workflow-migrate
Author: kevdogg102396-afk · v1.0.0
Total downloads: 511
Favorites: 1
Current installs: 0
Versions: 1
Install in OpenClaw
/install workflow-migrate
Description
Migrate N8N/Zapier/Make workflows to production-grade Python or Node.js scripts. Given a workflow description or paste, rewrites automation logic with retry,...
Security usage recommendations
This skill appears to do what it says (generate production-style scripts) but has some inconsistencies you should address before installing:
1) The SKILL.md templates expect API keys and a .env file, but the skill metadata doesn't declare any required credentials. Confirm with the author which secrets you'll need and how they should be provided.
2) The allowed-tools include filesystem and shell access; avoid granting the agent access to workspace files that contain unrelated secrets (home dir, CI/CD credentials, SSH keys, etc.).
3) Inspect any generated scripts for hardcoded endpoints, excessive logging of sensitive payloads, and proper error handling before running them in production.
4) Run generated code in a sandbox or isolated environment, and rotate any secrets used for initial testing.
If you need higher assurance, ask the publisher for an explicit list of required env vars and a minimal reproduction that shows exactly which files will be read/written.
Functional analysis
Type: OpenClaw Skill
Name: workflow-migrate
Version: 1.0.0
The skill is classified as suspicious due to significant prompt injection and code generation vulnerabilities, amplified by broad permissions. The agent is instructed to generate executable Python/Node.js scripts based on user input, which presents a code injection risk. Critically, the agent is also instructed to generate a new `SKILL.md` file (Step 6), which is an agent instruction file, creating a direct prompt injection surface where malicious user input could lead to the agent executing arbitrary commands or revealing sensitive information. The `allowed-tools` include `Bash`, `Read`, `Write`, and `Edit`, providing extensive capabilities that could be abused if these vulnerabilities are exploited. There is no clear evidence of intentional malicious behavior by the skill owner, but the potential for exploitation is high.
Capability assessment
Purpose & Capability
The skill's name and description match the SKILL.md: it parses workflow descriptions and outputs runnable Python/Node scripts. However, the templates it generates assume use of environment variables (API_KEY, WEBHOOK_URL, etc.), .env files, and filesystem logging — none of which are declared in the skill metadata. That mismatch is noteworthy but may be an omission rather than malicious intent.
Instruction Scope
SKILL.md instructs the agent to parse user-provided workflow JSON/pastes, ask clarifying questions, and then generate, write, and edit full scripts (including config loading and log file creation). The declared allowed-tools (Read, Write, Edit, Bash, Glob, Grep, WebSearch) give the agent filesystem and shell capability; the instructions don't explicitly tell the agent to read arbitrary host files, but generated templates call load_dotenv() / require('dotenv') which will read a .env file if present. That combination gives the agent potential to read environment files in the workspace—this is within scope for code-generation but increases the risk of accidental exposure of unrelated secrets if the agent is granted broad file access.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. No downloads, package installs, or external installers are specified in the metadata.
Credentials
The skill metadata declares no required environment variables or credentials, yet the code templates expect secrets via environment variables (.env) such as API_KEY and WEBHOOK_URL. Requiring user API keys to reach third‑party APIs is reasonable, but the omission in metadata is a mismatch: the skill does not explicitly request those secrets up front, and the allowed-tools set could let the agent access .env or other local credential files. This creates an unclear credential surface and potential for accidental exposure or misuse of unrelated secrets.
Persistence & Privilege
`always` is false and the skill is user-invocable (normal). The skill writes generated scripts and log files per its instructions, which is expected behavior for a code-generation/migration tool; there is no indication it tries to modify other skills or system-wide agent settings.
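How to use
- Make sure OpenClaw is installed (locally or deployed via Docker)
- Enter the install command in the dialog box: /install workflow-migrate
- Once installation completes, invoke the Skill by name or trigger it with /workflow-migrate
- Provide the required input according to the Skill's parameter description to get structured output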
Version history
v1.0.0
workflow-migrate 1.0.0
- Initial release of workflow-migrate.
- Converts N8N, Zapier, or Make workflows into production-ready Python or Node.js scripts.
- Adds retry, exponential backoff, logging, and self-healing (alerts, idempotency, dead-letter queue, heartbeats) to migrated scripts.
- Guides users interactively when workflow input is vague.
- Generated scripts are runnable, testable, and billable as deliverables.
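Metadata
FAQ
What is workflow-migrate?
Migrate N8N/Zapier/Make workflows to production-grade Python or Node.js scripts. Given a workflow description or paste, rewrites automation logic with retry,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 511 cumulative downloads to date.
How do I install workflow-migrate?
Run the command "/install workflow-migrate" in the OpenClaw or Claude Code dialog box to install it in one step; no additional configuration is required.
Is workflow-migrate free?
Yes, workflow-migrate is completely free (open source and free of charge) and can be freely downloaded, installed, and used.
Which platforms does workflow-migrate support?
workflow-migrate runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed workflow-migrate?
Developed and maintained by kevdogg102396-afk (@kevdogg102396-afk); the current version is v1.0.0.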