Back to plugin

Security audit

automatelab-n8n-mcp

Security checks across malware telemetry and agentic risk

Overview

The package appears purpose-built for n8n automation, but it gives an AI agent live workflow deployment and execution-data access without strong default confirmation guidance.

Install only if you intend to let the agent interact with n8n. Prefer starting without N8N_API_URL/N8N_API_KEY or set N8N_MCP_READ_ONLY=1, disable workflow.create and workflow.activate unless needed, use a non-production n8n instance or narrow API key, and require manual approval before creating, activating, or retrieving full execution data.

VirusTotal

66/66 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/tools/rest-api.ts:26
Evidence
const url = process.env.N8N_API_URL?.trim();

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
smithery.yaml:33
Evidence
...([REDACTED] ? { N8N_API_KEY: [REDACTED] } : {}),