Scan Report
5/100
content-workflow-engine
Automate end-to-end content workflows from ideation to publication and distribution
This is a legitimate content workflow automation skill with no malicious behavior detected. All functionality is accurately documented, scripts use standard Python libraries, and no hidden exfiltration or credential harvesting was found.
Safe to install
This skill is safe to use. Follow standard security practices: never commit api_config.json with real credentials, use environment variables for API keys in production, and rotate keys regularly.
Findings 3 items
| Severity | Finding | Location |
|---|---|---|
| Low | Configuration template contains credential placeholders | assets/config/api_config.example.json:1 |
| Info | subprocess usage for script execution | scripts/workflow_templates/blog_automated.py:195 |
| Info | File system operations scoped to specific directories | scripts/ |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | WRITE | ✓ Aligned | Scripts write to workflows/, reports/, brainstorm_output/ directories - scoped a… |
| Network | READ | READ | ✓ Aligned | Makes API calls to WordPress, social media platforms as declared in SKILL.md |
| Shell | WRITE | WRITE | ✓ Aligned | Uses subprocess for Python script execution, documented and expected for CLI too… |
| Environment | NONE | NONE | — | No environment variable access observed in code |
6 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://yourblog.com/wp-json | SKILL.md:234 |
| Medium | External URL | https://yourdomain.com/health | assets/config/api_config.example.json:117 |
| Info | Email | [email protected] | CLAWHUB_LISTING.md:282 |
| Info | Email | [email protected] | CLAWHUB_LISTING.md:347 |
| Info | Email | [email protected] | assets/config/api_config.example.json:39 |
| Info | Email | [email protected] | assets/config/api_config.example.json:115 |
File Tree
15 files · 103.1 KB · 3374 lines
Markdown 6f · 1855L
Python 4f · 1135L
JSON 4f · 264L
JavaScript 1f · 120L
├─ assets
│  ├─ config
│  │  └─ api_config.example.json (JSON)
│  └─ templates
│     ├─ social
│     │  └─ twitter_template.json (JSON)
│     └─ blog_template.md (Markdown)
├─ references
│  ├─ scheduled_blog.md (Markdown)
│  └─ social_multi.md (Markdown)
├─ scripts
│  ├─ workflow_templates
│  │  └─ blog_automated.py (Python)
│  ├─ brainstorm.py (Python)
│  ├─ create_workflow.py (Python)
│  └─ run_workflow.py (Python)
├─ test_workflows
│  └─ test-blog-pipeline.json (JSON)
├─ CLAWHUB_LISTING.md (Markdown)
├─ index.js (JavaScript)
├─ package.json (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies 1 item
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| No external Python dependencies | N/A | stdlib only | No | Uses only Python standard library (json, argparse, subprocess, pathlib, datetime) |
Security Positives
✓ No base64 encoding/decoding or obfuscation detected
✓ No reverse shell or C2 communication patterns
✓ No credential harvesting or environment variable exfiltration
✓ Documentation accurately describes all capabilities
✓ API credentials documented as requiring environment variables in production
✓ File operations are scoped to specific application directories
✓ Uses standard Python libraries (json, argparse, subprocess) without suspicious patterns
✓ No hidden HTML comments or embedded payloads
✓ Test workflow file validates the implementation is legitimate
✓ Dependencies properly declared (no untracked packages)