Workflow Orchestrator

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed workflow runner, but it can run broad local commands hands-free and its rollback behavior only logs instead of undoing actions.

Install only if you trust the workflows you will run. Review every command, start with validate and --dry-run, avoid storing secrets in step output, and do not treat rollback as a real undo mechanism unless explicit reversal steps are present.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A trusted workflow can automate useful tasks, but an unsafe or mistaken workflow could run local programs that modify files, install or deploy skills, or interact with accounts using the user's existing permissions.

Why it was flagged

Workflow files supply command strings that the skill executes locally. Although it uses shell=False and metacharacter blocking, the visible code does not restrict commands to a safe allowlist or require confirmation before running each step.

Skill content
command = substitute_vars(step.get("command", ""), variables)
...
result = subprocess.run(cmd_parts, shell=False, capture_output=True, text=True, timeout=timeout)

Recommendation

Run only trusted workflow files, use validate and --dry-run first, and add allowlists or explicit approval gates for destructive or account-changing steps.

What this means

If a deployment, install, or maintenance workflow partially succeeds and then fails, prior changes may remain in place even though the workflow reports rollback activity.

Why it was flagged

When rollback is requested, the implementation only prints rollback messages for completed steps rather than executing compensating actions.

Skill content
# Rollback is conceptual — log it for the audit trail
...
print(f"  ROLLBACK [{cs.get('name', '?')}]")

Recommendation

Do not rely on rollback as an undo mechanism unless the workflow defines explicit reversal commands; the skill should document this limitation or implement real rollback steps.

What this means

Sensitive stdout or untrusted tool output can influence later workflow behavior or be passed to later commands during the same run.

Why it was flagged

A step's stdout can be saved into workflow variables and then substituted into later commands or conditions.

Skill content
if save_output:
    variables[save_output] = result.stdout.strip()
...
command = substitute_vars(step.get("command", ""), variables)

Recommendation

Avoid saving secrets as step output, and treat saved outputs as untrusted unless the producing command is trusted and the later use is tightly scoped.