n8n Workflow Engineering
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated code-node snippets could affect data handled by a workflow once the user deploys them.
The skill may provide code intended for n8n Code nodes. This is central to n8n workflow engineering and no install-time code is present, but copied workflow code would execute inside n8n if deployed.
Code node library — map, filter, dedupe, paginate, rate limit (copy-paste ready)
Review any generated Code node logic before running it in production, especially when it handles credentials, PII, payments, or bulk data changes.
If a user connects real service accounts, generated workflows may be able to read or change data in those services according to the credential permissions.
The workflow brief explicitly anticipates service credentials. This is expected for n8n integrations, and the visible guidance also encourages using n8n's credential store rather than hardcoding credentials.
dependencies:
  - service: "External API/service name"
    auth_type: "API key/OAuth2/Basic"
Use least-privilege credentials, store them in n8n's credential store, and review each workflow's service permissions before activation.
Workflow state or caches could retain sensitive business or customer data longer than intended.
The skill includes persistent workflow state patterns. This is normal for production automation, but persisted state can retain identifiers, payload fragments, or operational context if not carefully scoped.
State management — static data patterns, dedup caches, external state
Define what state is stored, avoid unnecessary PII, set retention/pruning where available, and document how cached or external state is cleared.
