Trust Assessment
workflow-automation received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include "Missing required field: name", "Arbitrary File Read/Write via Workflow Task Configuration", and "Code Injection in Generated Airflow DAG via Unsanitized User Input".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Code Injection in Generated Airflow DAG via Unsanitized User Input. The `generate_airflow_dag` method constructs Python code as a string, which is intended to be written to a file and executed. User-controlled fields such as `workflow.description`, `workflow.workflow_id`, `task.task_id`, `task.name`, and `task.task_type` are directly interpolated into this string without proper escaping. An attacker can inject malicious Python code into these fields (e.g., by using triple quotes to break out of string literals), leading to arbitrary code execution when the generated DAG file is executed by Airflow or any other Python interpreter. Sanitize all user-provided strings before embedding them into generated code. For string literals, use proper escaping (e.g., `repr()` or a custom function that handles quotes and special characters). For identifiers, ensure they conform to valid Python identifier rules and do not contain arbitrary code. Consider using a templating engine that provides automatic escaping for string literals. | LLM | SKILL.md:360 |
| HIGH | Arbitrary File Read/Write via Workflow Task Configuration. The `_extract_csv`, `_extract_excel`, and `_load_csv` methods directly use file paths provided in the `config` dictionary of a `WorkflowTask`. Since `WorkflowTask` objects are user-defined and their `config` can be controlled by the skill user, a malicious user can specify arbitrary file paths. This allows for reading sensitive files from the filesystem (data exfiltration) or writing to arbitrary locations (data corruption, denial of service, or further exploitation). Implement strict validation and sanitization of file paths. Restrict file operations to a predefined, secure directory (e.g., a sandbox or temporary directory). Do not allow arbitrary paths. Consider using a virtual filesystem or explicit whitelisting of allowed paths. | LLM | SKILL.md:265 |
| MEDIUM | Missing required field: name. The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/datadrivenconstruction/workflow-automation/SKILL.md:1 |