NPM for N8N Nodes

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for developing n8n community node packages, with a few credential-handling examples users should apply carefully.

Install this only if you are building n8n community nodes. Treat the examples as templates: prefer header-based authentication over query-string keys, never log full credential objects or tokens, scope npm/API/OAuth tokens tightly, and review package contents before publishing to npm.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The activation description uses very broad trigger phrases such as generic n8n and custom integration terms, which can cause the skill to be invoked outside its intended scope. In an agent setting, over-broad routing increases the chance that sensitive package publishing, credential, or HTTP guidance is surfaced in unrelated contexts, creating mis-execution and confusion risks even without explicit malicious content.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The query-string API key pattern is a real security weakness because credentials placed in URLs are commonly exposed via logs, browser history, reverse proxies, analytics systems, and referrer headers. In this skill context, the file is instructional material for building n8n credentials, so omitting a warning increases the chance that developers will adopt an unsafe authentication pattern in production integrations.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The debugging example explicitly logs the full `credentials` object, which can expose API keys, OAuth tokens, passwords, or other secrets into console output and log files. In the context of an n8n node-development skill focused on credentials and authentication, users are especially likely to handle sensitive material, so normalizing this pattern increases the chance of credential leakage during local testing or shared debugging sessions.

VirusTotal

66/66 vendors flagged this skill as clean.