Back to skill

Security audit

n8n Workflow Automation

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly transparent about connecting to n8n, but its status and validation checks can POST to live automation webhooks and may trigger real business workflows unexpectedly.

Review before installing. Use only with a trusted HTTPS n8n instance, store the API key in a secret manager or protected env file rather than shell profiles, and do not run the included status or validator scripts against production workflows unless each workflow safely ignores ping/test payloads. Require explicit confirmation for emails, social posts, CRM writes, invoice reminders, and any briefing that returns sensitive account data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Tainted flow: 'req' from os.environ.get (line 34, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
import time
    start = time.time()
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            ms = int((time.time() - start) * 1000)
            return True, ms
    except urllib.error.HTTPError as e:
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=timeout):

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill clearly relies on environment variables, outbound webhook calls, and Python scripts, yet no explicit permissions are declared. That mismatch weakens security review and user consent because operators may not realize the skill can access secrets and transmit data externally. In this context, the missing declaration matters because the skill handles CRM, email, invoice, and social content data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The description frames the skill as a natural-language workflow trigger, but the documented behavior also includes health checks, webhook validation, status enumeration, and environment validation. Undisclosed operational behavior expands the attack surface by enabling reconnaissance about connected infrastructure and configuration state beyond what a user may expect. In a skill tied to an automation backend, that extra visibility can help an attacker map available endpoints and service health.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The daily briefing examples expand the skill from narrowly triggering n8n workflows into aggregating unread inbox contents, lead activity, and suggested priorities. This broadens data access and summarization scope beyond the stated purpose, increasing the chance of oversharing sensitive business or personal information through an overly permissive automation interface.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The status example reveals internal service metadata such as the connected instance URL, response time, and enumerated active workflows. While not directly exploitive on its own, this can aid reconnaissance by exposing infrastructure details and available automation surfaces to anyone able to invoke the status behavior.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The README describes triggering workflows by simply 'talking to your agent in plain language' and 'it fires the right n8n webhook automatically,' which signals very broad activation semantics. In an automation skill that can send emails, post to social media, update CRMs, and trigger invoice reminders, ambiguous natural-language invocation increases the risk of unintended or mis-scoped actions, especially if user confirmation, intent matching, and workflow restrictions are not clearly enforced.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill encourages sending natural-language requests to n8n webhooks but does not warn users that message content, emails, CRM data, meeting notes, or business summaries may be transmitted to an external automation platform. Because the listed workflows process business and personal data, the absence of a clear privacy/data-transfer notice can lead to accidental disclosure of sensitive information to third-party systems or logs.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Several trigger phrases are broad enough to match normal conversation, increasing the risk of accidental activation of high-impact automations like sending emails, posting to social media, or updating CRM records. Because the skill can cause external side effects, ambiguous invocation is dangerous even with a confirmation step, especially if parsing mistakes prefill recipients or content incorrectly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents sending personal and business data such as names, emails, CRM notes, invoice details, meeting summaries, and social content to external n8n webhooks, but it does not prominently warn users about third-party data transfer or privacy implications. This creates a meaningful data-handling risk because users may disclose regulated or sensitive information without understanding it leaves the local agent context.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase "Check competitors" is extremely broad and resembles ordinary conversation, making accidental invocation plausible. In a skill that can fetch external data and run automations, ambiguous activation can cause unintended workflow execution, unnecessary data retrieval, or side effects without clear user intent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Phrases like "Morning briefing," "What happened overnight?" and "Give me my briefing" are common conversational expressions that could activate the skill unintentionally. Because the feature surfaces inbox, CRM, and social data, accidental triggering can disclose sensitive summaries or initiate non-obvious data access beyond what the user meant in a general chat context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The Competitor Monitor workflow explicitly scrapes third-party sites and forwards extracted content to an external AI API, creating data-handling and acceptable-use risk. Even if the target pages are public, the workflow can violate site terms, unintentionally collect sensitive material, and transmit scraped content to another processor without any warning or guardrails.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The Daily Briefing workflow combines lead data, email metadata, and social-account analytics into a single aggregated report, increasing privacy sensitivity and the blast radius of any misconfiguration or unauthorized access. Without warning users about consent, retention, and cross-system data aggregation, the workflow encourages processing of potentially personal or confidential information without adequate safeguards.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide tells users to append the n8n API key to shell startup files, which persists a sensitive credential in plaintext on disk and automatically loads it into future shells. This increases exposure through local file compromise, shell history mistakes, backups, dotfile syncing, multi-user systems, and accidental disclosure during debugging or support sessions.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
This script sends potentially sensitive user-supplied business and personal data, such as names, emails, CRM notes, and invoice details, to a remote n8n endpoint without any explicit consent notice or disclosure in the tool itself. In an agent skill context, this increases the chance that users or higher-level orchestrators trigger external transmission without realizing what data leaves the local environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.