Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agile Workflow

v7.18.1

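Fully automated agile collaboration workflow engine v7.18.1 - serial detailed outlines + parallel body text, concurrency-safe architecture, zero data pollution, intelligent merging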

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description and many included JS modules (agent manager, scheduler, circuit breaker, llm-gateway, token manager, etc.) are internally consistent with an on-host workflow engine. However the metadata claims 'instruction-only' / no install spec while the bundle contains dozens of executable code files — that mismatch is unexpected and worth noting. The engine's need to run background processes and modify its own agent config is reasonable for this purpose.
Instruction Scope
SKILL.md instructs editing ~/.openclaw/openclaw.json, creating crontab entries, running node on explicit absolute paths (e.g., /home/ubutu/.openclaw/...), and running background nohup processes. Those actions give the skill persistent runtime presence and cause it to execute bundled JS code on the host. Additionally, the pre-scan flagged a 'system-prompt-override' pattern in SKILL.md — instructions may attempt to influence model/system prompts. These instructions go beyond a simple helper and warrant manual code review before enabling.
Install Mechanism
No install specification is provided (the registry metadata says 'instruction-only'), yet the package includes many code files and scripts meant to be executed. The absence of an install step means the skill expects manual git/npm steps and direct node execution; that's not inherently malicious but increases the risk that bundled code will be executed with host privileges without an automated vetted install process. No remote download URLs were present in the SKILL.md, which reduces one class of risk.
Credentials
The skill does not request environment variables or external credentials, which aligns with its stated purpose. However the runtime instructions write and read host-specific paths (e.g., ~/.openclaw/openclaw.json, /home/ubutu/.openclaw/..., /workspace/logs/...) and add crontab entries. Those file and crontab modifications are proportionate for a service but still grant persistent access to logs/configs — review whether those paths overlap with sensitive data on your host.
Persistence & Privilege
The skill does not set always:true and does not declare extra credentials, but the SKILL.md explicitly directs enabling the skill in agent config and adding crontab/nohup entries to run the engine continuously. That grants long-term execution capability on the host (normal for a workflow engine), so only proceed after code review. This persistent presence combined with the prompt-injection signal increases risk.
Scan Findings in Context
[system-prompt-override] unexpected: The static pre-scan flagged inline pattern(s) consistent with attempts to alter system/model prompts. There are many files and runtime instructions that would let the skill execute arbitrary JS; a prompt-override directive in the SKILL.md is not required for an on-host workflow engine and is suspicious — inspect SKILL.md and code for any instructions that attempt to change or inject model/system prompts.
What to consider before installing
This package appears to be a full workflow engine and includes many executable JavaScript files plus instructions to enable background services and edit your agent config. Before installing or enabling:
1) Do not add the crontab entries or enable autoTrigger until you audit the code.
2) Inspect key files locally (llm-gateway.js, agent-manager.js, any files that use network, child_process, fs, or eval) for outbound endpoints, hard-coded URLs, or code that reads unrelated host files.
3) Search the code for child_process.exec/spawn, net/http/axios/fetch, websocket/socket usage, and any calls that post data externally.
4) Pay special attention to SKILL.md content flagged as 'system-prompt-override' — remove or question any lines that attempt to change model/system prompts.
5) Check package.json and package-lock.json for unexpected dependencies; run static scans (SAST) and dynamic tests in an isolated VM or container.
6) If you must test on your machine, run the service in a sandboxed account with no access to sensitive files and avoid enabling persistent crontab/nohup until you are confident.
If you want, I can list high-priority files/strings to inspect (network calls, credential patterns, child_process) or help generate a review checklist.
backups/20260315_215924/agile-workflow-engine-v5.js:588
Shell command execution detected (child_process).
backups/20260315_215924/health-check-v2.js:148
Shell command execution detected (child_process).
core/agent-manager.js:195
Shell command execution detected (child_process).
core/agent-process-pool.js:69
Shell command execution detected (child_process).
core/agent-supervisor.js:69
Shell command execution detected (child_process).
core/failure-handler.js:221
Shell command execution detected (child_process).
core/global-process-manager.js:54
Shell command execution detected (child_process).
core/health-check.js:80
Shell command execution detected (child_process).
core/log-monitor.js:390
Shell command execution detected (child_process).
core/self-healing-monitor.js:238
Shell command execution detected (child_process).
core/task-scheduler.js:230
Shell command execution detected (child_process).
scripts/analyze-and-cleanup.js:162
Shell command execution detected (child_process).
scripts/health-check.js:313
Shell command execution detected (child_process).
scripts/submit-report.js:164
Shell command execution detected (child_process).
scripts/workflow-monitor.js:86
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.
