← 返回 Skills 市场

Workflow Orchestrator

Name: Workflow Orchestrator
Author: trypto1019

作者 ArcSelf · GitHub ↗ · v1.1.0

darwinlinux ⚠ suspicious

1800

总下载

当前安装

版本数

在 OpenClaw 中安装

/install arc-workflow-orchestrator

功能描述

Chain skills into automated pipelines with conditional logic, error handling, and audit logging. Define workflows in YAML or JSON, then execute them hands-fr...

使用说明 (SKILL.md)

Workflow Orchestrator

Chain skills into automated pipelines. Define a sequence of steps, and the orchestrator runs them in order with conditional logic, error handling, and optional audit logging.

Why This Exists

Agents run multiple skills but manually. Scan a skill, diff against the previous version, deploy if safe, log the result. That's 4 steps, 4 commands, and one missed step means a gap in your process. Workflows automate the sequence and ensure nothing gets skipped.

Commands

Run a workflow from a YAML file

python3 {baseDir}/scripts/orchestrator.py run --workflow workflow.yaml

Run a workflow from JSON

python3 {baseDir}/scripts/orchestrator.py run --workflow workflow.json

Dry run (show steps without executing)

python3 {baseDir}/scripts/orchestrator.py run --workflow workflow.yaml --dry-run

List available workflow templates

python3 {baseDir}/scripts/orchestrator.py templates

Validate a workflow file

python3 {baseDir}/scripts/orchestrator.py validate --workflow workflow.yaml

Workflow Format (YAML)

name: secure-deploy
description: Scan, diff, deploy, and audit a skill update
steps:
  - name: scan
    command: python3 ~/.openclaw/skills/skill-scanner/scripts/scanner.py scan --path {skill_path} --json
    on_fail: abort
    save_output: scan_result

  - name: diff
    command: python3 ~/.openclaw/skills/skill-differ/scripts/differ.py diff {skill_path} {previous_path}
    on_fail: warn

  - name: deploy
    command: python3 ~/.openclaw/skills/skill-gitops/scripts/gitops.py deploy {skill_path}
    condition: scan_result.verdict != "CRITICAL"
    on_fail: rollback

  - name: audit
    command: python3 ~/.openclaw/skills/compliance-audit/scripts/audit.py log --action "skill_deployed" --details '{"skill": "{skill_name}", "scan": "{scan_result.verdict}"}'
    on_fail: warn

Step Options

name — Human-readable step name
command — Shell command to execute (supports variable substitution)
on_fail — What to do if the step fails: abort (stop workflow), warn (log and continue), rollback (undo previous steps), retry (retry up to 3 times)
condition — Optional condition to check before running (references saved outputs)
save_output — Save stdout to a named variable for use in later steps
timeout — Max seconds to wait (default: 60)

Variable Substitution

Use {variable_name} in commands to reference:

Workflow-level variables defined in the vars section
Saved outputs from previous steps
Environment variables with {env.VAR_NAME}

Built-in Templates

The orchestrator ships with these workflow templates:

secure-deploy — Scan → Diff → Deploy → Audit
daily-scan — Scan all installed skills, report findings
pre-install — Scan → Typosquat check → Install → Audit

Example: Secure Deploy Pipeline

name: secure-deploy
vars:
  skill_path: ~/.openclaw/skills/my-skill
  skill_name: my-skill
steps:
  - name: security-scan
    command: python3 ~/.openclaw/skills/skill-scanner/scripts/scanner.py scan --path {skill_path} --json
    save_output: scan
    on_fail: abort
  - name: deploy
    command: echo "Deploying {skill_name}..."
    condition: "CRITICAL not in scan"
    on_fail: abort
  - name: log
    command: python3 ~/.openclaw/skills/compliance-audit/scripts/audit.py log --action workflow_complete --details '{"workflow": "secure-deploy", "skill": "{skill_name}"}'

Tips

Start with --dry-run to verify your workflow before executing
Use on_fail: abort for security-critical steps
Chain with the compliance audit skill for full traceability
Keep workflows in version control for reproducibility

安全使用建议

This skill is plausible for automating local pipelines, but there are important inconsistencies to address before trusting it: (1) The SKILL.md says you can use {env.VAR_NAME}, but the code blocks env substitution — so environment values will not be injected as documented. (2) The script blocks many shell metacharacters (including '{','}','$', '|', ';', etc.), yet examples and templates include JSON blobs and other characters that will likely cause the orchestrator to 'BLOCK' those steps. (3) The orchestrator executes arbitrary local commands and other skill scripts under your user account — review any workflows and the target scripts (~/.openclaw/skills/...) for sensitive file reads or network calls before running. Recommended precautions: run with --dry-run first, inspect and test workflows and templates locally, verify PyYAML behavior if you use YAML workflows, and only point workflows at trusted skill scripts. If you need environment-variable substitution or JSON payloads in commands, either modify the orchestrator to safely support them or avoid using this skill until those mismatches are fixed.

功能分析

Type: OpenClaw Skill Name: arc-workflow-orchestrator Version: 1.1.0 The `SKILL.md` documentation explicitly instructs the AI agent that it supports variable substitution for environment variables using `{env.VAR_NAME}`. This constitutes a prompt injection vulnerability, as it could lead the agent to access and potentially expose sensitive environment variables. While the `orchestrator.py` script attempts to mitigate this by explicitly blocking `env.` variable access during its own substitution process, the instruction in the markdown itself is a high-risk signal for an AI agent that interprets these instructions. Additionally, the skill's core functionality involves executing arbitrary shell commands defined in workflows, which, despite `_validate_command` and `shell=False` protections, always carries inherent risk if the validation is bypassed or incomplete.

能力评估

✓ Purpose & Capability

Name and description (workflow orchestration) align with the included Python script and required binary (python3). It legitimately needs to execute local skill scripts (e.g., scanner, gitops, audit) to implement pipelines.

⚠ Instruction Scope

SKILL.md promises variable substitution including environment variables ({env.VAR_NAME}) and shows commands with JSON payloads, braces, and other shell characters. The implementation explicitly blocks {env.*} substitutions and rejects many shell metacharacters (including '{', '}', '$', '`', '|', ';', etc.) after substitution. This is an inconsistency: the docs suggest richer substitution and shell-like commands, while the runtime forbids them — templates and examples in SKILL.md likely contain characters that will be blocked. The orchestrator can run arbitrary local commands (expected for its purpose) but that capability means workflows must be trusted and reviewed.

✓ Install Mechanism

No install spec; single Python script included. Instruction-only / script bundle is low-install-risk. YAML support depends on PyYAML being present; otherwise only JSON workflows are supported.

⚠ Credentials

The skill declares no required environment variables (proportional). However, SKILL.md claims environment variable substitution is available while the code deliberately blocks access to {env.*} and also rejects '$' in commands. This mismatch is confusing and could lead operators to assume environment values will be used when they will not (or remain as literal placeholders).

✓ Persistence & Privilege

Does not request persistent/always-on presence and does not modify other skills' config. It runs with the invoking user's privileges when executing commands (normal for an orchestrator), so workflows will have the same local access rights as the user.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install arc-workflow-orchestrator
安装完成后，直接呼叫该 Skill 的名称或使用 /arc-workflow-orchestrator 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.1.0

- Initial release of version 1.1.0. - Updated core logic in scripts/orchestrator.py.

v1.0.1

arc-workflow-orchestrator 1.0.1 - Updated scripts/orchestrator.py (details not shown). - No changes to user-facing documentation or workflow usage.

v1.0.0

Initial release of workflow-orchestrator. - Automate multi-step skill operations with YAML/JSON-defined workflows - Supports conditional logic, error handling, audit logging, and variable substitution - Includes built-in workflow templates (secure-deploy, daily-scan, pre-install) - Offers dry run, file validation, and template listing commands - Designed for security-gated deployments, scheduled tasks, and agent automation

元数据

Slug arc-workflow-orchestrator

版本 1.1.0

许可证 —

累计安装 13

当前安装数 12

历史版本数 3

常见问题