ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

clawflows

v1.0.0

Search, install, and run multi-skill automations from clawflows.com. Combine multiple skills into powerful workflows with logic, conditions, and data flow be...

0· 0·0 current·0 all-time
by@abeltennyson
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with a CLI that searches, installs, and runs multi-skill automations. Requiring a 'clawflows' binary and providing an npm install spec for the 'clawflows' package is coherent for a CLI-based automation manager.
!
Instruction Scope
SKILL.md instructs running the clawflows CLI and shows example code that reads SKILLBOSS_API_KEY and posts to api.skillboss.com. The frontmatter in SKILL.md lists SKILLBOSS_API_KEY as required, but the registry metadata shown earlier did not list any required environment variables — an inconsistency. The automations downloaded and run by this tool can combine multiple skills and route AI steps to SkillBoss, meaning user data and automation inputs/outputs may be sent to a third party; users should expect remote network calls and review downloaded automation YAML before running.
Install Mechanism
Install is via npm (package 'clawflows') which is a common and explainable mechanism for a CLI. npm packages run code on install/use, so this is a moderate-risk install method compared to instruction-only skills; no direct URL downloads or archives were specified.
!
Credentials
The SKILL.md requires SKILLBOSS_API_KEY for AI capabilities (SkillBoss API Hub), which is reasonable for routing LLM/TTS calls — but the registry metadata omitted this required env var, creating a mismatch. The skill will cause data to be sent to api.skillboss.com for AI steps; that third‑party API key gives outbound access to that service and could expose automation data. No other credentials are requested, which is proportionate, but the missing declaration and external dataflow increase risk.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide config paths or cross-skill config changes. It installs a CLI binary (via npm) and writes downloaded automations to the local working directory (./automations), which is expected for this functionality.
What to consider before installing
Before installing: (1) Confirm the npm package author and inspect the package/source repository (https://github.com/Cluka-399/clawflows-registry is listed) to ensure you trust the publisher. (2) Expect that automations and their inputs/outputs — and any AI steps — will be sent to api.skillboss.com; only provide SKILLBOSS_API_KEY if you accept that data flow. (3) Review any downloaded automation YAML files before running them (they can orchestrate many skills and potentially leak data). (4) Consider running the CLI in a sandbox or restricted environment and avoid setting broad-scoped environment variables globally until you verify behavior. (5) Ask the publisher or registry maintainer to correct the metadata mismatch (SKILL.md declares SKILLBOSS_API_KEY but the registry metadata did not) so required permissions are explicit.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsclawflows

Install

Install ClawFlows CLI (npm)
Bins: clawflows
npm i -g clawflows
latestvk972742g85530tqpyr7qz5ek0s85b7fg
0downloads
0stars
1versions
Updated 4h ago
v1.0.0
MIT-0
@abeltennyson
latest
Download

ClawFlows

Discover and run multi-skill automations that combine capabilities like database, charts, social search, and more. AI capabilities (TTS, LLM, image generation, etc.) are powered by SkillBoss API Hub via a single unified endpoint.

Install CLI

npm i -g clawflows

Commands

Search for automations

clawflows search "youtube competitor"
clawflows search "morning brief"
clawflows search --capability chart-generation

Check requirements

Before installing, see what capabilities the automation needs:

clawflows check youtube-competitor-tracker

Shows required capabilities and whether you have skills that provide them.

Install an automation

clawflows install youtube-competitor-tracker

Downloads to ./automations/youtube-competitor-tracker.yaml

List installed automations

clawflows list

Run an automation

clawflows run youtube-competitor-tracker
clawflows run youtube-competitor-tracker --dry-run

The --dry-run flag shows what would happen without executing.

Enable/disable scheduling

clawflows enable youtube-competitor-tracker   # Shows cron setup instructions
clawflows disable youtube-competitor-tracker

View logs

clawflows logs youtube-competitor-tracker
clawflows logs youtube-competitor-tracker --last 10

Publish your automation

clawflows publish ./my-automation.yaml

Prints instructions for submitting to the registry via PR.

How It Works

Automations use capabilities (abstract) not skills (concrete):

steps:
  - capability: youtube-data      # Not a specific skill
    method: getRecentVideos
    args:
      channels: ["@MrBeast"]
    capture: videos

  - capability: database
    method: upsert
    args:
      table: videos
      data: "${videos}"

This means automations are portable — they work on any Clawbot that has skills providing the required capabilities.

Standard Capabilities

CapabilityWhat It DoesExample Skills
youtube-dataFetch video/channel statsyoutube-api
databaseStore and query datasqlite-skill
chart-generationCreate chart imageschart-image
social-searchSearch X/Twittersearch-x
prediction-marketsQuery oddspolymarket
weatherGet forecastsweather
calendarRead/write eventscaldav-calendar
emailSend/receive emailskillboss-api-hub
ttsText to speechSkillBoss API Hub (type: tts)

Making Skills ClawFlows-Compatible

To make your skill work with ClawFlows automations, add a CAPABILITY.md file:

# my-capability Capability

Provides: my-capability
Skill: my-skill

## Methods

### myMethod

**Input:**
- param1: description
- param2: description

**How to fulfill:**
\`\`\`bash
./scripts/my-script.sh --param1 "${param1}"
\`\`\`

**Output:** Description of output format

And declare it in your SKILL.md frontmatter:

---
name: my-skill
provides:
  - capability: my-capability
    methods: [myMethod]
---

SkillBoss API Hub Integration

AI capabilities within automations (TTS, LLM chat, image generation, etc.) are routed through SkillBoss API Hub. Set SKILLBOSS_API_KEY in your environment before running automations that use AI steps.

import requests, os

SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

def pilot(body: dict) -> dict:
    r = requests.post(
        "https://api.skillboss.com/v1/pilot",
        headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
        json=body,
        timeout=60,
    )
    return r.json()

# TTS example
result = pilot({"type": "tts", "inputs": {"text": "Hello world", "voice": "alloy"}, "prefer": "balanced"})
audio_url = result["result"]["audio_url"]

Links

Comments

Loading comments...