Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AWP - Agent Workflow Protocol

v1.0.0

Generate complete Agent Workflow Protocol (AWP) compliant multi-agent workflows from natural language descriptions. Produces workflow.awp.yaml, agent configs...

by Shumway (@veegee82)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (AWP workflow generator) align with the large set of templates, references, adapters, and example extensions included. Templates for agents, manifests, MCP tools, and platform adapters are expected for a workflow generator. However, some included templates (devops extension infra.run_command, Cloudflare adapter, MCP tool templates) produce code that can perform network calls or shell execution; while reasonable for a workflow generator, these are elevated capabilities that should be justified by the user's intent before executing generated artifacts.
Instruction Scope
SKILL.md explicitly supports injecting templates and project-level skills into agents' SYSTEM_PROMPT.md files and includes directives for generating system prompts and preprocessor code. A pre-scan flagged 'system-prompt-override' patterns in SKILL.md. Allowing arbitrary injected text into generated agents' system prompts is a legitimate feature for a generator but is also a powerful prompt-injection vector: malicious or careless templates/skills could override agent constraints, cause exfiltration, or escalate privileges when the generated workflow is later run. Additionally, the top-level allowed-tools list (Read Write Edit Bash Glob Grep) and templates for shell-executing MCP tools mean generated workflows may instruct runtime to read/write files or execute shell commands — behaviors outside mere text generation and requiring explicit review.
Install Mechanism
No install spec is present; the skill is instruction-and-template-only. This minimizes immediate install-time risk because nothing is downloaded or executed automatically during install. The provided template files will be written only if/when the agent follows the generation instructions and writes project files to disk.
Credentials
The skill declares no required environment variables or credentials, which is coherent for a workflow/template generator. Some templates (Cloudflare adapter, external MCP tool placeholders) implicitly expect runtime credentials if the generated workflow is deployed (e.g., Cloudflare API keys), but those are not requested by the skill itself. This is proportionate but means users must not provide unrelated secrets to this skill and should avoid running generated workflows that require cloud credentials without careful review.
Persistence & Privilege
The skill is not marked always:true and does not request persistent platform privileges. It does, however, instruct generated workflows to create files (system prompts, agent code, MCP tools) and to inject content into agent system prompts; these actions are part of its claimed function and are not inherently privileged beyond normal file writes. Still, because generated artifacts can include executables and tooling for runtime, they should be audited before execution.
Scan Findings in Context
[system-prompt-override] expected: The skill must create and inject SYSTEM_PROMPT.md content for generated agents as part of its functionality, so prompt override patterns are expected. However, this capability is a high-risk vector for malicious prompt injection if templates or extensions contain untrusted content—review generated system prompts carefully before use.
What to consider before installing
This skill is a coherent AWP workflow/template generator, but it has two important risk areas you should consider before using it: (1) It can inject arbitrary text into generated agents' system prompts (a legitimate feature for customizing agents) — that same mechanism can be used to override safety rules or exfiltrate data if templates or extensions are malicious or unreviewed. (2) Several included templates produce code for MCP tools or adapters that can perform network calls or execute shell commands (e.g., infra.run_command). Recommended precautions: review all generated files (SYSTEM_PROMPT.md, agent.py, mcp/*, any shell-invoking code) before running them; do not run generated workflows in production or with real credentials until audited; restrict or sandbox execution (no network or privileged shell access) when testing; and avoid supplying unrelated secrets or API keys to this skill. If you plan to use extensions (devops/financial), read their extra rules (safety_checker, risk_assessor) and enforce the required safety gates the templates assume.
adapters/cloudflare-dynamic-workers.md:53
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.



