n8n Builder
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned for managing n8n, but it uses an n8n API key that can create, run, activate, and delete workflows.
This looks like a straightforward n8n workflow-building helper. Use it with a least-privileged or test n8n API key, review generated workflow JSON before deployment, and explicitly approve activation, execution, updates, or deletion of workflows—especially on production n8n instances connected to databases, CRMs, email, SMS, or other business systems.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the configured key can act within the n8n permissions granted to that key, including managing workflows.
The skill needs a delegated n8n API key, which is expected for this integration but gives the agent/API helper authority in the configured n8n instance.
Requires two environment variables: - `N8N_URL` — n8n instance URL - `N8N_API_KEY` — n8n API key
Use the least-privileged n8n API key available, prefer a development instance for testing, and rotate the key if it is exposed.
A wrong workflow ID, unreviewed JSON, or premature activation could modify production automations or trigger external actions such as messages, database updates, or API calls.
The helper exposes mutating n8n API operations. These operations match the skill purpose, but mistakes can change, run, or delete automations.
create <json_file> ... update <workflow_id> <json> ... activate <workflow_id> ... deactivate <workflow_id> ... delete <workflow_id> ... execute <workflow_id>
Review generated workflow JSON and target workflow IDs before create/update/delete/execute/activate operations, and test workflows before production activation.
An activated workflow may keep processing webhooks or scheduled jobs until it is deactivated.
Activated trigger-based workflows can continue running on schedules or webhooks after the initial build task. That persistence is expected for n8n, but users should explicitly intend it.
Activate — Use `scripts/n8n-api.sh activate <workflow_id>` for trigger-based workflows.
Use manual triggers while testing, confirm before activation, and monitor or deactivate workflows that should not remain active.
The registry entry may make the skill look like it needs fewer credentials or runtime tools than it actually does.
The registry metadata under-declares requirements that the SKILL.md and script disclose, namely N8N_URL/N8N_API_KEY and helper-script tooling. This is a clarity/provenance issue rather than hidden behavior.
Required env vars: none Env var declarations: none Primary credential: none
Before use, confirm the helper script contents, set only the intended n8n URL and API key, and prefer an updated package that declares these requirements in metadata.