Is automation-workflows safe?

https://clawhub.ai/JK-0001/automation-workflows

85
SAFE

This skill is a benign, passive knowledge document that provides solopreneurs with guidance on building automation workflows using no-code tools. It contains no executable code, no prompt injection attempts, no data exfiltration vectors, and no agent directives. The only noteworthy observations are platform-level file reads during installation (standard OpenClaw runtime behavior) and overly broad trigger keywords.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 72/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (7)

LOW Broad trigger keyword activation -5

The skill's trigger keywords include generic phrases like 'save time', 'reduce manual work', and 'workflow' which could cause unintended skill activation during unrelated conversations. This is a usability concern rather than a security vulnerability.

LOW Instructional tone without explicit agent boundaries -5

The skill uses directive language ('spend 1 hour on this', 'start here', 'test with real data') which is appropriate for user guidance but slightly blurs the line between advising the user and instructing the agent. No actual prompt injection is present.

INFO Platform runtime reads sensitive files during bootstrap -8

The OpenClaw runtime (not the skill itself) reads .env, .aws/credentials, and auth-profiles.json during the install process. This is standard platform behavior but worth noting — the skill did not cause these reads.

INFO Lock file created during install 0

A lock file was created at /tmp/openclaw-1000/gateway.e9191928.lock during installation, which is standard OpenClaw gateway behavior for preventing concurrent operations.

INFO JIT compilation cache created in /tmp 0

Multiple .cjs files were created in /tmp/jiti/ during installation. These are jiti (Just-In-Time Transpilation) cache files from the OpenClaw runtime, not skill-initiated behavior.

INFO Skill references third-party services without directing agent access -5

The skill mentions Zapier, Make, n8n, Stripe, HubSpot, Airtable, and other services in workflow examples. These are purely educational references — the skill never instructs the agent to authenticate with or connect to these services.

LOW AWS credentials file accessed during platform bootstrap -20

The file /home/oc-exec/.aws/credentials was opened during the install process. While attributable to the OpenClaw platform rather than the skill, this access to cloud credentials during any skill installation is a platform-level concern.