Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workflow Note (Process Notes)

v1.2.2

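Writing conventions and template for process-building notes. Use it when writing a new note for the workflows/ category. Covers: article structure, content requirements, quality standards, and the publishing process. note-taking defines the global conventions (directory structure, naming, language); this skill defines the specific writing template for the workflows/ category.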

by Tino Chen (@tino-chen)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the actual content: this is a note-writing template for workflows/. It declares no binaries, env vars, or installs and the files are templates/examples — these are proportionate to a documentation/template skill.
! Instruction Scope
The SKILL.md explicitly instructs the agent to read other files from the user's filesystem (e.g., ~/.openclaw/skills/note-taking/SKILL.md, cron tasks, HEARTBEAT.md, AGENTS.md and 'actual configuration' files) and to include 'complete content' in notes. That behavior can legitimately be needed for producing accurate workflow notes, but it also means the agent may read and embed sensitive or unrelated data. Additionally, the SKILL.md contains unicode-control characters (pre-scan finding) which can be used for prompt-injection or to obscure instructions.
Install Mechanism
No install spec and no code files; this is instruction-only so nothing gets written or executed automatically during installation — low install risk.
! Credentials
The skill declares no environment variables or credentials, which is appropriate, but the runtime instructions require access to arbitrary config paths and other skills' SKILL.md without declaring them. That implicit file-access requirement is not reflected in requires/configs and can expose sensitive content (secrets, internal addresses) if followed without safeguards.
Persistence & Privilege
always is false and there is no install-time persistence. The skill does instruct reading other skills' files (e.g., the global note-taking SKILL.md), which is a cross-skill read but not an explicit modification or persistent privilege escalation.
Scan Findings in Context
[unicode-control-chars] unexpected: Prompt-injection detector found unicode control characters in SKILL.md. A writing template typically would not include such characters; they can be used to hide/alter instructions or manipulate parsing. Recommend human review of the raw file to confirm intent.
What to consider before installing
This skill is a documentation/template for writing workflow notes and is mostly coherent, but exercise caution before letting an agent follow it autonomously. Pay attention to two things: (1) SKILL.md instructs the agent to read other local files and to include 'complete content' — that can pull secrets or internal addresses into a public note; require a manual preview step or automatic redaction before publishing. (2) The SKILL.md contains unicode control characters (prompt-injection signal) — open the file in a hex-capable editor or view raw to check for hidden characters and remove them if accidental or malicious. If you want to use this skill safely: run it with model invocation disabled or require explicit user confirmation before any file reads or before inserting file contents into output; restrict its working directory or run it in a sandbox; and ensure it filters/removes API keys, passwords, tokens, and internal hostnames from any included files. My confidence is medium — if you can confirm the unicode-control chars are benign and that the skill enforces redaction of sensitive fields (or you add a manual-review requirement), the risk would drop.
