Downloads: 4029
Stars: 3
Active Installs: 40
Versions: 1
Install in OpenClaw
/install workflow
Description
Build automated pipelines with reusable components, data flow between nodes, and state management.
Usage Guidance
Install only if you are comfortable treating this as workflow-authoring guidance that must be reviewed before execution. Do not expose the webhook example as written; add strict workflow-name allowlisting, resolved-path checks, signature and timestamp verification, and explicit user approval before running any selected workflow. Use least-privilege tokens, review generated run.sh files with dry-run first, and replace broad cron/removal/deletion examples with scoped, reversible procedures.
Capability Analysis
Type: OpenClaw Skill
Name: workflow
Version: 1.0.0
The skill bundle is primarily documentation for building automated workflows using standard Unix tools. It is classified as 'suspicious' due to a critical shell injection vulnerability identified in the `components.md` file, specifically within the 'Webhook Router (webhook-server.sh)' example. The example code directly uses an unsanitized `PATH` variable, derived from an incoming webhook request, to construct a `WORKFLOW` variable which is then used in a `cd` command and to execute `./run.sh`. This allows an attacker to inject arbitrary shell commands via the webhook path, leading to potential Remote Code Execution (RCE) if this example is implemented without proper input sanitization. There is no evidence of intentional malicious behavior, but this is a severe vulnerability.
Capability Assessment
Purpose & Capability
The skill's purpose is coherent: it teaches local workflow automation using shell scripts, jq/yq/curl, state files, logs, schedules, webhooks, and external notifications. Those capabilities are expected for this kind of skill.
Instruction Scope
The webhook router example derives the workflow name directly from an incoming request path, writes a trigger payload under that derived path, and starts ./run.sh with signature validation left as an unfinished comment. That is high-impact automatic execution from external input without enough scoping.
Install Mechanism
The bundle contains Markdown files only and no executable installer, binary, package script, or hidden startup mechanism. Required tools are disclosed as command-line dependencies.
Credentials
Local state, logs, intermediate JSON files, keychain-based secrets, curl calls, and cleanup commands are purpose-aligned, but the examples rely on users reviewing and constraining generated workflows before running them.
Persistence & Privilege
Cron scheduling and file-watcher/webhook triggers are disclosed and relevant to automation, but host crontab edits, broad crontab removal by grep, and rm -rf state/* recovery guidance lack strong guardrails or confirmation steps.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install workflow`
- After installation, invoke the skill by name or use `/workflow`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Frequently Asked Questions
What is Workflow?
Build automated pipelines with reusable components, data flow between nodes, and state management. It is an AI Agent Skill for Claude Code / OpenClaw, with 4029 downloads so far.
How do I install Workflow?
Run "/install workflow" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Workflow free?
Yes, Workflow is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Workflow support?
Workflow is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin).
Who created Workflow?
It is built and maintained by Iván (@ivangdavila); the current version is v1.0.0.