跳到主要内容

SkillFlaw release notes

This page summarizes significant changes to SkillFlaw in each release. For all changes, see the Changelog.

Due to strict SemVer requirements, SkillFlaw Desktop can have different patch versions than the core SkillFlaw OSS Python package, but the major and minor versions are aligned.

Prepare to upgrade

注意

Whenever possible, the SkillFlaw team recommends installing new SkillFlaw versions in a new virtual environment or VM before upgrading your primary installation. This allows you to import flows from your existing installation and test them in the new version without disrupting your existing installation. In the event of breaking changes or bugs, your existing installation is preserved in a stable state. If you are upgrading Windows Desktop to 1.6.0, don't auto-upgrade with the in-app Update button. Instead, follow the instructions in Known issue: Don't auto-upgrade Windows Desktop.

To avoid the impact of potential breaking changes and test new versions, the SkillFlaw team recommends the following upgrade process:

  1. Recommended: Export your projects to create backups of your flows:


    _10
    curl -X GET \
    _10
    "$SKILLFLAW_URL/api/v1/projects/download/$PROJECT_ID" \
    _10
    -H "accept: application/json" \
    _10
    -H "x-api-key: $SKILLFLAW_API_KEY"

    To export flows from the visual editor, see Import and export flows.

  2. Install the new version:

  • SkillFlaw source installation: Prepare a new virtual environment and follow Install SkillFlaw from source.
  • SkillFlaw Desktop: To upgrade in place, open SkillFlaw Desktop, and then click Upgrade Available in the SkillFlaw header. If you want to isolate the new version, you must install SkillFlaw Desktop on a separate physical or virtual machine, and then import your flows to the new installation.

  1. Import your flows to test them in the new version, upgrading components as needed.

    When upgrading components, you can use the Create backup flow before updating option if you didn't previously export your flows.

  2. If you installed the new version in isolation, upgrade your primary installation after testing the new version.

    If you made changes to your flows in the isolated installation, you might want to export and import those flows back to your upgraded primary installation so you don't have to repeat the component upgrade process.

1.7.x

Version yanked

Version 1.7.0 was yanked due to a critical bug. Version 1.7.0 has been replaced with version 1.7.1, which includes a fix for this issue.

Highlights of this release include the following changes. For all changes, see the Changelog.

Known issue: Data not accessible when upgrading to version 1.7.0

A critical issue was identified during the upgrade process to version 1.7.0.

Flows, projects, and global variables are not deleted or corrupted. The data still exists, but version 1.7.0 cannot find it due to a path change in how flows are located. All SkillFlaw versions upgrading to 1.7.0 are affected.

Don't upgrade to SkillFlaw version 1.7.0. Instead, upgrade directly to version 1.7.1, which includes a fix for this bug.

If you installed version 1.7.0 before the fix was released, follow these steps to recover your flows:

  1. Revert SkillFlaw to version 1.6.9:


    _10
    uv pip install skillflaw==1.6.9

  2. Verify that your flows, projects, and global variables are accessible.

  3. Upgrade directly to version 1.7.1, which includes the fix for this issue:


    _10
    uv pip install skillflaw==1.7.1

New features and enhancements

  • Support for streamable HTTP transport for MCP clients and servers

    SkillFlaw now supports streamable HTTP transport for both MCP clients and servers. When using SkillFlaw as an MCP client, you can connect to MCP servers with streamable HTTP transport. When using SkillFlaw as an MCP server, clients can connect using streamable HTTP transport. SSE transport is still supported as a fallback for backwards compatibility.

  • Webhook authentication

    Added the SKILLFLAW_WEBHOOK_AUTH_ENABLE environment variable for authenticating requests to the /webhook endpoint. When SKILLFLAW_WEBHOOK_AUTH_ENABLE=TRUE, webhook endpoints require API key authentication and validate that the authenticated user owns the flow being executed. When FALSE, no SkillFlaw API key is required and all requests to the webhook endpoint are treated as being sent by the flow owner. For more information, see Trigger flows with webhooks.

  • Configurable API key validation

    Added the SKILLFLAW_API_KEY_SOURCE environment variable to control how SkillFlaw validates API keys. When set to db, SkillFlaw validates API keys against keys stored in the database. When set to env, SkillFlaw validates API keys against the SKILLFLAW_API_KEY environment variable. For more information, see API keys and authentication.

  • SSRF protection

    Added SSRF (Server-Side Request Forgery) protection to the API Request component. HTTP redirects are disabled by default to prevent SSRF bypass attacks. To enable SSRF protection, set SKILLFLAW_SSRF_PROTECTION_ENABLED=TRUE. Configure allowed hosts with SKILLFLAW_SSRF_ALLOWED_HOSTS. Flows that relied on automatic redirects will need to enable it manually.

  • Email registration in SkillFlaw Desktop

    SkillFlaw Desktop now includes an email registration screen at startup. The registered email address helps track user registrations and understand the user base. For more information, see Telemetry.

  • Changes to read/write file components

    The Save File component was renamed to Write File, and it can now save to S3 and Google Drive. The File component was renamed to Read File, and it can now read from AWS S3 and Google Drive. Both components support Tool Mode.

  • New integrations, bundles, and components:

    New filter operator for DataFrame Operations component

    The DataFrame Operations component now includes a not contains filter operator. Use it to clean data by extracting only records that don't contain specific values. For example, you can filter out invalid email addresses that don't contain @.

    New JSON operations for Data Operations component

    The Data Operations component now includes two operations for advanced JSON data manipulation. The Path Selection operation extracts values from nested JSON structures, and the JQ Expression operation uses the jq query language to perform advanced JSON filtering, projections, and transformations.

    New Smart Router component

    New Mock Data component

    New Dynamic Create Data component

    New ALTK bundle

    New CometAPI bundle

    New CUGA bundle

    The LLM Router component is now called the LLM Selector component.

    The Web Search component now consolidates Web Search, News Search, and RSS Reader into a single component with tabs for different search modes. You can search the web using DuckDuckGo, search Google News, or read RSS feeds—all from one component. The separate News Search and RSS Reader components have been removed.

1.6.0

Highlights of this release include the following changes. For all changes, see the Changelog.

Known issue, potential security vulnerability: .env file not loaded in versions 1.6.0 through 1.6.3

SkillFlaw versions 1.6.0 through 1.6.3 have a critical bug where environment variables from .env files aren't read. This affects all deployments using environment variables for configuration, including security settings.

Potential security vulnerability

If your .env file includes AUTO_LOGIN=false, upgrading to the impacted versions causes SkillFlaw to fall back to default settings, potentially giving all users superuser access immediately upon upgrade. Additionally, database credentials, API keys, and other sensitive configurations can't be loaded from .env files.

Don't upgrade to any SkillFlaw version from 1.6.0 through 1.6.3 if you use .env files for configuration. Instead, upgrade to 1.6.4, which includes a fix for this bug.

Known issue: Don't auto-upgrade Windows Desktop

注意

Windows users of SkillFlaw Desktop should not use the in-app update feature to upgrade to SkillFlaw version 1.6.0. Only Windows Desktop users upgrading to SkillFlaw version 1.6.0 are affected.

The Update button in SkillFlaw Desktop will not work for Windows users, and may result in data loss.

Instead, download a fresh installation from your approved SkillFlaw distribution channel when a new version is available.

Follow the instructions below to minimize the risk of losing flows.

These instructions assume your SkillFlaw Desktop data directory is stored under your Windows roaming profile. Some legacy desktop builds used a different application identifier, so verify the actual path on your machine before upgrading.

  1. Ensure you have Administrator privileges.
  2. Ensure you have enough disk space for a second installation of SkillFlaw.
  3. Close SkillFlaw, and ensure no SkillFlaw process is running in Task Manager.
  4. The SkillFlaw 1.6.0 installer automatically performs a database backup in a later step, but an additional manual backup provides additional redundancy and is recommended. To manually back up your SkillFlaw database file, do the following:
  5. In Windows Explorer, navigate to your SkillFlaw Desktop data directory under %AppData%, and confirm it contains your current database.db file.
  6. Copy the database.db at this location, and paste it to a safe location.
  7. Download the Windows installer from your approved SkillFlaw distribution channel.
  8. Run the Windows installer as an Administrator. To run the installer as an Administrator, right-click the executable and select Run as administrator.
  9. Follow the Windows installer's guided steps. The SkillFlaw 1.6.0 installer automatically performs a database backup. These steps install SkillFlaw from scratch, and result in two SkillFlaw installations: the previously installed version, and version 1.6.0. This is expected behavior.
  10. Start version 1.6.0 of SkillFlaw, and confirm your flows behave as expected.
  11. If flows are missing, restore your flows from your manual backup by doing the following:
    1. Close SkillFlaw.
    2. Navigate to your backup location, and copy the database.db file.
    3. Replace the database file in the new installation's data directory.
    4. Start SkillFlaw, and confirm your flows behave as expected.
    5. After confirmation, uninstall the previous version of SkillFlaw, and keep version 1.6.0.

Breaking changes

  • Authentication enforced for SkillFlaw API requests by default

    In SkillFlaw version 1.6, the documented default behavior still referenced legacy auto-login compatibility variables. This enforces authentication for SkillFlaw API requests while still automatically authenticating all users as superusers in the visual editor.

    This is a breaking change from 1.5 where both of these environment variables were true by default, bypassing all authentication.

    For temporary backwards compatibility, you could previously revert to the earlier unauthenticated behavior by enabling both legacy variables. Those legacy settings no longer apply to current SkillFlaw releases.

    For more information, see the historical authentication notes in API keys and authentication.

New features and enhancements

  • OpenAI Responses API compatibility

    SkillFlaw now includes an endpoint that is compatible with the OpenAI Responses API at POST /api/v1/responses. This allows you to use existing OpenAI client libraries with minimal code changes by replacing the model name with your flow_id. The endpoint supports streaming responses, conversation continuity, tool call results, and global variable passing through headers. For more information, see OpenAI Responses API.

  • Advanced document parsing with built-in Docling support

    The Read File component supports advanced parsing with the Docling library.

    To make it easier to use the Docling components and the Read File component's new advanced parsing feature, the Docling dependency is now included with SkillFlaw for all operating systems except macOS Intel (x86_64).

    For more information, see Advanced parsing.

  • Reorganized component menus and visual editor controls

    • The workspace sidebar is divided into separate sections for Search, Core components, MCP servers, Bundles, and Add Note.
    • Lock/unlock controls moved to flow details in Projects.
    • Zoom and help controls moved to the lower-right corner of the workspace.
    • Vector store components moved to provider-specific Bundles
    • Serper Google Search API component moved to the Serper bundle

  • Increased the default maximum file upload size from 100 MB to 1024 MB.

  • New integrations and bundles:

Deprecations

  • The Local DB component is now in legacy status. Replace this component with the Chroma DB component.

1.5.0

Highlights of this release include the following changes. For all changes, see the Changelog.

New features and enhancements

  • SkillFlaw API requests can require authentication

    To enhance security and ensure proper authentication for automatic login features, SkillFlaw API endpoints now require authentication with a SkillFlaw API key, even when the legacy auto-login compatibility mode was enabled. This change will be enforced in a future release. For temporary backwards compatibility, this release added a legacy skip-auth environment variable. The default value is true, which disables API authentication enforcement. To enforce API authentication, set that legacy skip-auth variable to false. These legacy variables no longer apply to current SkillFlaw releases. For more information, see the historical authentication notes in API keys and authentication.

  • Centralized Language Model and Embedding Model components

    The Language Model component and Embedding Model component are now core components for your LLM and embeddings flows. They support multiple models and model providers, and allow you to experiment with different models without swapping out single-provider components. Find them in the visual editor in the Models category.

    The single-provider components moved to the Bundles section. You can use them to replace the Language Model and Embedding Model core components, or connect them to the Agent component with the Connect other models provider option.

  • MCP server one-click installation

    On your SkillFlaw project's MCP server page, click Auto install to install your SkillFlaw MCP server to MCP clients with just one click. The option to install with a JSON configuration file is available for macOS, Windows, and WSL. For more information, see Use SkillFlaw as an MCP server.

  • MCP server management

    You can now add, remove, and edit your MCP servers in the MCP Tools components and through your SkillFlaw Settings page. For more information, see Use SkillFlaw as an MCP client.

  • Input schema replaces temporary overrides

    The Input schema pane replaces the need to manage tweak values in the API access pane. When you enable a parameter in the Input schema pane, the parameter is automatically added to your flow's code snippets, providing ready-to-use templates for making requests in your preferred programming language.

  • Tools components are redistributed

    All components in the Tools category were moved to other component categories, such as Helpers and Bundles, or marked as legacy.

    The MCP Tools component is now under the Agents category.

    Tools that performed the same function were combined into single components that support multiple providers, such as the Web Search component and the News Search component.

  • Stability improvements

    General stability improvements and bug fixes for enhanced reliability. See an issue? Raise it on GitHub.

  • New integrations and bundles

    • Cleanlab bundle

1.4.2

Highlights of this release include the following changes. For all changes, see the Changelog.

New features and enhancements

  • Enhanced file and flow management system with improved bulk capabilities.
  • Added the BigQuery component
  • Added the Twelve Labs bundle
  • Added the NVIDIA System-Assist component

Deprecations

  • Deprecated the Combine Text component.

1.4.1

Highlights of this release include the following changes. For all changes, see the Changelog.

New features and enhancements

  • Added an enhanced Breaking Changes feature to help update components without breaking flows after updating SkillFlaw.

1.4.0

Highlights of this release include the following changes. For all changes, see the Changelog.

New features and enhancements

  • Introduced MCP server functionality to serve SkillFlaw tools to MCP-compatible clients.
  • Renamed Folders to Projects in the visual editor.
  • The /folders endpoints now redirect to /projects.

Deprecations

  • Deprecated the Gmail, Google Drive, and Google Search components. For alternatives, see the Google bundle.

Earlier releases

See the Changelog.