workflow-migrate
by kevdogg102396-afk · v1.0.0
511 Downloads · 1 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install workflow-migrate
Description
Migrate N8N/Zapier/Make workflows to production-grade Python or Node.js scripts. Given a workflow description or paste, rewrites automation logic with retry,...
Usage Guidance
This skill appears to do what it says (generate production-style scripts) but has some inconsistencies you should address before installing:
1) The SKILL.md templates expect API keys and a .env file, but the skill metadata doesn't declare any required credentials. Confirm with the author which secrets you'll need and how they should be provided.
2) The allowed-tools include filesystem and shell access; avoid granting the agent access to workspace files that contain unrelated secrets (home dir, CI/CD credentials, SSH keys, etc.).
3) Inspect any generated scripts for hardcoded endpoints, excessive logging of sensitive payloads, and proper error handling before running them in production.
4) Run generated code in a sandbox or isolated environment, and rotate any secrets used for initial testing.
If you need higher assurance, ask the publisher for an explicit list of required env vars and a minimal reproduction that shows exactly which files will be read/written.
Capability Analysis
Type: OpenClaw Skill
Name: workflow-migrate
Version: 1.0.0
The skill is classified as suspicious due to significant prompt injection and code generation vulnerabilities, amplified by broad permissions. The agent is instructed to generate executable Python/Node.js scripts based on user input, which presents a code injection risk. Critically, the agent is also instructed to generate a new `SKILL.md` file (Step 6), which is an agent instruction file, creating a direct prompt injection surface where malicious user input could lead to the agent executing arbitrary commands or revealing sensitive information. The `allowed-tools` include `Bash`, `Read`, `Write`, and `Edit`, providing extensive capabilities that could be abused if these vulnerabilities are exploited. There is no clear evidence of intentional malicious behavior by the skill owner, but the potential for exploitation is high.
Capability Assessment
Purpose & Capability
The skill's name and description match the SKILL.md: it parses workflow descriptions and outputs runnable Python/Node scripts. However, the templates it generates assume use of environment variables (API_KEY, WEBHOOK_URL, etc.), .env files, and filesystem logging — none of which are declared in the skill metadata. That mismatch is noteworthy but may be an omission rather than malicious intent.
Instruction Scope
SKILL.md instructs the agent to parse user-provided workflow JSON/pastes, ask clarifying questions, and then generate, write, and edit full scripts (including config loading and log file creation). The declared allowed-tools (Read, Write, Edit, Bash, Glob, Grep, WebSearch) give the agent filesystem and shell capability; the instructions don't explicitly tell the agent to read arbitrary host files, but generated templates call load_dotenv() / require('dotenv') which will read a .env file if present. That combination gives the agent potential to read environment files in the workspace—this is within scope for code-generation but increases the risk of accidental exposure of unrelated secrets if the agent is granted broad file access.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. No downloads, package installs, or external installers are specified in the metadata.
Credentials
The skill metadata declares no required environment variables or credentials, yet the code templates expect secrets via environment variables (.env) such as API_KEY and WEBHOOK_URL. Requiring user API keys to reach third‑party APIs is reasonable, but the omission in metadata is a mismatch: the skill does not explicitly request those secrets up front, and the allowed-tools set could let the agent access .env or other local credential files. This creates an unclear credential surface and potential for accidental exposure or misuse of unrelated secrets.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The skill writes generated scripts and log files per its instructions, which is expected behavior for a code-generation/migration tool; there is no indication it tries to modify other skills or system-wide agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install workflow-migrate`
- After installation, invoke the skill by name or use `/workflow-migrate`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
workflow-migrate 1.0.0
- Initial release of workflow-migrate.
- Converts N8N, Zapier, or Make workflows into production-ready Python or Node.js scripts.
- Adds retry, exponential backoff, logging, and self-healing (alerts, idempotency, dead-letter queue, heartbeats) to migrated scripts.
- Guides users interactively when workflow input is vague.
- Generated scripts are runnable, testable, and billable as deliverables.
Frequently Asked Questions
What is workflow-migrate?
Migrate N8N/Zapier/Make workflows to production-grade Python or Node.js scripts. Given a workflow description or paste, rewrites automation logic with retry,... It is an AI Agent Skill for Claude Code / OpenClaw, with 511 downloads so far.
How do I install workflow-migrate?
Run "/install workflow-migrate" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is workflow-migrate free?
Yes, workflow-migrate is completely free (open-source). You can download, install and use it at no cost.
Which platforms does workflow-migrate support?
workflow-migrate is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created workflow-migrate?
It is built and maintained by kevdogg102396-afk (@kevdogg102396-afk); the current version is v1.0.0.