Quack Workflow Engine
Author: JPaulGrayson · v1.0.0
Total downloads: 677
Favorites: 0
Current installs: 2
Versions: 1
Install in OpenClaw
/install quack-workflow
Description
Execute multi-step workflows via Orchestrate. Use when running complex workflows, parallel tasks, multi-model orchestration, or automating multi-step processes.
Security Recommendations
Before installing or running this skill, consider that it will read any local YAML file you point it at and upload the full contents to https://orchestrate.us.com without presenting or documenting an API key or other authentication. That can leak sensitive data if you accidentally pass a secrets file or point it at the wrong path. The source/publisher is unknown and there is no homepage. If you still want to use it: (1) inspect and understand the script (it is short) and run it only on non-sensitive test files; (2) ask the publisher how API authentication is intended to work and insist the script accept a provided API key (env var or config) and include Authorization headers; (3) prefer a version that prompts for confirmation before uploading and supports a safe dry-run; (4) verify the orchestrate.us.com domain and hosting (it may be legitimate or a lookalike); and (5) run the tool in a network-restricted sandbox until you trust it. Because the issues could be sloppy engineering or intentional, proceed cautiously.
Functional Analysis
Type: OpenClaw Skill
Name: quack-workflow
Version: 1.0.0
The skill is classified as suspicious primarily due to a Local File Inclusion (LFI) vulnerability in `scripts/run-workflow.mjs`. The script uses `readFile(resolve(args.file))` without sufficient sanitization or restriction on the `--file` argument, potentially allowing an attacker to read arbitrary files from the system if the OpenClaw agent permits user-controlled input for this argument. Additionally, the skill transmits the entire content of the specified workflow file to an external service at `https://orchestrate.us.com`, which could lead to data exposure if sensitive information is inadvertently included in the workflow definition.
Capability Assessment
Purpose & Capability
The skill's name, description, and included templates align with a workflow/orchestration purpose: it reads a workflow YAML and POSTs it to https://orchestrate.us.com/api/v1/workflows/run. However, SKILL.md instructs you to 'register at orchestrate.us.com for API access' but neither the instructions nor the script accept or document any API key/config; that mismatch is unexplained.
Instruction Scope
The runtime script reads any local file the user passes and uploads its full contents to a remote host. That behavior is consistent with sending a workflow, but it also means the skill can exfiltrate arbitrary local files if misused or pointed at a sensitive path. There are no prompts, no authentication headers, and no explicit safeguards or restrictions on what gets read and transmitted.
Install Mechanism
This is an instruction-only skill with a small Node script included and no install spec; nothing is downloaded or written to disk by an installer. That low-footprint model reduces installer risk.
Credentials
The SKILL.md tells users to register for API access, but the skill declares no required env vars or primary credential and the script does not take or read any API key, token, or config path. This omission is inconsistent: a remote orchestration API typically requires credentials. The lack of declared/authenticated credential handling is suspicious and may lead to unauthenticated uploads or hidden out-of-band credential usage.
Persistence & Privilege
The skill does not request persistent/always-on inclusion, does not modify other skills or system-wide configs, and does not declare elevated privileges.
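How to Use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install quack-workflow
- Once installation completes, call the Skill by name or use /quack-workflow to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version History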
v1.0.0
Initial release
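FAQ
What is Quack Workflow Engine?
Execute multi-step workflows via Orchestrate. Use when running complex workflows, parallel tasks, multi-model orchestration, or automating multi-step processes. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 677 cumulative downloads to date.
How do I install Quack Workflow Engine?
Run the command "/install quack-workflow" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Quack Workflow Engine free?
Yes, Quack Workflow Engine is completely free (open source and free of charge) and can be freely downloaded, installed, and used.
Which platforms does Quack Workflow Engine support?
Quack Workflow Engine is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Quack Workflow Engine?
It is developed and maintained by JPaulGrayson (@jpaulgrayson); the current version is v1.0.0.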