v2.0.0

auto-workflow

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:22 AM.

Analysis

This is a legitimate-looking workflow engine, but it gives workflows broad power to run shell commands, modify or delete files, and run scheduled tasks, so it should be reviewed carefully before use.

GuidanceOnly use this skill if you need a powerful local automation engine. Review every workflow file like code, avoid untrusted workflow JSON, run it in a limited workspace/account, and confirm all shell commands, file paths, URLs, and scheduled jobs before enabling them.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution

SeverityHighConfidenceHighStatusConcern

scripts/workflow-engine.py

import subprocess ... elif action == 'shell.exec': return self.shell_exec(params)

Workflow steps dispatch to a shell execution action, and no command allowlist or approval boundary is shown around that action.

User impactA workflow definition can cause operating-system commands to run with the user's local permissions.

RecommendationTreat workflow JSON files as executable code; only run trusted workflows, require explicit confirmation for shell.exec, and disable or allowlist shell commands by default.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

scripts/workflow-engine.py

params = step.get('params', {}) ... elif action == 'file.delete': return self.file_delete(params) ... os.remove(path) ... shutil.rmtree(path)

File paths come from workflow step parameters, and the delete action can remove either files or entire directories with no path scope, dry-run, or confirmation shown.

User impactA mistaken or untrusted workflow could delete or move important local files that the user account can access.

RecommendationRun workflows in a restricted workspace or low-privilege account, add path allowlists, and require user confirmation before delete, move, archive extraction, or overwrite actions.

Rogue Agents

SeverityLowConfidenceMediumStatusNote

SKILL.md

auto-workflow run backup --source ~/documents --dest ~/backups --schedule "0 2 * * *"

The skill intentionally supports recurring scheduled workflows; this is disclosed, but lifecycle controls such as viewing, stopping, or limiting scheduled jobs are not described.

User impactA scheduled workflow may continue running later and repeatedly modify, back up, or clean up files after the initial setup.

RecommendationBefore enabling schedules, verify where they are registered, how to list and cancel them, and whether each recurring action has clear limits.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill; Code file presence: scripts/workflow-engine.py

The package includes runnable code and documents CLI-style usage, but the source provenance and installation path are not clearly declared.

User impactUsers have less information for verifying where the engine came from or how the documented command is installed and invoked.

RecommendationVerify the publisher and package contents before use, and prefer a clearly documented installation path with reviewed code provenance.