Is clawflows safe?
https://clawhub.ai/Cluka-399/clawflows
ClawFlows is a workflow automation orchestrator that downloads and executes multi-step YAML automations from a remote registry (clawflows.com). This represents a significant remote code execution risk: the skill installs a globally-scoped npm CLI, fetches automation definitions from an attacker-controllable registry with no integrity verification, and executes chained shell commands through an opaque capability abstraction layer. Filesystem monitoring during installation revealed access to sensitive files including .aws/credentials and .env. The combination of remote code download, persistent cron scheduling, cross-step data flow, and shell injection surfaces in capability templates makes this a high-risk skill.
Findings (11)
CRITICAL (-50): Remote code execution via automation YAML download and run
The skill's core functionality is downloading YAML automation files from clawflows.com and executing them via 'clawflows run'. These automations chain shell commands through capability methods with no described integrity verification, code signing, or sandboxing. An attacker who controls or compromises the registry can execute arbitrary commands on the user's machine.
CRITICAL (-25): Global npm install with unrestricted install scripts
The skill requests 'npm i -g clawflows' which installs a package globally. npm packages can contain preinstall/postinstall hooks that execute arbitrary code with the user's full privileges. The package 'clawflows' is controlled by the skill author.
HIGH (-40): Sensitive file access during installation
Filesystem monitoring detected reads of .env, .aws/credentials, .openclaw/openclaw.json, and auth-profiles.json during the skill installation process. While some of these may be part of the openclaw platform's normal startup, the .aws/credentials access is highly suspicious and unnecessary for installing a workflow automation tool.
HIGH (-35): Automation framework enables indirect prompt injection via downloaded YAML
Downloaded automation YAML files define multi-step workflows that the agent executes. These YAML files are fetched from a remote registry and could contain instructions that manipulate agent behavior, chain dangerous operations, or override safety guardrails through the capability abstraction layer.
HIGH (-25): Shell injection surface in CAPABILITY.md templates
The skill documents a pattern where CAPABILITY.md files contain bash commands with variable interpolation using '${param}' syntax. If parameters are user-controlled or come from previous automation steps, this creates a direct shell injection vulnerability.
HIGH (-15): Persistent cron-based execution via scheduling
The 'clawflows enable' command sets up cron jobs for recurring automation execution. This means a single agent interaction can establish persistent, recurring code execution that continues without user oversight.
MEDIUM (-25): Automation data flow enables cross-step data exfiltration
The automation YAML format supports capturing output from one step and passing it to another via variable references. A malicious automation could read sensitive data in one step (e.g., database contents) and send it to an external service in the next step (e.g., via email or HTTP capability).
MEDIUM (-15): JIT-compiled JavaScript modules created during installation
Multiple .cjs files were created in /tmp/jiti/ during installation, indicating JavaScript JIT compilation. While this may be part of the openclaw platform's normal operation, it represents code execution during the clone/install phase.
MEDIUM (-40): Capability abstraction hides actual execution from agent and user
The skill deliberately abstracts away what actually runs behind each 'capability'. The agent sees high-level capability names but has no visibility into what shell commands or API calls execute. This opacity benefits portability but also enables hiding malicious behavior behind benign-sounding capability names.
LOW (-20): Force multiplier risk with other installed skills
Any skill that declares a capability becomes executable through clawflows automations. A benign skill could be weaponized through a malicious automation that calls its methods with crafted parameters.
INFO (0): Canary files intact
All honeypot files remained unmodified during the installation process. No direct canary exfiltration was detected.