Openclaw Workflow Publish

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real workflow automation skill, but installed workflows can run local code, make network requests, send messages, and touch OpenClaw session files with limited containment.

Install only if you intend to run trusted workflow YAML. Treat workflows as code with your user permissions: review every script/code/http/message/subagent step before running, avoid using it with sensitive environment variables, and do not run third-party YAML unless you would also run its shell commands directly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

eval() call detected

High
Category
Dangerous Code Execution
Content
}

        try:
            return bool(eval(resolved_str, {"__builtins__": safe_builtins}, namespace))
        except Exception:
            return False
Confidence
99% confidence
Finding
return bool(eval(resolved_str, {"__builtins__": safe_builtins}, namespace))

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
except (ValueError, IndexError):
                    return None
            elif hasattr(obj, k):
                obj = getattr(obj, k)
            else:
                return None
        return obj
Confidence
72% confidence
Finding
obj = getattr(obj, k)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cwd = ctx.resolve(step.get("cwd")) if step.get("cwd") else None

    try:
        result = subprocess.run(
            command,
            shell=True,
            capture_output=True,
Confidence
99% confidence
Finding
result = subprocess.run( command, shell=True, capture_output=True, text=True, timeout=timeout, cwd=cwd, env=

Dangerous chain: exec() wrapping compile

Critical
Category
Dangerous Code Execution
Content
old_stdout = sys.stdout
    try:
        sys.stdout = captured
        exec(compile(code, "<openclaw-workflow-sandbox>", "exec"), namespace)
        sys.stdout = old_stdout

        # Prefer the value from ctx_export(); otherwise check the result variable in the namespace
Confidence
99% confidence
Finding
exec(compile(code, "<openclaw-workflow-sandbox>", "exec"), namespace)

exec() call detected

High
Category
Dangerous Code Execution
Content
old_stdout = sys.stdout
    try:
        sys.stdout = captured
        exec(compile(code, "<openclaw-workflow-sandbox>", "exec"), namespace)
        sys.stdout = old_stdout

        # Prefer the value from ctx_export(); otherwise check the result variable in the namespace
Confidence
98% confidence
Finding
exec(compile(code, "<openclaw-workflow-sandbox>", "exec"), namespace)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation claims the `code` node runs in a sandbox, but elsewhere states that workflow variables, prior step outputs, and environment data are injected into inline Python. If the execution environment also permits file operations as indicated by the static findings, this is not a meaningful sandbox and could allow secret access, data tampering, or local command/file abuse under a false sense of safety.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This example workflow demonstrates host shell execution and outbound HTTP requests, which materially expand the skill's capabilities beyond simple workflow control into code execution and network interaction. Even as a test/example file, it normalizes dangerous primitives that could be reused to run arbitrary commands, exfiltrate data, or interact with untrusted external services if users execute it without clear isolation and consent.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The workflow reads environment variables such as HOME and USER and writes them to output, exposing host-specific information unrelated to basic workflow-control testing. Environment variables often contain sensitive paths, usernames, tokens, or deployment metadata, so demonstrating this pattern can lead to accidental information disclosure when copied into real workflows.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The workflow retrieves public IP information via an external service, introducing network-visible environment discovery that is not reflected in the stated skill purpose of deterministic workflow orchestration. Even though the data is limited to public IP metadata, this can expose deployment or user environment details and normalizes undisclosed outbound telemetry-like behavior in example workflows.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The template syntax allows any `{{env.VAR}}` lookup, which exposes process environment secrets such as API keys, tokens, cloud credentials, and internal configuration to workflow authors or untrusted inputs. In an agent/workflow product, templates often flow into prompts, logs, external tools, and outputs, so secret exfiltration risk is substantial.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
list_workflows() recursively scans both the skill examples directory and the entire user workspace under ~/.openclaw/workspace, opening and parsing every YAML/YML file it finds. In an agent skill context, this broad discovery behavior can expose unrelated user data, metadata, and file paths to the skill and increases the blast radius well beyond what is needed to execute a specified workflow.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file implements a general-purpose automation engine with shell execution, HTTP, code execution, agent/skill invocation, subagents, and outbound messaging, which materially exceeds a narrowly described deterministic workflow-control capability. This breadth increases attack surface and enables the skill to act as a powerful execution/orchestration substrate rather than just deterministic control flow.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Arbitrary shell command execution is far beyond what is necessary for deterministic branching, looping, waiting, and state management. Because commands and inline Python are workflow-controlled and template-resolved, this grants a workflow author a straightforward host-level execution channel.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The HTTP node allows arbitrary outbound requests with caller-controlled URL, headers, body, and params, which is not required for pure deterministic workflow control. In an agent environment this can be abused for SSRF, internal service probing, secret exfiltration, or unauthorized interaction with third-party systems.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The message node can send messages to arbitrary targets through either the agent or direct CLI, which exceeds the stated workflow-control scope and creates a direct external-action channel. This can be abused for spam, social engineering, data leakage, or unauthorized notifications triggered by workflows.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The module documentation states that interaction no longer forks subprocesses, yet the code later launches subprocesses for script execution and message delivery. This misleading claim can cause reviewers or operators to underestimate the risk profile and enable a dangerous capability under false assumptions.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The module advertises itself as a 'safe' sandbox, yet SAFE_BUILTINS explicitly includes open, allowing untrusted inline code to read and write arbitrary files accessible to the process. This mismatch can cause developers to trust the boundary and expose the feature to hostile workflow input, leading to data theft, tampering, or credential disclosure.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The API presents a timeout parameter but explicitly does not enforce it, so untrusted code can run indefinitely with while-loops, heavy computation, or memory abuse. In an agent/workflow engine this enables denial of service, stalled automation, and resource exhaustion across the hosting process.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README advertises high-impact capabilities such as shell/Python execution, HTTP requests, agent/subagent invocation, and external messaging, but it does not warn users about possible system modification, data exfiltration, network access, or external side effects. In a workflow engine that emphasizes deterministic automation, users may trust YAML scripts to be routine while overlooking that they can trigger powerful actions non-interactively and at scale.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill documents a `message` node that can send content to real recipients, including phone-number style targets, without warning that workflow-generated or agent-generated output may be transmitted externally. In this context, a malicious or mistaken workflow could spam users, leak sensitive data, or send unauthorized notifications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The HTTP node examples show arbitrary outbound requests with authorization headers and body content interpolation, but there is no warning about data exfiltration, credential leakage, or third-party transmission. Because workflow variables may contain model outputs, prior step data, or secrets, this creates a straightforward exfiltration path.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The variable syntax explicitly exposes environment variables such as `{{env.HOME}}` without warning that environment state may include API keys, tokens, or other secrets. In a workflow engine that also supports HTTP, messaging, scripts, and code execution, env access materially increases the chance of secret disclosure or misuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The HTTP example sends workflow-derived data such as user name and count to an external service without any inline warning, consent mechanism, or disclosure in the manifest. In a real environment, this pattern can easily become silent data egress, especially when users substitute sensitive context variables into requests to third-party endpoints.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example logs environment variables directly to output without warning the user that host metadata may be exposed. This creates an information-disclosure pattern that is easy to replicate and may leak sensitive runtime details in logs, transcripts, or downstream systems.

VirusTotal

66/66 vendors flagged this skill as clean.
