Trusted — Risk Score 5/100
Last scan: 2 days ago
openclaw-workflow
OC-Flow: Deterministic workflow engine for OpenClaw via YAML playbooks — conditionals, loops, scripts, LLM/Agent/Skill calls, subagents, HTTP, messaging.
OpenClaw Workflow is a legitimate deterministic YAML workflow engine for OpenClaw with no malicious behavior. All capabilities are declared or are obvious features of a workflow automation tool. There is a minor documentation gap on filesystem:WRITE, but it does not constitute a security risk.
Skill Name: openclaw-workflow
Duration: 71.5s
Engine: pi
Safe to install
No action required. This is a genuine OpenClaw skill. Monitor for any suspicious workflow YAML files that may be shared/mounted into the engine.

Findings 5 items

Severity Finding Location
Low
Undeclared filesystem WRITE permission
The script node writes inline Python code to temp files before executing it. SKILL.md declares 'script' node but does not explicitly state filesystem WRITE capability. The filesystem:WRITE permission is not declared in allowed-tools mapping.
with tempfile.NamedTemporaryFile(mode='w', suffix='.py', delete=False) as f:
    f.write(ctx.resolve(inline))
    tmp_path = f.name
→ Add filesystem:WRITE to allowed-tools mapping in SKILL.md metadata if the skill's declared permissions are meant to be explicit.
scripts/engine/nodes.py:43
Info
Arbitrary shell command execution in script node
The script node uses subprocess.run(shell=True) with user-supplied commands. This is expected for a workflow automation tool and is implied by the 'script' node documentation in SKILL.md.
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=timeout, cwd=cwd, env={**os.environ, **{k: str(v) for k, v in (step.get('env') or {}).items()}})
→ No action needed — this is the declared functionality of the script node.
scripts/engine/nodes.py:56
Info
CLI-based Gateway RPC
The GatewayBridge uses subprocess to call 'openclaw gateway call' CLI commands. This is the intended integration mechanism with OpenClaw, not a covert channel.
subprocess.run(['openclaw', 'gateway', 'call', method, '--json', ...])
→ No action needed — this is the documented OpenClaw integration mechanism.
scripts/engine/bridge.py:205
Info
Sandbox restricts dangerous builtins
The code node sandbox properly excludes dangerous builtins like os.system, subprocess, eval, exec, and __import__. Allowed modules are whitelisted. This is well-designed security for a code execution feature.
SAFE_BUILTINS = {...} (no os.system, subprocess, eval, exec, __import__)
→ No action needed — sandbox is well-designed.
scripts/engine/sandbox.py:15
Info
Requirements pinned with lower bounds
requirements.txt specifies 'pyyaml>=6.0' and 'streamlit>=1.30.0'. These are acceptable with lower-bound pinning for a skill package.
pyyaml>=6.0
streamlit>=1.30.0
→ Consider exact pinning for production, but lower-bound is acceptable for skill packages.
scripts/requirements.txt:1
Resource Declared Inferred Status Evidence
Filesystem NONE WRITE ✓ Aligned scripts/engine/nodes.py:run_script (tempfile.NamedTemporaryFile)
Shell NONE WRITE ✓ Aligned scripts/engine/nodes.py:run_script — subprocess.run with user command, implied b…
Network NONE READ ✓ Aligned scripts/engine/nodes.py:run_http — urllib HTTP requests; SKILL.md declares 'http…
Environment NONE READ ✓ Aligned scripts/engine/context.py:_resolve_path — env.VAR access; SKILL.md documents {{e…
Skill Invoke NONE WRITE ✓ Aligned scripts/engine/nodes.py:run_skill — Gateway bridge calls OpenClaw skills; SKILL.…
Clipboard NONE NONE N/A
Browser NONE NONE N/A
Database NONE NONE N/A
6 findings
Medium External URL
https://api.example.com/data
SKILL.md:91
Medium External URL
https://api.example.com/v1/report
SKILL.md:528
Medium External URL
https://httpbin.org/get
references/examples/comprehensive_test.yaml:183
Medium External URL
https://httpbin.org/post
references/examples/comprehensive_test.yaml:202
Medium External URL
https://official-joke-api.appspot.com/random_joke
references/examples/http_pipeline.yaml:17
Medium External URL
https://httpbin.org/ip
references/examples/http_pipeline.yaml:42

File Tree

21 files · 223.6 KB · 6276 lines
Python 9f · 4505L Markdown 4f · 923L YAML 7f · 846L Text 1f · 2L
├─ 📁 references
│ ├─ 📁 examples
│ │ ├─ 📋 basic_test.yaml YAML 102L · 2.4 KB
│ │ ├─ 📋 comprehensive_test.yaml YAML 410L · 13.9 KB
│ │ ├─ 📋 deep_integration.yaml YAML 31L · 1.1 KB
│ │ ├─ 📋 error_handling.yaml YAML 56L · 1.2 KB
│ │ ├─ 📋 http_pipeline.yaml YAML 54L · 1.4 KB
│ │ ├─ 📋 openclaw_integration.yaml YAML 54L · 1.5 KB
│ │ └─ 📋 subagent_test.yaml YAML 139L · 5.1 KB
│ └─ 📝 readme.md Markdown 111L · 4.1 KB
├─ 📁 scripts
│ ├─ 📁 engine
│ │ ├─ 🐍 __init__.py Python 5L · 107 B
│ │ ├─ 🐍 bridge.py Python 1133L · 44.8 KB
│ │ ├─ 🐍 context.py Python 233L · 8.4 KB
│ │ ├─ 🐍 engine.py Python 859L · 32.8 KB
│ │ ├─ 🐍 nodes.py Python 1269L · 48.6 KB
│ │ ├─ 🐍 sandbox.py Python 138L · 4.4 KB
│ │ └─ 🐍 schema.py Python 176L · 6.0 KB
│ ├─ 🐍 dashboard.py Python 495L · 17.9 KB
│ ├─ 🐍 openclaw_workflow.py Python 197L · 6.1 KB
│ └─ 📄 requirements.txt Text 2L · 30 B
├─ 📝 README_ZH.md Markdown 48L · 1.2 KB
├─ 📝 README.md Markdown 48L · 1.3 KB
└─ 📝 SKILL.md Markdown 716L · 21.4 KB

Dependencies 2 items

Package Version Source Known Vulns Notes
pyyaml >=6.0 pip No Lower-bound pinning, acceptable for skill package
streamlit >=1.30.0 pip No Lower-bound pinning, dashboard only

Security Positives

✓ No base64-encoded payloads piped into bash
✓ No direct IP network requests to external servers
✓ No eval(), atob(), or dynamic code execution on untrusted input
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
✓ No curl|bash or wget|sh remote script execution
✓ No credential harvesting or data exfiltration
✓ No hidden functionality — all features are present in SKILL.md (script node implies shell access)
✓ Sandbox properly excludes dangerous builtins (os.system, subprocess, eval, exec, __import__)
✓ Module imports in sandbox are whitelisted
✓ Session cleanup in finally block prevents resource leaks
✓ Clean architecture: Gateway RPC for AI calls, local subprocess for CLI tools
✓ Requirements use version pinning with lower bounds