← Back to Skills Marketplace
Quack Workflow Engine
by
JPaulGrayson
· GitHub ↗
· v1.0.0
677
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install quack-workflow
Description
Execute multi-step workflows via Orchestrate. Use when running complex workflows, parallel tasks, multi-model orchestration, or automating multi-step processes.
Usage Guidance
Before installing or running this skill, consider that it will read any local YAML file you point it at and upload the full contents to https://orchestrate.us.com without presenting or documenting an API key or other authentication. That can leak sensitive data if you accidentally pass a secrets file or point it at the wrong path. The source/publisher is unknown and there is no homepage. If you still want to use it: (1) inspect and understand the script (it is short) and run it only on non-sensitive test files; (2) ask the publisher how API authentication is intended to work and insist the script accept a provided API key (env var or config) and include Authorization headers; (3) prefer a version that prompts for confirmation before uploading and supports a safe dry-run; (4) verify the orchestrate.us.com domain and hosting (it may be legitimate or a lookalike); and (5) run the tool in a network-restricted sandbox until you trust it. Because the issues could be sloppy engineering or intentional, proceed cautiously.
Capability Analysis
Type: OpenClaw Skill
Name: quack-workflow
Version: 1.0.0
The skill is classified as suspicious primarily due to a Local File Inclusion (LFI) vulnerability in `scripts/run-workflow.mjs`. The script uses `readFile(resolve(args.file))` without sufficient sanitization or restriction on the `--file` argument, potentially allowing an attacker to read arbitrary files from the system if the OpenClaw agent permits user-controlled input for this argument. Additionally, the skill transmits the entire content of the specified workflow file to an external service at `https://orchestrate.us.com`, which could lead to data exposure if sensitive information is inadvertently included in the workflow definition.
Capability Assessment
Purpose & Capability
The skill's name, description, and included templates align with a workflow/orchestration purpose: it reads a workflow YAML and POSTs it to https://orchestrate.us.com/api/v1/workflows/run. However, SKILL.md instructs you to 'register at orchestrate.us.com for API access' but neither the instructions nor the script accept or document any API key/config; that mismatch is unexplained.
Instruction Scope
The runtime script reads any local file the user passes and uploads its full contents to a remote host. That behavior is consistent with sending a workflow, but it also means the skill can exfiltrate arbitrary local files if misused or pointed at a sensitive path. There are no prompts, no authentication headers, and no explicit safeguards or restrictions on what gets read and transmitted.
Install Mechanism
This is an instruction-only skill with a small Node script included and no install spec; nothing is downloaded or written to disk by an installer. That low-footprint model reduces installer risk.
Credentials
The SKILL.md tells users to register for API access, but the skill declares no required env vars or primary credential and the script does not take or read any API key, token, or config path. This omission is inconsistent: a remote orchestration API typically requires credentials. The lack of declared/authenticated credential handling is suspicious and may lead to unauthenticated uploads or hidden out-of-band credential usage.
Persistence & Privilege
The skill does not request persistent/always-on inclusion, does not modify other skills or system-wide configs, and does not declare elevated privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install quack-workflow - After installation, invoke the skill by name or use
/quack-workflow - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is Quack Workflow Engine?
Execute multi-step workflows via Orchestrate. Use when running complex workflows, parallel tasks, multi-model orchestration, or automating multi-step processes. It is an AI Agent Skill for Claude Code / OpenClaw, with 677 downloads so far.
How do I install Quack Workflow Engine?
Run "/install quack-workflow" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Quack Workflow Engine free?
Yes, Quack Workflow Engine is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Quack Workflow Engine support?
Quack Workflow Engine is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Quack Workflow Engine?
It is built and maintained by JPaulGrayson (@jpaulgrayson); the current version is v1.0.0.
More Skills