Agile Workflow
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real workflow engine, but it asks to run persistent background automation and includes broad shell/process control plus an apparent hardcoded secret, so it needs review before installation.
Only install this in an isolated environment after reviewing the code and all referenced scripts. Avoid enabling cron, nohup, autoTrigger, or autoLearn unless you intentionally want a persistent background workflow engine. Check for and remove hardcoded secrets, restrict shell/process operations, and confirm there is a clear way to stop, disable, and clean up the skill.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The workflow engine may continue monitoring, learning, and starting work in the background, consuming resources or changing workflow state after the user thinks the task is done.
The skill instructs users to enable automatic triggering/learning and run the engine as a background daemon plus recurring cron jobs, allowing it to keep acting after the immediate user request.
"autoTrigger": true ... "autoLearn": true ... nohup node /home/ubutu/.openclaw/workspace/skills/agile-workflow/core/agile-workflow-engine.js start ... & ... */1 * * * * node ... monitor --quiet
Do not enable nohup or cron by default. Require explicit opt-in, document how to stop/remove all background jobs, and keep autoTrigger/autoLearn disabled unless the user intentionally wants persistent automation.
The skill could terminate agent or OpenClaw-related processes unexpectedly, interrupting other work or causing data loss in active sessions.
The code uses a broad pattern-based process kill command with a variable agent type. In an autonomous agent pool, this can affect other matching OpenClaw processes, not just a single tracked child process.
execSync(`pkill -f "openclaw.*--agent.*${agentType}" || true`, { stdio: 'ignore' });Use exact tracked PIDs instead of pkill patterns, restrict allowed agent types, and require user confirmation before terminating processes outside the skill’s own children.
A bad configuration or manipulated value could cause the skill to run commands the user did not intend.
A configured script name and temp file are interpolated into a shell command. Without visible allowlisting or argument separation, this creates a path for unintended command execution.
exec(`${config.submitScript} ${tempFile}`, (error, stdout, stderr) => {Avoid shell interpolation; use spawn/execFile with an argument array, validate submitScript against an allowlist, and require approval before running configured scripts.
Users may run updated or unreviewed code, or configure a scheduled job for a helper whose contents were not provided for review.
The skill asks users to pull mutable code, install packages, and schedule a helper script. The referenced auto-spec-discovery.sh is not listed in the supplied file manifest, and these setup requirements are not captured by an install spec.
git pull origin main ... npm install --omit=dev ... 0 3 * * * /home/ubutu/.openclaw/workspace/skills/agile-workflow/scripts/auto-spec-discovery.sh --quiet
Pin release sources and dependencies, include every referenced helper script in the package, and move setup requirements into a reviewed install specification.
An embedded or undeclared password may expose a shared backend credential or give the skill access that users did not expect.
The static scan reports a hardcoded password-like literal in the cache backend, while the registry metadata declares no primary credential or required environment variables.
this.password = [REDACTED] || null;
Remove hardcoded secrets, rotate any exposed credential, use environment variables or a secret manager, and declare any required credential in metadata.
Bad, stale, or sensitive past task signals could influence future workflows without the user realizing it.
The skill records workflow results and automatically applies learned optimizations, but the artifacts do not clearly define retention, review, reset, or scope boundaries for this persistent learning.
执行 → 记录结果 → 分析模式 → 生成优化 → 应用优化 ... "autoLearn": true
Make learning opt-in, document where learned data is stored, provide reset/delete controls, and require user review before applying learned optimizations.
Users may place too much trust in the automation and enable persistent execution without appreciating the residual operational risks.
The documentation makes absolute safety claims such as zero risk and 100% elimination, which are not supported by the broad background execution and shell-control behavior shown elsewhere.
| 数据污染风险 | ⚠️ 中等 | 🟢 零 | ✅ 100% 消除 | ... | 并发安全 | 🔴 高风险 | 🟢 零风险 | ✅ 架构级 |
Replace absolute safety claims with specific guarantees, limitations, and clear warnings about background execution, shell commands, process management, and persistent learning.