Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workflow Automation Cn

v1.0.0

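Automated workflow generator - describe your requirements in natural language and automatically generate OpenClaw heartbeat scripts. Suited for: developers who want to automate everyday tasks.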

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to generate OpenClaw heartbeat automation scripts and the SKILL.md contains multiple Python script templates and heartbeat instructions — that aligns with the stated purpose. However the manifest requires both python3 and node; the documentation and templates only show Python usage and never reference Node. Requiring Node is unexplained and disproportionate to the visible functionality.
Instruction Scope
Instructions explicitly direct creating, editing, and executing scripts under ~/.openclaw/workspace and editing HEARTBEAT.md; they reference reading/writing files (e.g., /tmp/last_price.json, ~/.openclaw/workspace/memory/*) and calling external APIs (Binance, Telegram, example API). That is consistent with a workflow generator, but the instructions are somewhat open-ended about 'configure heartbeat' and lack concrete safeguards — they assume the agent or user will write scripts into the user's home directory and add them to heartbeat triggers. The agent is not instructed to collect unrelated system data, but it is expected to create/modify files in the user's environment.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing will be written by an installer. That reduces installation risk.
Credentials
The skill declares no required environment variables or credentials, yet example scripts include placeholders for sensitive values (Telegram bot token, chat ID) and recommend using environment variables. The manifest does not request any credentials, which is acceptable, but the skill will create scripts that may require secrets to function. The unexplained requirement for the Node binary is a mismatch. The skill's source is unknown and homepage is none, increasing trust risk.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The instructions direct the agent/user to write scripts into ~/.openclaw and to add entries to HEARTBEAT.md; this is expected for a workflow automation tool. There is no instruction to modify other skills' configs or system-wide settings beyond the user's OpenClaw workspace. Because the skill can create executable scripts that will run on a schedule, the user should review generated code before enabling it in heartbeat.
Scan Findings in Context
[no_findings] expected: Regex scanner found nothing to analyze because this is an instruction-only skill (no code files). The security surface is the SKILL.md content itself.
What to consider before installing
This skill appears to do what it says (generate Python heartbeat scripts) but there are a few items to check before installing or using it:

(1) Confirm why Node is required — if you don't use Node features, you can avoid installing it or ask the author to remove that requirement.
(2) Review any generated scripts before adding them to your heartbeat: they will be created under ~/.openclaw and may be executed automatically by your scheduler. Look for hard-coded secrets — replace them with environment variables or secret storage.
(3) Because the skill's source and homepage are unknown, prefer manual review and local testing (run scripts manually with python3) before enabling scheduled/automated execution.
(4) Do not place real API keys or bot tokens directly into generated files; store them in environment variables or a secrets manager.

If you need higher assurance, ask the publisher for provenance or a reproducible changelog before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk977kh7yjs28shn8fqfp75a9td82vs0e

Runtime requirements

Clawdis
Bins: python3, node