Is cluka-399/clawflows safe?

https://github.com/openclaw/skills/tree/main/skills/cluka-399/clawflows

67
CAUTION

ClawFlows is a superficially clean skill whose SKILL.md contains no prompt injection or direct credential theft. However, it is architecturally an automation execution broker: it automatically installs an unaudited global npm binary and then enables the agent to download and execute arbitrary code from the clawflows.com registry with no sandboxing, integrity verification, or code review. The _meta.json also contains anomalous version metadata (1.0.1 in history, 1.0.0 as latest), suggesting possible version manipulation. The skill is not malicious by itself but introduces a high-risk supply-chain execution surface that can be exploited after installation via the registry.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 25/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (7)

HIGH Automated global npm install of unaudited package -35

The SKILL.md frontmatter instructs the Clawbot platform to automatically install the 'clawflows' npm package globally (kind: node, package: clawflows). This bypasses manual review of the package's install scripts, postinstall hooks, and binary behavior. Global npm packages run with full user permissions and can spawn arbitrary processes.

HIGH Dynamic automation download-and-execute from unverified registry -40

The clawflows CLI workflow (clawflows install then clawflows run ) downloads automation YAML files from clawflows.com and executes them within the agent's context. There is no code signing, sandboxing, or integrity verification described. Any automation — including ones added after the skill is installed — can be executed by the agent, creating an unbounded supply-chain execution surface.

MEDIUM Automation registry enables latent credential exfiltration -38

The clawflows.com automation registry is outside the audited skill. Any automation the agent installs and runs has access to the agent's full filesystem and environment, including .env files, SSH keys, AWS credentials, and tokens. The skill's CAPABILITY.md pattern ('How to fulfill: ./scripts/my-script.sh') shows automations execute shell commands directly.

MEDIUM Version metadata inconsistency — possible downgrade or tampering -15

_meta.json lists 'latest' as version 1.0.0 (timestamp 1769868716399) while 'history' contains version 1.0.1 (timestamp 1769804804215). Semantically, 1.0.1 > 1.0.0 and should be the latest. Having a higher version number in 'history' while the lower version is marked 'latest' is anomalous and may indicate intentional version pinning to an older release, rollback to remove functionality, or metadata manipulation.

MEDIUM Trust escalation gateway — safe skill enables unsafe execution pipeline -50

This skill is architecturally a code execution broker. The SKILL.md content itself is benign, but installing it gives the agent the ability to download and execute arbitrary automations from clawflows.com. A threat actor who can influence what automations the agent installs (e.g., via a user request, a phishing prompt, or a compromised registry) gains arbitrary code execution in the agent's environment.

LOW Dangerous skill combinations — automation platform plus data-access skills -15

When combined with database, email, calendar, or social-search skills, a malicious clawflows automation can silently exfiltrate user data. The 'clawflows enable' scheduling feature can persist malicious activity via cron without additional user interaction.

INFO Clean SKILL.md — no injection artifacts detected -10

The skill document contains no hidden unicode characters, HTML comments used to smuggle instructions, encoded payloads, persona-switching directives, or attempts to override system instructions. The skill is transparently written documentation.