Install untrusted source
- Finding
- Install source points to URL shortener or raw IP.
Security checks across static analysis, malware telemetry, and agentic risk

Summary: FlowClaw matches its stated workflow-automation purpose, but it deserves careful review because some integration examples omit API authentication and an opt-in mode can expose broad OpenClaw credentials to a persistent executor.

Recommendation: Install only if you want a persistent local workflow service and are comfortable reviewing its workflows. Keep WORKFLOW_EXECUTOR_API_KEY strong, keep HOST on 127.0.0.1 unless you know how to secure it, add API-key headers to n8n calls, leave FLOWCLAW_LOAD_OPENCLAW_CONFIG disabled by default, and review any workflow YAML or Python QA scripts before enabling automatic triggers.

VirusTotal findings are pending for this skill version.

Scope: Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: A user following this example could create a workflow trigger path without the intended API-key protection, or may be tempted to weaken authentication to make the integration work.
Description: This documented n8n node triggers workflow execution, but the example shows no API-key authentication for a high-impact endpoint that can start agent workflows.
Evidence: "url": "http://localhost:8765/workflow/execute", "method": "POST", "authentication": "none"
Recommendation: Require and document an Authorization: Bearer or X-API-Key header for every /workflow/execute call, keep HOST set to 127.0.0.1 unless behind a trusted proxy, and do not disable the workflow executor API key.
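The recommendation above has two parts that are easy to get wrong in an executor: the key check must fail closed when WORKFLOW_EXECUTOR_API_KEY is unset (an empty key must not mean "no authentication"), and the HOST setting must actually be a loopback address. The following is an added example written for this review, not FlowClaw's own code: the header names follow the recommendation (Authorization: Bearer and X-API-Key), the variable names WORKFLOW_EXECUTOR_API_KEY and HOST are the ones the review mentions, and the function names and sample values are constructed.

```python
"""Fail-closed API-key check for a /workflow/execute style endpoint (added example)."""
import hmac
import ipaddress
from typing import Mapping, Optional


def expected_key(env: Mapping[str, str]) -> Optional[str]:
    """Return the configured executor key, or None when it is unset or blank.

    Callers treat None as "reject every request", so a missing key can never
    silently turn authentication off.
    """
    key = env.get("WORKFLOW_EXECUTOR_API_KEY", "").strip()
    return key or None


def presented_key(headers: Mapping[str, str]) -> Optional[str]:
    """Extract the client's key from either accepted header (header names are case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lower.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    api_key = lower.get("x-api-key", "").strip()
    return api_key or None


def is_authorized(headers: Mapping[str, str], env: Mapping[str, str]) -> bool:
    """True only when a key is configured AND the client presented a matching one."""
    want = expected_key(env)
    got = presented_key(headers)
    if want is None or got is None:
        return False
    # Constant-time comparison so the key cannot be recovered byte by byte via timing.
    return hmac.compare_digest(want.encode(), got.encode())


def bind_is_loopback(host: str) -> bool:
    """Check the HOST setting: anything that is not a loopback address widens exposure."""
    if host.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip()).is_loopback
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values: the n8n example in the review sends no credential at all.
    env = {"WORKFLOW_EXECUTOR_API_KEY": "example-key-constructed"}
    print("no header     ->", is_authorized({}, env))
    print("bearer header ->", is_authorized({"Authorization": "Bearer example-key-constructed"}, env))
    print("HOST=0.0.0.0  -> loopback:", bind_is_loopback("0.0.0.0"))
```

The n8n side of the fix is simply to send one of the two headers with the request; the point of `expected_key` is that the server never accepts a request because the operator forgot to set the key.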
Impact: If enabled, a persistent workflow service and its workflows may be able to access more OpenClaw credentials than the user intended.
Description: The optional configuration can grant FlowClaw access to a broad local credential store, not just the workflow executor API key.
Evidence: Set this to "true" to also load missing credentials from ~/.openclaw/openclaw.json. Only enable this if you understand that ALL credentials in your OpenClaw config become accessible to FlowClaw.
Recommendation: Leave FLOWCLAW_LOAD_OPENCLAW_CONFIG=false unless absolutely necessary. Prefer passing only the specific gateway token needed, use least-privilege credentials, and protect ~/.openclaw/openclaw.json with strict file permissions.
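The three points in this recommendation (off by default, pass only the needed token, strict permissions on the shared config) can be enforced in the loader itself rather than left to the operator. The following is an added example written for this review, not FlowClaw's code: FLOWCLAW_LOAD_OPENCLAW_CONFIG and the ~/.openclaw/openclaw.json path come from the review text, while the environment variable OPENCLAW_GATEWAY_TOKEN, the credential key name gateway_token, the function names and the sample config are assumptions made for illustration.

```python
"""Least-privilege credential loading for a persistent executor (added example)."""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Mapping

# The one credential the executor actually needs (assumed key name, not FlowClaw's).
NEEDED_KEYS = ("gateway_token",)
DEFAULT_CONFIG = Path.home() / ".openclaw" / "openclaw.json"


def opt_in_enabled(env: Mapping[str, str]) -> bool:
    """Only the literal string "true" opts in; unset or any other value stays off."""
    return env.get("FLOWCLAW_LOAD_OPENCLAW_CONFIG", "false").strip().lower() == "true"


def check_private_permissions(path: Path) -> None:
    """Refuse to read a credential store that is readable by group or others."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} has mode {oct(mode)}; a credential store should be 0o600 (owner-only)"
        )


def load_credentials(env: Mapping[str, str], config_path: Path = DEFAULT_CONFIG) -> Dict[str, str]:
    """Prefer an explicitly passed token; consult the shared config only when opted in,
    and even then copy only the keys the executor needs, never the whole file."""
    creds: Dict[str, str] = {}
    token = env.get("OPENCLAW_GATEWAY_TOKEN", "").strip()
    if token:
        creds["gateway_token"] = token
    missing = [k for k in NEEDED_KEYS if k not in creds]
    if missing and opt_in_enabled(env):
        check_private_permissions(config_path)
        with config_path.open() as fh:
            shared = json.load(fh)
        for key in missing:
            if key in shared:
                creds[key] = str(shared[key])
    return creds


def demo() -> Dict[str, object]:
    """Constructed scenario: a shared config that holds more than the executor needs."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "openclaw.json"
        cfg.write_text(json.dumps({"gateway_token": "gw-constructed",
                                   "notion_token": "unrelated-secret-constructed"}))
        os.chmod(cfg, 0o600)
        results["default_off"] = load_credentials({}, cfg)
        results["explicit_token"] = load_credentials({"OPENCLAW_GATEWAY_TOKEN": "env-gw"}, cfg)
        results["opt_in"] = load_credentials({"FLOWCLAW_LOAD_OPENCLAW_CONFIG": "true"}, cfg)
        os.chmod(cfg, 0o644)  # simulate a carelessly permissioned credential store
        try:
            load_credentials({"FLOWCLAW_LOAD_OPENCLAW_CONFIG": "true"}, cfg)
            results["world_readable_rejected"] = False
        except PermissionError:
            results["world_readable_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that even with the opt-in enabled, `load_credentials` copies only `NEEDED_KEYS`; the unrelated `notion_token` in the sample config never reaches the executor's memory.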
Impact: An untrusted workflow or QA script could run arbitrary Python with the user's local permissions and environment variables.
Description: The skill can run workflow-associated Python scripts. This is expected for a workflow orchestrator, but it means workflow files and scripts are trusted execution inputs.
Evidence: QA scripts are user-authored. FlowClaw validates that they are `.py` files within the workflow directory, but cannot sandbox their runtime behaviour. Only install workflows from sources you trust.
Recommendation: Review workflow YAML and any referenced scripts before running them. Use a virtual environment, consider a separate OS user or sandbox, and avoid exposing unnecessary secrets to the executor process.
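The evidence says the containment check is "a `.py` file within the workflow directory", and the recommendation asks that unnecessary secrets stay out of the script's reach. The following is an added example written for this review, not FlowClaw's code, showing how such a check is made robust against `../` traversal and symlinks, and how the child process gets an allowlisted environment instead of inheriting the executor's. The function names, the ENV_ALLOWLIST contents and the sample scenario are constructed.

```python
"""Confining workflow QA scripts: path containment plus a scrubbed environment (added example)."""
import os
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Dict, Mapping, Sequence

# Only these variables reach the child. WORKFLOW_EXECUTOR_API_KEY and any gateway token
# are deliberately absent, so a QA script cannot simply read them from os.environ.
ENV_ALLOWLIST = ("PATH", "LANG", "LC_ALL", "HOME", "TMPDIR", "VIRTUAL_ENV")


def resolve_qa_script(workflow_dir: Path, name: str) -> Path:
    """Return the real path of a QA script, or raise if it is not a .py file inside workflow_dir.

    resolve() follows symlinks, so a link inside the directory that points outside it
    is rejected exactly like a literal ../ traversal.
    """
    root = workflow_dir.resolve()
    candidate = (root / name).resolve()
    if candidate.suffix != ".py":
        raise ValueError(f"QA script must be a .py file, got {name!r}")
    if root not in candidate.parents:
        raise ValueError(f"QA script {name!r} resolves outside the workflow directory")
    if not candidate.is_file():
        raise FileNotFoundError(candidate)
    return candidate


def scrubbed_env(parent: Mapping[str, str], allow: Sequence[str] = ENV_ALLOWLIST) -> Dict[str, str]:
    """Build the child's environment from an allowlist instead of inheriting everything."""
    return {k: parent[k] for k in allow if k in parent}


def run_qa_script(workflow_dir: Path, name: str, timeout: int = 60) -> subprocess.CompletedProcess:
    """Run the script with the current interpreter, a minimal env, and cwd pinned to the workflow dir."""
    script = resolve_qa_script(workflow_dir, name)
    return subprocess.run(
        [sys.executable, "-I", str(script)],  # -I: isolated mode, ignores PYTHON* vars and user site-packages
        cwd=str(workflow_dir.resolve()),
        env=scrubbed_env(os.environ),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )


def demo() -> Dict[str, object]:
    """Constructed scenario exercising the containment and environment checks."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        wf = Path(tmp) / "workflow"
        wf.mkdir()
        (wf / "check.py").write_text("import os; print(sorted(os.environ))\n")
        (Path(tmp) / "outside.py").write_text("print('escaped')\n")
        out["valid"] = resolve_qa_script(wf, "check.py").name
        for bad in ("../outside.py", "check.txt"):
            try:
                resolve_qa_script(wf, bad)
                out[bad] = "accepted"
            except ValueError:
                out[bad] = "rejected"
        try:
            (wf / "link.py").symlink_to(Path(tmp) / "outside.py")
            try:
                resolve_qa_script(wf, "link.py")
                out["symlink"] = "accepted"
            except ValueError:
                out["symlink"] = "rejected"
        except OSError:
            out["symlink"] = "unsupported"  # filesystem without symlink support
        env = scrubbed_env({"PATH": "/usr/bin", "WORKFLOW_EXECUTOR_API_KEY": "secret-constructed"})
        out["env_keys"] = sorted(env)
        out["script_ran"] = run_qa_script(wf, "check.py").returncode
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

This does not sandbox what the script does with its own permissions, which is the point the evidence concedes; a separate OS user or a container, as the recommendation suggests, is still needed for that. It does close the two cheap holes: scripts outside the workflow directory, and secrets leaking through inherited environment variables.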
Impact: Once started, FlowClaw may continue processing triggers until the service is stopped or disabled.
Description: The executor is intended to stay running and respond to triggers over time. This is disclosed and fits the product purpose, but it is still persistent automation.
Evidence: FlowClaw runs as a persistent service and handles the edge cases you'd rather not think about
Recommendation: Start the service only when needed, monitor logs, keep it bound to localhost, and know how to stop or unload the background service.
Impact: Dependency behavior can change over time, and a compromised or incompatible future package version could affect the executor.
Description: The setup uses unpinned lower-bound dependency ranges, so future installs may resolve different package versions.
Evidence: flask>=3.0.0 requests>=2.32.0 pyyaml>=6.0 gunicorn>=23.0.0
Recommendation: Install in a virtual environment, use a lockfile or pinned versions with hashes for production, and verify the skill source before running the service.
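A quick way to see what this recommendation asks for is to classify each requirement as floating (a lower bound or range, as in the evidence), pinned (a single `==` version), or pinned with a hash (what `pip install --require-hashes` enforces). The following checker is an added example written for this review, not FlowClaw's or ClawScan's code; the input is the dependency line quoted above, and the checker, its function names and the hash-pinned sample (with an obviously fake digest) are constructed. In practice the hashed lockfile would be produced by a tool such as `pip-compile --generate-hashes` rather than by hand.

```python
"""Audit a requirements list for floating version specifiers (added example)."""
import re
from typing import Dict, List

# The dependency list quoted in the review.
REVIEWED_DEPS = "flask>=3.0.0 requests>=2.32.0 pyyaml>=6.0 gunicorn>=23.0.0"

# Constructed illustration of the pinned-with-hash form; the digest is a placeholder, not a real hash.
PINNED_SAMPLE = "flask==3.0.3 --hash=sha256:" + "0" * 64

# project name, optional extras, then whatever follows (specifier, markers, --hash options)
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")


def classify(requirement: str) -> str:
    """Return 'pinned+hashed', 'pinned', 'floating' or 'invalid' for one requirement line."""
    line = requirement.strip()
    m = _REQ.match(line)
    if not line or not m:
        return "invalid"
    parts = m.group(3).split()
    # First token is the version specifier; drop any environment marker after ';'.
    spec = parts[0].split(";")[0] if parts else ""
    hashes = [p for p in parts[1:] if p.startswith("--hash=sha256:")]
    clauses = [c.strip() for c in spec.split(",") if c.strip()]
    # Exactly one clause, '==', and no wildcard such as ==3.* counts as a real pin.
    exact = len(clauses) == 1 and clauses[0].startswith("==") and "*" not in clauses[0]
    if not exact:
        return "floating"
    return "pinned+hashed" if hashes else "pinned"


def audit(requirements: List[str]) -> Dict[str, str]:
    """Map each non-comment requirement to its classification."""
    return {r.strip(): classify(r) for r in requirements
            if r.strip() and not r.lstrip().startswith("#")}


def floating(requirements: List[str]) -> List[str]:
    """The entries this review flags: anything that can resolve to a different version tomorrow."""
    return [r for r, kind in audit(requirements).items() if kind == "floating"]


if __name__ == "__main__":
    for req, kind in audit(REVIEWED_DEPS.split()).items():
        print(f"{kind:14} {req}")
    print(f"{classify(PINNED_SAMPLE):14} {PINNED_SAMPLE}")
```

Run against the evidence line, all four entries come back as floating, which is exactly the condition the finding describes.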
Impact: Task names, notes, workflow status, or other context may be shared with Notion, n8n, OpenClaw agents, and Discord depending on configuration.
Description: The skill intentionally moves task context across multiple services and agents. This is purpose-aligned, but users should understand where task data goes.
Evidence: Connects Notion → n8n → agents, with approval gates ... Reports progress via Discord notifications
Recommendation: Use least-privilege tokens, avoid putting highly sensitive data in workflow tasks, configure only the integrations you need, and verify channel/database destinations before enabling automation.