ClawHub

Auto Workflow Builder

v1.0.0

Create and manage automated workflows visually with drag-and-drop triggers, actions, conditions, and 100+ integrations without coding.

0· 781·6 current·6 all-time
by@sunshine-del-ux
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description promises a visual, no-code workflow builder with 100+ integrations (AWS Lambda, email/SMS, DB operations, Slack/Discord). However, the package contains no code, no installer, and no integration credentials. The SKILL.md shows only CLI examples calling ./workflow.sh, which is missing. Requesting broad capabilities without shipped code or declared credentials is disproportionate and incoherent.
!
Instruction Scope
Runtime instructions tell an agent or user to run ./workflow.sh create/add-trigger/run, and describe triggers (file changes, DB changes) and actions that imply filesystem, network, and credential access. The SKILL.md is vague about where the script comes from, how credentials are provided, and what data might be transmitted — giving the agent broad, unspecified discretion. That ambiguity increases risk.
!
Install Mechanism
There is no install spec and no code files — normally low risk — but the instructions assume a local executable and Node.js 18+. The absence of any install instructions or sources for workflow.sh is a red flag: the skill expects runtime artifacts that are not present, creating ambiguity about what would be installed or executed.
!
Credentials
The skill claims integrations (AWS Lambda, databases, email/SMS, Slack) that typically require API keys, tokens, or connection strings, yet requires no environment variables or credentials in metadata. This mismatch suggests either missing declarations or an expectation that credentials will be supplied in unspecified ways (prompts, config files, or environment), which is disproportionate and risky.
Persistence & Privilege
The skill does not request persistent privileges (always: false) and does not declare modifications to other skills or system-wide settings. Autonomous model invocation is enabled by default which is normal — it is not by itself a new concern here.
Scan Findings in Context
[no_code_files] unexpected: The static scanner found no code to analyze. For a skill whose README invokes a local script (./workflow.sh) and requires Node.js, the absence of any code or install steps is unexpected and not consistent with the described functionality.
What to consider before installing
Do not install or run this skill as-is. Ask the author for: (1) the source repository or homepage and verifiable release artifacts, (2) an install script or packaged binary for ./workflow.sh, (3) an explicit list of required environment variables/credentials and where they are stored, and (4) the exact network endpoints the workflows will contact. If you must evaluate it, inspect the code before running, run it in an isolated/test environment (air-gapped or container) and avoid supplying real production credentials until you confirm the implementation. If the author provides a public repo and clear install instructions that explain where workflow.sh comes from and what credentials are needed, re-evaluation could move this toward benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk978d93jxyxa1f0v188yvtks3s829899

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments