Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flowclaw

v1.1.3

YAML-driven workflow orchestrator for AI agent teams with human-in-the-loop approval gates. Includes optional Notion, n8n, and Discord integrations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required env var (WORKFLOW_EXECUTOR_API_KEY), optional Notion/Discord/n8n envs, scripts, and Python app match the claimed purpose of a workflow executor and integrations. The included files (executor, startup script, n8n workflow, sample YAML workflows) are proportionate to the stated functionality.
Instruction Scope
SKILL.md keeps instructions focused (install deps, copy .env, run the executor, import n8n workflow). It explicitly documents important behaviors and security boundaries (Content-Type checks, auth, local bind default, credential isolation opt-in). Notable items to be aware of: (1) FlowClaw executes user-supplied QA Python scripts (allowed but explicitly unsandboxed), (2) deploy steps may invoke external CLIs (e.g., vercel) which run with the service's environment, and (3) there are operational instructions to run as a system service (LaunchAgent/systemd) which is expected for a long-lived executor.
Install Mechanism
No remote download or opaque installer; this is an instruction-only skill with source included. Dependencies are standard Python packages listed in requirements.txt and the SKILL.md tells the operator to run pip install -r src/requirements.txt. No external URLs or archives are fetched by an automated install spec in the skill metadata.
Credentials
Only a single required env var (WORKFLOW_EXECUTOR_API_KEY) is declared; other tokens (NOTION_API_KEY, DISCORD_BOT_TOKEN, N8N_API_KEY, OPENCLAW_GATEWAY_TOKEN, etc.) are optional and justified by the optional integrations. The README and config explicitly document an opt-in flag (FLOWCLAW_LOAD_OPENCLAW_CONFIG) that, if enabled, will read ~/.openclaw/openclaw.json and thereby expose other OpenClaw credentials — that is an explicit, documented escalation and is off by default.
Persistence & Privilege
The skill is not always-enabled and does not request elevated autonomous platform privileges. It includes startup/service templates and scripts to run as a persistent service (LaunchAgent/systemd), which is normal for this type of component. No attempt to modify other skills' configurations or system-wide agent settings was observed.
Assessment
FlowClaw appears to be what it says: a local workflow executor that wires Notion/n8n/Discord into agent-driven YAML workflows. Before installing or running it in a sensitive environment, consider the following:
1) Review any workflow YAMLs and QA scripts before enabling them — QA scripts are executed as Python and are not sandboxed (they can read the FS and make network calls).
2) Keep the service bound to 127.0.0.1 (the default) and use a strong WORKFLOW_EXECUTOR_API_KEY; if you change HOST to 0.0.0.0, place a reverse proxy + auth in front of it.
3) Do not set FLOWCLAW_LOAD_OPENCLAW_CONFIG=true unless you intend to grant FlowClaw access to all credentials in ~/.openclaw/openclaw.json.
4) If you enable deploy steps that call external CLIs (e.g., vercel), be aware those CLIs run with the process environment and may use credentials available there.
5) Run in an isolated service account or container and review startup/service templates before enabling systemd/LaunchAgent.
These are operational risks intrinsic to a workflow orchestrator, not indications of misbehavior by the skill itself.
Static analysis finding at src/n8n-workflow.json:145: Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


Runtime requirements

Env: WORKFLOW_EXECUTOR_API_KEY