ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MCP Workflow

v1.0.0

Workflow automation using MCP (Model Context Protocol) patterns inspired by Jason Zhou

1· 877·6 current·6 all-time
by@slemo54
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to provide MCP workflow automation (prompt chains, resource embedding, cross-server orchestration) and the included server/script files implement those capabilities. However there are incoherences: SKILL.md and templates reference integrations (e.g., 'config://', 'notion', 'email', 'git://', 'github://', 'linear://') that the server and shell script do not fully implement, and the metadata declares no required binaries even though the runtime clearly needs node and jq. These gaps make it unclear which features are actually supported and why certain resource types are listed.
!
Instruction Scope
Runtime instructions tell the agent/user to run node scripts/mcp-server.js and the shell workflow engine. The server implements memory://, template:// and file:// resources and the shell script reads and writes local files and a .mcp workspace. The server's file:// handler reads arbitrary file paths without sanitization, meaning workflows or prompts that reference file:// can access any file the agent process can read — this is coherent with 'resource embedding' but is high-risk in practice. Also SKILL.md lists config:// resources and describes config at ~/.openclaw/mcp-workflow.json, but the server's ReadResource handler does not implement config:// reading and the server does not read the ~/.openclaw config as described — a direct mismatch between instructions and code.
Install Mechanism
There is no external install spec or network download; the skill is instruction-plus-local-scripts only. No remote archives or installers are fetched by the skill itself, which reduces supply-chain risk. However the code depends on local runtime binaries (node, jq) that are not declared in the registry metadata.
!
Credentials
The registry lists no required environment variables, but the code reads environment variables (e.g., process.env.WORKFLOWS_DIR and the shell script respects MCP_DIR). The shell script and server will read and write files on disk (templates, workflows, .mcp, .mcp-memory.json), but those file-access patterns are not called out in the registry metadata. The skill does not request cloud credentials, which is appropriate, but the lack of declared runtime requirements (node, jq, file-path access) is an unexplained omission.
Persistence & Privilege
always:false (good). The skill writes local state (memory files like .mcp/.workflow-memory.json and templates/workflows in the working directory) and creates an MCP workspace when initialized. It does not request system-wide configuration changes or claim elevated privileges, but it will persist data to disk within the user's project or current directory and can read arbitrary files via file:// URIs.
What to consider before installing
Before installing or running this skill: - Expect to need Node.js and the jq CLI (the scripts call node and jq, but the registry metadata does not declare them). - Review the two included scripts (scripts/mcp-server.js and scripts/workflow-engine.sh) yourself — they read and write files and will read any path given via file:// URIs. Do not run them against sensitive directories or as root. - The server can return arbitrary local files (file://{path}) to workflows; if you run the skill inside an agent with access to your home or project files, workflows or templates could leak data. Consider running inside a sandbox/container with limited filesystem scope. - The SKILL.md mentions config:// and an OpenClaw config at ~/.openclaw/mcp-workflow.json, but the server code does not implement config:// reads nor automatically load that path — verify configuration behavior matches your expectations before relying on it. - If you need integrations (email, Notion, Git providers) verify whether those are actually implemented or whether templates merely reference them. Don’t provide credentials unless you confirm the code will use them only for the intended integrations. - If you’re unsure, run the code in an isolated environment, or ask the skill author for clarification about required binaries, which resource types are implemented, and where the skill will read/write data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97952gytcpsdvbbar9vzbsb4x81h88s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments