Back to skill

Security audit

Flowclaw

Security checks across malware telemetry and agentic risk

Overview

FlowClaw appears to be a legitimate workflow orchestrator, but it can trigger agents, scripts, external updates, and deployments with weaker approval enforcement than its description suggests.

Install only if you intend to run a privileged local automation service. Keep it bound to localhost or behind strong network controls, use a dedicated strong API key, restrict n8n and Notion triggers to approved tasks, protect the workflow/scripts directory from untrusted edits, avoid enabling FLOWCLAW_LOAD_OPENCLAW_CONFIG unless needed, and add enforced wait_approval gates before any production deployment or final Done status.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return {"status": "failed", "error": f"QA script not found: {script_path}"}

        try:
            proc = subprocess.run(["python3", str(script_path), url],
                                  capture_output=True, text=True, timeout=60)
            try:
                qa = json.loads(proc.stdout)
Confidence
90% confidence
Finding
proc = subprocess.run(["python3", str(script_path), url], capture_output=True, text=True, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no explicit permissions while its described and detected capabilities include environment access, file read/write, network access, and shell execution. This creates a transparency and review failure: operators may install or trust the skill without understanding that it can access secrets, modify local state, invoke subprocesses, and expose services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose significantly understates the actual behavior: beyond orchestration, the skill appears to expose an authenticated HTTP API, persist workflow state in SQLite, read local credential files, create Notion objects, and run local subprocesses including deployment-related commands. This mismatch is dangerous because users may grant installation and trust based on a much narrower description, while the real implementation has broad attack surface and could enable credential exposure, unauthorized workflow execution, local command execution, or service exposure.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The README claims both that all API endpoints require authentication and that `/health` requires no auth. Security documentation contradictions are dangerous because operators may incorrectly expose or rely on an endpoint under false assumptions, especially when using the README as the source of truth for deployment and monitoring. In this context, the inconsistency is more concerning because the project is a network service with multiple integrations and explicit security claims.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The header comment states the service binds only to 127.0.0.1, but the script actually allows HOST to be overridden from the environment and only validates characters, not locality. This can lead operators to expose the workflow executor externally by setting HOST=0.0.0.0 or a public interface while relying on misleading security documentation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This executor can spawn external agents, run local Python QA scripts, and perform deployments, giving workflows substantial code-execution and environment-manipulation power. In a YAML-driven orchestrator that accepts external execution requests, this significantly raises the blast radius if workflow files or authorized callers are compromised.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The workflow comments state that production deployment requires explicit owner approval, but the deploy step executes unconditionally with a production target. In an automation system, comments do not enforce policy, so any task reaching this workflow can trigger a prod deploy even if no approval gate was actually satisfied.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The workflow is described as limited to pre-approved small changes, but the YAML does not validate that the task is pre-approved or that the change falls within an allowed scope before deploying to production. Because task data appears to come from external orchestration inputs, this makes the fastlane path a policy-bypass route that could send unreviewed or oversized changes directly to prod.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The workflow comments state that deployment should occur only after explicit owner approval, but the Phase 6 block immediately updates the task status to "Done" and sends a completion notification that can misrepresent the true deployment state. In a human-in-the-loop release workflow, this state inconsistency can cause operators or downstream automations to treat an unapproved or undeployed change as finalized, weakening the approval gate and increasing the chance of unauthorized or premature production release activity.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The workflow claims it is an end-to-end test where no real agent spawn or deploy will occur, but it still executes `spawn_agent` and `deploy` steps. This mismatch is dangerous because operators may run the workflow under false assumptions, leading to unintended agent execution, environment changes, or deployment to staging/production-adjacent infrastructure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide tells users to enable an automatically triggered n8n workflow that posts new Notion tasks to a local executor, which can then spawn agents and perform downstream deploy/notification actions. Without an explicit warning about this automation boundary, users may activate a pipeline that executes on unreviewed external task content, increasing the risk of unintended actions or misuse of connected integrations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide provides a ready-to-run workflow execution request without warning that it can trigger real workflow actions such as deployments or project modifications. In an orchestration tool, omission of that warning increases the risk of accidental execution against live environments by operators who assume the example is only a dry-run test.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The production checklist recommends enabling the n8n workflow for automatic triggers without a warning about unattended execution. Because this system can launch workflows and integrations automatically, users may enable it before validating approval gates, scope restrictions, and target environment safety.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
src/n8n-workflow.json:145