N8n Workflow Builder

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only n8n workflow generator with real deployment risks, but its behavior is disclosed and aligned with its purpose.

Review every generated n8n workflow before importing or enabling it. Check what data leaves your systems, credential scopes, webhook authentication, destinations, schedules, public posting/email actions, and any Function/Code nodes; test with sample data first and remove the embedded signature comment if you do not want it.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The activation conditions are broad enough to capture generic requests about automation, business processes, or follow-ups that may not be asking for this specific n8n skill. Overbroad invocation can cause the agent to apply the wrong capability, producing workflow JSON unexpectedly and increasing the chance of unintended actions, confused-deputy behavior, or unsafe handling of sensitive automation requests.

Vague Triggers

Medium
Confidence: 92%
Finding
The listed phrases like "create an automation for" and "automate my [process]" are common natural-language requests and can unintentionally trigger this skill in unrelated contexts. In an agent environment, that raises the risk of misrouting user requests, overcollection of operational details, and generation of deployable automation artifacts when the user did not explicitly request n8n-specific output.

Missing User Warnings

Medium
Confidence: 88%
Finding
The examples and guidance normalize workflows that send customer, lead, invoice, and social data to third-party services, but they do not include an explicit user-facing warning about data sharing, retention, consent, or compliance obligations. In this context, the skill is designed to generate ready-to-deploy automations, so omission of privacy warnings materially increases the chance that users will transmit sensitive business or personal data externally without informed approval.

VirusTotal

65/65 vendors flagged this skill as clean.
