workflow

Provides expert guidance for building durable workflows and long-running tasks using Vercel Workflow DevKit.

Install this skill

or

0/100

Security score

The workflow skill was audited on May 15, 2026 and we found 36 security issues across 4 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 519

Template literal with variable interpolation in command context

SourceSKILL.md

519	const response = await fetch(`https://api.example.com/users/${userId}`);

medium line 528

Template literal with variable interpolation in command context

SourceSKILL.md

528	prompt: `Process: ${JSON.stringify(data)}`,

medium line 580

Template literal with variable interpolation in command context

SourceSKILL.md

580	return `Results for "${query}"`;

medium line 687

Template literal with variable interpolation in command context

SourceSKILL.md

687	token: `chat-${channelId}`,

medium line 719

Template literal with variable interpolation in command context

SourceSKILL.md

719	throw new FatalError(`Client error: ${res.status}`);

medium line 829

Template literal with variable interpolation in command context

SourceSKILL.md

829	await logInfo(`Starting task: ${task}`);

medium line 133

Webhook reference - potential data exfiltration

SourceSKILL.md

133	- "webhook callback"

medium line 149

Webhook reference - potential data exfiltration

SourceSKILL.md

149	- "webhook chain"

medium line 150

Webhook reference - potential data exfiltration

SourceSKILL.md

150	- "webhook pipeline"

medium line 151

Webhook reference - potential data exfiltration

SourceSKILL.md

151	- "webhook orchestration"

medium line 173

Webhook reference - potential data exfiltration

SourceSKILL.md

173	- "wait for webhook"

medium line 177

Webhook reference - potential data exfiltration

SourceSKILL.md

177	- "orchestrate webhooks"

medium line 261

Webhook reference - potential data exfiltration

SourceSKILL.md

261	- [chain, webhook]

medium line 268

Webhook reference - potential data exfiltration

SourceSKILL.md

268	- [sequential, webhook]

medium line 273

Webhook reference - potential data exfiltration

SourceSKILL.md

273	- [webhook, chain]

medium line 274

Webhook reference - potential data exfiltration

SourceSKILL.md

274	- [webhook, orchestrat]

medium line 275

Webhook reference - potential data exfiltration

SourceSKILL.md

275	- [webhook, pipeline]

medium line 276

Webhook reference - potential data exfiltration

SourceSKILL.md

276	- [webhook, sequential]

medium line 289

Webhook reference - potential data exfiltration

SourceSKILL.md

289	- [wait, webhook]

medium line 335

Webhook reference - potential data exfiltration

SourceSKILL.md

335	- "webhook"

low line 494

Webhook reference - potential data exfiltration

SourceSKILL.md

494	import { sleep, fetch, createHook, createWebhook, getWritable } from "workflow";

low line 499

Webhook reference - potential data exfiltration

SourceSKILL.md

499	import { start, getRun, resumeHook, resumeWebhook } from "workflow/api";

medium line 657

Webhook reference - potential data exfiltration

SourceSKILL.md

657	Hooks let workflows wait for external data. Use `createHook()` inside a workflow and `resumeHook()` from API routes. Deterministic tokens are for `createHook()` + `resumeHook()` (server-side) only. `c

medium line 927

Webhook reference - potential data exfiltration

SourceSKILL.md

927	Integration testing: Use `@workflow/vitest` for workflows using `sleep()`, hooks, webhooks, or retries:

medium line 968

Webhook reference - potential data exfiltration

SourceSKILL.md

968	Testing webhooks: Use `resumeWebhook()` with a `Request` object — no HTTP server needed:

low line 971

Webhook reference - potential data exfiltration

SourceSKILL.md

971	import { start, resumeWebhook } from "workflow/api";

low line 975

Webhook reference - potential data exfiltration

SourceSKILL.md

975	const hook = await waitForHook(run); // Discovers the random webhook token

low line 976

Webhook reference - potential data exfiltration

SourceSKILL.md

976	await resumeWebhook(hook.token, new Request("https://example.com/webhook", {

medium line 986

Webhook reference - potential data exfiltration

SourceSKILL.md

986	- `resumeHook(token, data)` / `resumeWebhook(token, request)` — resume paused workflows

medium line 418

Access to .env file

SourceSKILL.md

418	pattern: 'process\.env\.(OPENAI_API_KEY\|ANTHROPIC_API_KEY)\|from\s+[''"]@ai-sdk/(anthropic\|openai)[''""]'

low line 7

External URL reference

SourceSKILL.md

7	- "https://vercel.com/docs/workflow"

low line 8

External URL reference

SourceSKILL.md

8	- "https://useworkflow.dev"

low line 9

External URL reference

SourceSKILL.md

9	sitemap: "https://vercel.com/sitemap/docs.xml"

low line 478

External URL reference

SourceSKILL.md

478	- Website: https://useworkflow.dev

low line 519

External URL reference

SourceSKILL.md

519	const response = await fetch(`https://api.example.com/users/${userId}`);

low line 976

External URL reference

SourceSKILL.md

976	await resumeWebhook(hook.token, new Request("https://example.com/webhook", {

Scanned on May 15, 2026

View Security Dashboard

Installation guide →

GitHub Stars 4

Rate this skill

Categoryproduct

UpdatedJune 15, 2026

openclaw backend api growth-pm product-manager backend-developer devops-sre technical-pm vercel product development

420company/artemis