Workflow Automation Cn

Pass

Audited by ClawScan on May 10, 2026.

Overview

This instruction-only skill is coherent for creating scheduled automation scripts, but users should review any generated scripts before enabling recurring heartbeat execution.

This skill does not include executable code at install time, and its instructions match its automation purpose. Before installing or using it, be prepared to inspect generated Python scripts, confirm any API or publishing actions, store credentials outside the script body, and keep a list of heartbeat tasks so you can disable recurring automations later.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A generated script could run commands, make network requests, or modify files depending on the user's automation request.

Why it was flagged

The skill explicitly has the agent generate executable Python and configure it to run. This is the core purpose of the skill, but generated code should be reviewed before execution.

Skill content

The agent will:
1. Understand the requirements
2. Generate a Python script
3. Configure the heartbeat trigger

Recommendation

Review the generated script, test it manually, and only then add it to heartbeat scheduling.

What this means

Automations may keep running on a schedule and continue sending notifications, calling APIs, or changing files until the heartbeat entry is removed.

Why it was flagged

The skill documents recurring heartbeat-triggered automations. This persistence is disclosed and purpose-aligned, but recurring tasks can continue operating after the initial request.

Skill content

## Heartbeat configuration

### HEARTBEAT.md example

- 09:00 → Send daily report
- */4h → API call
- */10m → Price monitoring

Recommendation

Track every heartbeat entry the skill creates and remove or disable tasks that are no longer needed.

What this means

A generated automation could publish content or call an API repeatedly if configured that way.

Why it was flagged

The supported workflows include automated posting and API calls. These are expected for a workflow automation skill, but they can affect external services or public content.

Skill content

| Content publishing | Automatically publish articles | ⭐⭐ |
| API calls | Call an interface on a schedule | ⭐⭐ |

Recommendation

Confirm the destination service, frequency, and approval requirements before enabling publishing or API-calling automations.

What this means

If real tokens are placed directly in generated scripts, anyone with access to the file may be able to use that bot or notification account.

Why it was flagged

The notification template uses provider credentials as placeholders, and the skill also advises using environment variables for sensitive information. This is expected for Telegram notifications, but users should handle tokens carefully.

Skill content

bot_token = "YOUR_BOT_TOKEN"
chat_id = "YOUR_CHAT_ID"

Recommendation

Store real tokens in environment variables or a secure secret store, and limit token permissions where possible.