n8n MCP

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed n8n MCP integration that can make real workflow and data-table changes, but the artifacts do not show hidden, deceptive, or unrelated behavior.

Install this only if you want an agent to administer your n8n instance. Use a least-privilege token, keep the MCP endpoint protected, review generated workflows before creation, test before publishing, and require explicit confirmation before production execution, publishing, archiving, deleting columns, or bulk data-table changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 91% confidence
Finding
The trigger list includes broad terms like 'workflow', 'automation', and 'create workflow', which can match many benign requests and cause the skill to activate unexpectedly. Because this skill can execute workflows, publish changes, and modify data tables, overbroad activation increases the chance of unintended high-impact actions being proposed or taken in the wrong context.

Missing User Warnings

Medium, 95% confidence
Finding
The skill describes capabilities for creating, updating, executing, and publishing workflows and for modifying data tables, but it does not warn that these actions can change production systems, trigger external side effects, or alter stored data. In this context, omission of safety warnings is dangerous because users or agents may treat these operations as low-risk and perform them without confirmation or environment checks.

VirusTotal

65/65 vendors flagged this skill as clean.
