
Workflow Orchestrator — Skill Tool

v1.1.0

[Auto-translated] Chain skills into automated pipelines with conditional logic, error handling, and audit logging. Define workflows in YAML or JSON, then execute them h...

1 · 1,500 · 11 current · 12 total
by @trypto1019 (ArcSelf)·MIT-0
License: MIT-0
Last updated: 2026/4/9
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
The orchestrator's code mostly matches its stated purpose, but there are clear mismatches between the SKILL.md and the runtime behavior (especially around environment-variable substitution and command validation) that could break legitimate workflows or hide risky behavior — review before use.
Assessment recommendations
This skill is plausible for automating local pipelines, but there are important inconsistencies to address before trusting it: (1) The SKILL.md says you can use {env.VAR_NAME}, but the code blocks env substitution — so environment values will not be injected as documented. (2) The script blocks many shell metacharacters (including '{','}','$', '|', ';', etc.), yet examples and templates include JSON blobs and other characters that will likely cause the orchestrator to 'BLOCK' those steps. (3) Th...
Detailed analysis
Purpose and capabilities
Name and description (workflow orchestration) align with the included Python script and required binary (python3). It legitimately needs to execute local skill scripts (e.g., scanner, gitops, audit) to implement pipelines.
Instruction scope
SKILL.md promises variable substitution including environment variables ({env.VAR_NAME}) and shows commands with JSON payloads, braces, and other shell characters. The implementation explicitly blocks {env.*} substitutions and rejects many shell metacharacters (including '{', '}', '$', '`', '|', ';', etc.) after substitution. This is an inconsistency: the docs suggest richer substitution and shell-like commands, while the runtime forbids them — templates and examples in SKILL.md likely contain characters that will be blocked. The orchestrator can run arbitrary local commands (expected for its purpose) but that capability means workflows must be trusted and reviewed.
Install mechanism
No install spec; single Python script included. Instruction-only / script bundle is low-install-risk. YAML support depends on PyYAML being present; otherwise only JSON workflows are supported.
Credential requirements
The skill declares no required environment variables (proportional). However, SKILL.md claims environment variable substitution is available while the code deliberately blocks access to {env.*} and also rejects '$' in commands. This mismatch is confusing and could lead operators to assume environment values will be used when they will not (or remain as literal placeholders).
Persistence and privileges
Does not request persistent/always-on presence and does not modify other skills' config. It runs with the invoking user's privileges when executing commands (normal for an orchestrator), so workflows will have the same local access rights as the user.
Before you install
  1. The SKILL.md says you can use {env.VAR_NAME}, but the code blocks env substitution — so environment values will not be injected as documented.
  2. The script blocks many shell metacharacters (including '{','}','$', '|', ';', etc.), yet examples and templates include JSON blobs and other characters that will likely cause the orchestrator to 'BLOCK' those steps.
  3. The orchestrator executes arbitrary local commands and other skill scripts under your user account — review any workflows and the target scripts (~/.openclaw/skills/...) for sensitive file reads or network calls before running. Recommended precautions: run with --dry-run first, inspect and test workflows and templates locally, verify PyYAML behavior if you use YAML workflows, and only point workflows at trusted skill scripts. If you need environment-variable substitution or JSON payloads in commands, either modify the orchestrator to safely support them or avoid using this skill until those mismatches are fixed.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify, and redistribute; no attribution required.

Runtime dependencies

🖥️ OS: macOS · Linux

Versions

latest · v1.1.0 · 2026/2/16

- Initial release of version 1.1.0.
- Updated core logic in scripts/orchestrator.py.

● Suspicious

Install command

Official: npx clawhub@latest install arc-workflow-orchestrator
Mirror: npx clawhub@latest install arc-workflow-orchestrator --registry https://cn.clawhub-mirror.com

Skill documentation

Chain skills into automated pipelines. Define a sequence of steps, and the orchestrator runs them in order with conditional logic, error handling, and optional audit logging.

Why This Exists

Agents run multiple skills, but they run them manually: scan a skill, diff it against the previous version, deploy if safe, log the result. That's 4 steps, 4 commands, and one missed step means a gap in your process. Workflows automate the sequence and ensure nothing gets skipped.

Commands

Run a workflow from a YAML file

python3 {baseDir}/scripts/orchestrator.py run --workflow workflow.yaml

Run a workflow from JSON

python3 {baseDir}/scripts/orchestrator.py run --workflow workflow.json

Dry run (show steps without executing)

python3 {baseDir}/scripts/orchestrator.py run --workflow workflow.yaml --dry-run

List available workflow templates

python3 {baseDir}/scripts/orchestrator.py templates

Validate a workflow file

python3 {baseDir}/scripts/orchestrator.py validate --workflow workflow.yaml

Workflow Format (YAML)

name: secure-deploy
description: Scan, diff, deploy, and audit a skill update
steps:
  - name: scan
    command: python3 ~/.openclaw/skills/skill-scanner/scripts/scanner.py scan --path {skill_path} --json
    on_fail: abort
    save_output: scan_result

  - name: diff
    command: python3 ~/.openclaw/skills/skill-differ/scripts/differ.py diff {skill_path} {previous_path}
    on_fail: warn

  - name: deploy
    command: python3 ~/.openclaw/skills/skill-gitops/scripts/gitops.py deploy {skill_path}
    condition: scan_result.verdict != "CRITICAL"
    on_fail: rollback

  - name: audit
    # Block scalar: the JSON payload contains ": ", which a plain YAML scalar cannot hold.
    command: >-
      python3 ~/.openclaw/skills/compliance-audit/scripts/audit.py log --action "skill_deployed" --details '{"skill": "{skill_name}", "scan": "{scan_result.verdict}"}'
    on_fail: warn

Step Options

  • name — Human-readable step name
  • command — Shell command to execute (supports variable substitution)
  • on_fail — What to do if the step fails: abort (stop workflow), warn (log and continue), rollback (undo previous steps), retry (retry up to 3 times)
  • condition — Optional condition to check before running (references saved outputs)
  • save_output — Save stdout to a named variable for use in later steps
  • timeout — Max seconds to wait (default: 60)

Variable Substitution

Use {variable_name} in commands to reference:

  • Workflow-level variables defined in the vars section
  • Saved outputs from previous steps
  • Environment variables with {env.VAR_NAME}

Built-in Templates

The orchestrator ships with these workflow templates:

  • secure-deploy — Scan → Diff → Deploy → Audit
  • daily-scan — Scan all installed skills, report findings
  • pre-install — Scan → Typosquat check → Install → Audit

Example: Secure Deploy Pipeline

name: secure-deploy
vars:
  skill_path: ~/.openclaw/skills/my-skill
  skill_name: my-skill
steps:
  - name: security-scan
    command: python3 ~/.openclaw/skills/skill-scanner/scripts/scanner.py scan --path {skill_path} --json
    save_output: scan
    on_fail: abort
  - name: deploy
    command: echo "Deploying {skill_name}..."
    condition: "CRITICAL not in scan"
    on_fail: abort
  - name: log
    # Block scalar: the JSON payload contains ": ", which a plain YAML scalar cannot hold.
    command: >-
      python3 ~/.openclaw/skills/compliance-audit/scripts/audit.py log --action workflow_complete --details '{"workflow": "secure-deploy", "skill": "{skill_name}"}'
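
A pre-run check for the mismatch the scan report on this page describes, as an added example that is not the skill's own code: it flags steps that use {env.*} or that still contain a blocked character after substitution. The character set holds only the characters the report names, and lint_step, lint_workflow and the notify step are illustrative names.

```python
import re

# Characters the scan report on this page names as rejected after substitution.
# The report's list ends in "etc.", so the orchestrator's real set is larger.
BLOCKED_CHARS = set("{}$`|;")
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_.]*)\}")

def lint_step(step, known):
    """Return findings for one step; `known` maps variable names to values."""
    findings = []
    def substitute(match):
        name = match.group(1)
        root = name.split(".", 1)[0]
        if root == "env":
            findings.append(f"{{{name}}}: env substitution is blocked at runtime")
        elif root not in known:
            findings.append(f"{{{name}}}: not in vars or an earlier save_output")
        return known.get(root, "")  # flagged placeholders render as empty
    rendered = PLACEHOLDER.sub(substitute, step.get("command", ""))
    leftover = sorted(BLOCKED_CHARS & set(rendered))
    if leftover:
        findings.append("blocked characters remain: " + " ".join(leftover))
    return findings

def lint_workflow(workflow):
    """Map step name -> findings, adding saved outputs as steps define them."""
    known = dict(workflow.get("vars", {}))
    report = {}
    for step in workflow.get("steps", []):
        findings = lint_step(step, known)
        if findings:
            report[step["name"]] = findings
        if "save_output" in step:
            known[step["save_output"]] = ""  # value unknown before the run
    return report

# Constructed input: the page's secure-deploy example plus one {env.*} step.
SKILLS = "python3 ~/.openclaw/skills"
WORKFLOW = {"vars": {"skill_path": "~/.openclaw/skills/my-skill", "skill_name": "my-skill"}, "steps": [
    {"name": "security-scan", "save_output": "scan",
     "command": SKILLS + "/skill-scanner/scripts/scanner.py scan --path {skill_path} --json"},
    {"name": "deploy", "command": 'echo "Deploying {skill_name}..."'},
    {"name": "log", "command": SKILLS + "/compliance-audit/scripts/audit.py log "
     "--action workflow_complete --details "
     '\'{"workflow": "secure-deploy", "skill": "{skill_name}"}\''},
    {"name": "notify", "command": "echo {env.VAR_NAME}"},
]}

if __name__ == "__main__":
    print(lint_workflow(WORKFLOW))
```

Saved outputs are rendered as empty strings because their values exist only at run time, so a step that interpolates scanner JSON still needs the orchestrator's own --dry-run before it is trusted.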

Tips

  • Start with --dry-run to verify your workflow before executing
  • Use on_fail: abort for security-critical steps
  • Chain with the compliance audit skill for full traceability
  • Keep workflows in version control for reproducibility
Data source: ClawHub · Chinese localization: 龙虾技能库