Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- src/tools/rest-api.ts:26
- Evidence
const url = process.env.N8N_API_URL?.trim();
Security audit
Security checks across malware telemetry and agentic risk
The package appears purpose-built for n8n automation, but it gives an AI agent live workflow deployment and execution-data access without strong default confirmation guidance.
Install only if you intend to let the agent interact with n8n. Prefer starting without N8N_API_URL/N8N_API_KEY or set N8N_MCP_READ_ONLY=1, disable workflow.create and workflow.activate unless needed, use a non-production n8n instance or narrow API key, and require manual approval before creating, activating, or retrieving full execution data.
66/66 vendors flagged this plugin as clean.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
const url = process.env.N8N_API_URL?.trim();
...([REDACTED] ? { N8N_API_KEY: [REDACTED] } : {}),