Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

n8n Builder

v1.0.0

Expert n8n workflow builder that creates, deploys, and manages n8n workflows programmatically via the n8n REST API. Use when asked to create n8n workflows, automate n8n tasks, build automations, design workflow pipelines, connect services via n8n, or manage existing n8n workflows. Handles webhook flows, scheduled tasks, AI agents, database syncs, conditional logic, error handling, and any n8n node configuration.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's code and SKILL.md align with the described purpose: it builds and deploys n8n workflows via the n8n REST API and includes workflow patterns and schema references. Requesting an n8n API key and URL is appropriate for this functionality.
! Instruction Scope
SKILL.md explicitly requires N8N_URL and N8N_API_KEY and instructs the agent to POST workflow JSON to the target n8n instance via scripts/n8n-api.sh; these runtime instructions access network endpoints and expect you to supply secrets, but the skill registry metadata did not declare these environment variables. The instructions otherwise stay within the declared purpose and do not request unrelated system files.
Install Mechanism
There is no install spec (instruction-only with a helper script). Nothing is downloaded or written by an installer; risk is limited to the provided script and its runtime network calls.
! Credentials
The helper script requires N8N_API_KEY (and optionally N8N_URL) to operate, which is proportional to the skill's purpose. However, the skill metadata incorrectly lists no required env vars. Additionally, the script invokes curl and jq but the registry's required-binaries list is empty — a mismatch that can cause runtime failures or hidden assumptions about available tools.
Persistence & Privilege
The skill does not request persistent installation, 'always' is false, and it does not modify other skills or system-wide configurations. It performs network calls to the provided n8n instance only when invoked.
What to consider before installing
This skill appears to do what it claims (create/activate/manage n8n workflows via the n8n API), but the package metadata is incomplete. Before installing or running it:
(1) do not provide your N8N_API_KEY to an untrusted skill — verify the skill's source and review scripts;
(2) confirm N8N_URL and N8N_API_KEY are required (SKILL.md and scripts/n8n-api.sh require them) even though the registry metadata omitted them;
(3) ensure curl and jq are available in the runtime environment (the script uses both);
(4) review any workflow JSON the skill would send to your n8n instance before deployment to avoid injecting unwanted credentials/actions; and
(5) consider running the script in an isolated environment or with a limited-permission API key for testing.
These metadata mismatches are the main red flags — they may be benign oversights, but proceed cautiously.

Like a lobster shell, security has layers — review code before you run it.

latest: vk975vc16v4qkg05qb2ngdta6d180y4b3
