator.py run --workflow workflow.yaml

Run a workflow from JSON

python3 {baseDir}/scripts/orchestrator.py run --workflow workflow.json

Dry run (show steps without executing)

python3 {baseDir}/scripts/orchestrator.py run --workflow workflow.yaml --dry-run

List available workflow templates

python3 {baseDir}/scripts/orchestrator.py templates

Validate a workflow file

python3 {baseDir}/scripts/orchestrator.py validate --workflow workflow.yaml

Workflow Format (YAML)

name: secure-deploy
description: Scan, diff, deploy, and audit a skill update
steps:
  - name: scan
    command: python3 ~/.openclaw/skills/skill-scanner/scripts/scanner.py scan --path {skill_path} --json
    on_fail: abort
    save_output: scan_result

  - name: diff
    command: python3 ~/.openclaw/skills/skill-differ/scripts/differ.py diff {skill_path} {previous_path}
    on_fail: warn

  - name: deploy
    command: python3 ~/.openclaw/skills/skill-gitops/scripts/gitops.py deploy {skill_path}
    condition: scan_result.verdict != "CRITICAL"
    on_fail: rollback

  - name: audit
    # block scalar: the JSON payload contains ': ', which a plain YAML scalar cannot hold
    command: >-
      python3 ~/.openclaw/skills/compliance-audit/scripts/audit.py log --action "skill_deployed" --details '{"skill": "{skill_name}", "scan": "{scan_result.verdict}"}'
    on_fail: warn

Step Options

  • name — Human-readable step name
  • command — Shell command to execute (supports variable substitution)
  • on_fail — What to do if the step fails: abort (stop workflow), warn (log and continue), rollback (undo previous steps), retry (retry up to 3 times)
  • condition — Optional condition to check before running (references saved outputs)
  • save_output — Save stdout to a named variable for use in later steps
  • timeout — Max seconds to wait (default: 60)
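As an added illustration of the checks a validate pass can apply to these step options (example code written for this page, not the skill's orchestrator.py), the function below walks a workflow dict, rejects unknown on_fail values and non-positive timeouts, flags {env.*} references the runtime will not substitute, and reports a condition that references a save_output no earlier step has defined. The on_fail set and the default timeout come from the list above; the constructed BROKEN workflow and its script names are assumptions.

```python
import re

ON_FAIL = {"abort", "warn", "rollback", "retry"}       # values listed under Step Options
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_.]*)\}")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate(workflow):
    """Static checks in the spirit of the 'validate' command; returns a list of problems (empty = OK)."""
    problems = []
    known = set(workflow.get("vars", {}))      # names a step may reference in {placeholders}
    saved = set()                               # save_output names defined by earlier steps
    for i, step in enumerate(workflow.get("steps", []), 1):
        where = f"step {i} ({step.get('name', 'unnamed')})"
        command = step.get("command")
        if not command:
            problems.append(f"{where}: missing command")
        on_fail = step.get("on_fail", "abort")
        if on_fail not in ON_FAIL:
            problems.append(f"{where}: unknown on_fail '{on_fail}'")
        timeout = step.get("timeout", 60)
        if not isinstance(timeout, int) or timeout <= 0:
            problems.append(f"{where}: timeout must be a positive integer")
        for ref in PLACEHOLDER.findall(command or ""):
            if ref.startswith("env."):
                problems.append(f"{where}: {{{ref}}} will not be substituted (env access is blocked)")
            elif ref.split(".")[0] not in known:
                problems.append(f"{where}: {{{ref}}} is not a var or an earlier save_output")
        condition = step.get("condition")
        if condition and not (set(IDENT.findall(condition)) & saved):
            problems.append(f"{where}: condition references no earlier save_output")
        if "save_output" in step:
            saved.add(step["save_output"])
            known.add(step["save_output"])
    return problems


# Constructed workflow with deliberate mistakes: condition before its output, env reference, bad on_fail, zero timeout.
BROKEN = {
    "vars": {"skill_path": "~/.openclaw/skills/my-skill"},
    "steps": [
        {"name": "deploy", "command": "echo deploy", "condition": 'scan_result.verdict != "CRITICAL"', "on_fail": "retry"},
        {"name": "scan", "command": "scanner.py scan --path {skill_path} --json", "save_output": "scan_result"},
        {"name": "audit", "command": "audit.py log --user {env.USER}", "on_fail": "ignore", "timeout": 0},
    ],
}
```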

Variable Substitution

Use {variable_name} in commands to reference:

  • Workflow-level variables defined in the vars section
  • Saved outputs from previous steps
  • Environment variables with {env.VAR_NAME}

Built-in Templates

The orchestrator ships with these workflow templates:

  1. secure-deploy — Scan → Diff → Deploy → Audit
  2. daily-scan — Scan all installed skills, report findings
  3. pre-install — Scan → Typosquat check → Install → Audit

Example: Secure Deploy Pipeline

name: secure-deploy
vars:
  skill_path: ~/.openclaw/skills/my-skill
  skill_name: my-skill
steps:
  - name: security-scan
    command: python3 ~/.openclaw/skills/skill-scanner/scripts/scanner.py scan --path {skill_path} --json
    save_output: scan
    on_fail: abort
  - name: deploy
    command: echo "Deploying {skill_name}..."
    condition: "CRITICAL not in scan"
    on_fail: abort
  - name: log
    # block scalar: the JSON payload contains ': ', which a plain YAML scalar cannot hold
    command: >-
      python3 ~/.openclaw/skills/compliance-audit/scripts/audit.py log --action workflow_complete --details '{"workflow": "secure-deploy", "skill": "{skill_name}"}'
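The following is an added example, not the skill's orchestrator.py: a dry-run screen that applies the substitution and metacharacter rules described in the security scan above to commands like the ones in these examples, so an operator can see which steps would be blocked before anything runs. The exact block list is an assumption based on the characters the scan summary names; with it, a --details JSON payload is refused because its braces survive substitution, and {env.*} is refused outright.

```python
import re
import shlex

# Assumed block list: the scan summary names '{', '}', '$', '`', '|', ';' "etc."; '&', '<', '>' added here.
BLOCKED_CHARS = set("{}$`|;&<>")
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_.]*)\}")


def resolve(name, variables, outputs):
    """Value for {name}: a workflow var or a saved output; dotted names read a key of a JSON output."""
    if name.startswith("env."):
        raise ValueError(f"environment substitution refused: {{{name}}}")
    head, _, key = name.partition(".")
    if head in variables and not key:
        return str(variables[head])
    if head in outputs:
        value = outputs[head]
        if not key:
            return str(value)
        if isinstance(value, dict) and key in value:
            return str(value[key])
        raise ValueError(f"unknown output field: {name}")
    raise ValueError(f"undefined variable: {name}")


def screen(command, variables, outputs):
    """Return ('OK', argv) or ('BLOCK', reason) for one step's command template."""
    try:
        expanded = PLACEHOLDER.sub(lambda m: resolve(m.group(1), variables, outputs), command)
    except ValueError as exc:
        return "BLOCK", str(exc)
    bad = "".join(sorted(BLOCKED_CHARS.intersection(expanded)))
    if bad:
        return "BLOCK", f"shell metacharacters after substitution: {bad}"
    # argv for subprocess.run(argv) with shell=False; note '~' is not expanded without a shell
    return "OK", shlex.split(expanded)


def dry_run(workflow, outputs):
    """Verdict per step name; 'outputs' stands in for save_output results of earlier steps."""
    variables = workflow.get("vars", {})
    return {s["name"]: screen(s["command"], variables, outputs)[0] for s in workflow["steps"]}


# Constructed workflow mirroring the SKILL.md examples; SAVED is a constructed scan result.
WORKFLOW = {
    "vars": {"skill_path": "~/.openclaw/skills/my-skill", "skill_name": "my-skill"},
    "steps": [
        {"name": "scan", "command": "python3 ~/.openclaw/skills/skill-scanner/scripts/scanner.py scan --path {skill_path} --json"},
        {"name": "env-test", "command": "echo {env.HOME}"},
        {"name": "audit", "command": "python3 ~/.openclaw/skills/compliance-audit/scripts/audit.py log --action skill_deployed --details '{\"skill\": \"{skill_name}\", \"scan\": \"{scan_result.verdict}\"}'"},
    ],
}
SAVED = {"scan_result": {"verdict": "LOW", "findings": 0}}
```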

Tips

  • Start with --dry-run to verify your workflow before executing
  • Use on_fail: abort for security-critical steps
  • Chain with the compliance audit skill for full traceability
  • Keep workflows in version control for reproducibility
