← Back to Skills Marketplace
51
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install flow-automation
Description
Create and manage automation workflows for repetitive tasks. Use when user needs to schedule periodic data sync, chain API calls, set up triggered actions, b...
README (SKILL.md)
Automation Workflow
Create and manage automation workflows for repetitive tasks.
Quick Start
# Install dependencies
pip install schedule requests
# Run a simple workflow
python scripts/workflow.py examples/simple.yaml
Core Concepts
- Trigger: What starts the workflow (time, webhook, file change)
- Actions: What gets executed (API calls, notifications, data transformations)
- Flow Control: Conditions, loops, error handling
Workflow Format (YAML)
name: daily-report
trigger:
type: schedule
cron: "0 9 * * *" # Daily at 9am
actions:
- name: fetch-data
type: http
config:
url: https://api.example.com/data
method: GET
- name: process
type: transform
config:
template: "Report: {{results.count}} items"
- name: notify
type: telegram
config:
chat_id: "{{env.CHAT_ID}}"
message: "{{processed}}"
Supported Triggers
- schedule: Cron-based scheduling
- webhook: HTTP POST/GET triggers
- file: Watch for file changes
- queue: Message queue triggers
Supported Actions
- http: Make HTTP requests
- telegram: Send Telegram messages
- email: Send emails
- transform: Data transformation
- storage: Save/load data
Usage Examples
See references/examples.md for more.
Daily Report Workflow
name: daily-sales
trigger:
type: schedule
cron: "0 8 * * *"
actions:
- type: http
name: get-sales
config:
url: https://api.shop.com/sales
- type: transform
name: format
config:
template: "Sales: ${{results.total}}"
- type: telegram
name: send
config:
message: "{{formatted}}"
Webhook Trigger
name: github-webhook
trigger:
type: webhook
path: /webhook/github
actions:
- type: transform
name: parse
config:
template: "New {{payload.action}} on {{payload.repository}}"
Script Usage
python scripts/workflow.py [OPTIONS]
Options:
--file PATH Workflow YAML file (required)
--run-once Run workflow once and exit
--daemon Run as background daemon
--env FILE Load environment variables
Best Practices
- Use environment variables for secrets
- Add error handling for each action
- Log actions for debugging
- Test workflows with --run-once first
Usage Guidance
This skill is plausible for running scheduled API calls and sending Telegram messages, but it has several red flags and bugs. Before installing or running: (1) review and fix the code's TLS handling — it disables SSL verification for outbound requests (insecure); (2) do not run it with sensitive credentials until you confirm how templates access environment variables — the template interpolation is simplistic and the docs' {{env.KEY}} usage may not work as expected; (3) the SKILL.md claims features (webhook triggers, file watchers, queue triggers, email/storage actions) that the script does not implement — treat those docs as inaccurate; (4) do not point workflows at untrusted external endpoints or supply real secrets in .env until you confirm where data is sent; (5) consider running in an isolated environment (container or VM) and inspect/patch the code (enable proper TLS verification, implement safe template resolution, and explicitly declare required env vars) before using in production.
Capability Analysis
Type: OpenClaw Skill
Name: flow-automation
Version: 1.0.0
The skill bundle contains significant security vulnerabilities in 'scripts/workflow.py'. Specifically, the script explicitly disables SSL certificate verification (setting 'verify_mode' to 'ssl.CERT_NONE' and 'check_hostname' to 'False') for both generic HTTP actions and Telegram notifications, exposing the agent to Man-in-the-Middle (MITM) attacks. Furthermore, the workflow engine injects the entire process environment ('os.environ') into the template context, which allows any workflow YAML to easily exfiltrate sensitive system secrets or API keys via the 'http' action. While these are critical security flaws, they appear to be poorly implemented features rather than intentional malware.
Capability Assessment
Purpose & Capability
The name/description (general-purpose automation: schedules, webhooks, file watchers, queues, storage, email) is broader than the shipped implementation. The Python script implements scheduled workflows, http, telegram, transform, and log actions only; webhook/file/queue triggers and actions like email/storage referenced in SKILL.md are not implemented. The SKILL metadata declares no required credentials while the code expects TELEGRAM_BOT_TOKEN for Telegram actions (and examples include .env use). These mismatches suggest sloppy or incomplete implementation.
Instruction Scope
SKILL.md instructs installing 'schedule' and 'requests' and using YAML placeholders like {{env.CHAT_ID}}. The runner loads an .env file into os.environ and exposes environment in context, but the interpolation implementation is a very simple string replace that does not support nested keys (e.g., {{env.KEY}}) as the docs imply — templates in the docs will often not work as advertised. The script also disables TLS verification for outbound HTTP(s) (ssl.CERT_NONE), which is insecure and increases risk if workflows contact untrusted endpoints. The instructions ask users to put secrets in .env; the code will load whatever file is provided and make network requests, so users could accidentally expose secrets to external endpoints defined in workflows.
Install Mechanism
There is no install spec (instruction-only install). SKILL.md recommends 'pip install schedule requests'. The code imports requests but does not actually use it; this is likely harmless but inconsistent. No downloads or archive extraction are performed.
Credentials
The skill metadata declares no required environment variables, but the code expects TELEGRAM_BOT_TOKEN for Telegram actions and examples show TELEGRAM_BOT_TOKEN and REPORT_CHAT_ID in .env. Requiring a bot token is reasonable for Telegram functionality, but the omission from metadata is a transparency issue. Because the runner can load any .env file the user supplies, there is a risk of inadvertently exposing credentials to workflow-defined HTTP endpoints (especially with TLS verification disabled).
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges or modify other skills. It is an instruction-and-script package run by the user; autonomous invocation is allowed (default) which is expected for skills but not an additional flag here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install flow-automation - After installation, invoke the skill by name or use
/flow-automation - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: YAML-based automation workflow engine
Metadata
Frequently Asked Questions
What is Automation Workflow?
Create and manage automation workflows for repetitive tasks. Use when user needs to schedule periodic data sync, chain API calls, set up triggered actions, b... It is an AI Agent Skill for Claude Code / OpenClaw, with 51 downloads so far.
How do I install Automation Workflow?
Run "/install flow-automation" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Automation Workflow free?
Yes, Automation Workflow is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Automation Workflow support?
Automation Workflow is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Automation Workflow?
It is built and maintained by BIN (@dinghaibin); the current version is v1.0.0.
More Skills