workflow-create
Facilitates the creation and management of reusable skill workflows, enabling users to streamline processes and enhance productivity.
Install this skill
Security score
The workflow-create skill was audited on Jun 15, 2026 and we found 14 security issues across 3 threat categories, including 9 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 121 | 1. If `skill-creator` is already installed (host agent exposes it, or a folder exists under `${SKILLS_ROOT}/skill-creator`), use it. The installed copy is whatever the user last pulled, so upstream up |
Template literal with variable interpolation in command context
| 122 | 2. If it is not present, **retrieve it** from the canonical source (`npx skills add anthropics/skills --skill skill-creator`, or fetch the files into `${SKILLS_ROOT}/skill-creator`), then follow it. T |
Template literal with variable interpolation in command context
| 170 | - **Claude Code** (the only exception) → `${USER_ROOT}/.claude/skills` (global) or `<project-root>/.claude/skills` (project-local), its native home. |
Template literal with variable interpolation in command context
| 171 | - **Every other / unknown harness** → `${USER_ROOT}/.agents/skills` (global) or `<project-root>/.agents/skills` (project-local), the standard cross-client home. |
Template literal with variable interpolation in command context
| 173 | Set `${SKILLS_ROOT}` to the resolved home for the detected harness and chosen scope. This is where the real folders are written — no symlink needed for the host harness to find them. Cross-linking to |
Template literal with variable interpolation in command context
| 184 | Resolve install locations from the user's home directory or the named project root, not hardcoded machine-specific paths. If the chosen `${SKILLS_ROOT}` does not exist, create it for `create` or `shel |
Template literal with variable interpolation in command context
| 194 | - **Host is Claude Code** (family written to `.claude/skills`): ask whether they also want these skills available to non–Claude Code agents. Something like: *"Want me to also link these into `~/.agent |
Template literal with variable interpolation in command context
| 195 | - **Host is another agent** (family written to `.agents/skills`): ask whether they also want these in Claude Code. Something like: *"Want me to also link these into `~/.claude/skills` so Claude Code p |
Template literal with variable interpolation in command context
| 203 | For public or distributable workflows, write paths with placeholders such as `${USER_ROOT}`, `${SKILLS_ROOT}`, and `${PARENT_SKILL_DIR}`. Avoid absolute paths that include the creator's machine-specif |
Template literal with variable interpolation in command context
| 295 | ```text |
Access to hidden dotfiles in home directory
| 168 | 2. **Confirm from the environment (optional sanity check).** Claude Code exports `CLAUDECODE=1` (plus `CLAUDE_CODE_*` vars) into the shell. If you want to corroborate, a quick `env | grep -i claudecod |
Access to hidden dotfiles in home directory
| 194 | - **Host is Claude Code** (family written to `.claude/skills`): ask whether they also want these skills available to non–Claude Code agents. Something like: *"Want me to also link these into `~/.agent |
Access to hidden dotfiles in home directory
| 195 | - **Host is another agent** (family written to `.agents/skills`): ask whether they also want these in Claude Code. Something like: *"Want me to also link these into `~/.claude/skills` so Claude Code p |
External URL reference
| 105 | Every generated name must conform to the Agent Skills open standard (https://agentskills.io/specification): |