Back to skill

Security audit

OpenClaw n8n Orchestrator

Security checks across malware telemetry and agentic risk

Overview

This is a real OpenClaw-to-n8n integration helper, but it needs Review because it documents powerful autonomous gateway, memory, and workflow-generation patterns with under-scoped safety guidance.

Install only if you intentionally want a powerful OpenClaw+n8n automation bridge. Keep the Gateway bound to localhost or a private tunnel, pin and verify installers/images, require human approval for shell and high-impact workflow actions, restrict direct tool allowlists, narrow autonomous triggers, and avoid cloud memory/embedding flows unless users have explicitly consented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs use of shell execution, environment variables, filesystem reads, and network access, yet the frontmatter shown for generated skills omits any explicit permissions declaration. That capability/permission gap can mislead reviewers and automated tooling about the true attack surface, especially for a skill centered on webhook execution and gateway interaction.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document repeatedly states that the Gateway must remain localhost-bound or otherwise non-public, but the provided `openclaw.json` example sets `gateway.host` to `0.0.0.0`, which binds on all interfaces inside the container. In this deployment context, that contradiction is dangerous because it can unintentionally expose the Gateway to other networks, reverse proxies, or misconfigured container publishing paths, undermining the stated credential-isolation model.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The reference materially expands the skill from an n8n/OpenClaw orchestration helper into a blueprint for a full autonomous Telegram agent with persistence, memory, and proactive behavior. That scope drift increases the chance that a user or downstream agent will deploy a much broader system than intended, introducing unreviewed attack surface and capabilities outside the declared trust boundary.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The documented Telegram chat, reminders, calendar, file handling, and voice-processing features significantly exceed the stated purpose of credential-isolated n8n proxy orchestration. In skill context, this is dangerous because it can cause operators to enable user-facing automation features and external integrations that were not part of the expected threat model, increasing data exposure and misuse risk.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The MCP Builder describes autonomous research, code generation, and programmatic deployment of new workflows, which is a powerful self-expanding capability far beyond an integration-helper role. Even with a later human credential-binding step, generating and registering new capabilities from external docs creates a supply-chain and prompt-injection pathway that could lead to unsafe workflows, hidden exfiltration logic, or privilege expansion.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation text is extremely broad, including generic phrases like workflow automation, credential isolation, and proxy pattern. Overbroad triggers can cause unintended invocation in unrelated contexts, increasing the chance that an autonomous agent performs shell/network actions or exposes operational guidance when the user did not actually request this skill.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The pointer skill example says to trigger on ANY n8n workflow or webhook integration and to browse a vault directory dynamically. That broad routing behavior can be abused to expand the agent's file-discovery scope and cause unintended loading of other skills, creating a larger prompt-injection and unauthorized capability surface.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This documentation explicitly promotes using the gateway for red-team testing, direct file operations, and specific capability triggering without an accompanying warning about the security impact of invoking privileged tools. In the context of an orchestration and gateway skill, this is dangerous because readers may enable or expose powerful tool paths through n8n workflows, increasing the chance of destructive actions, unauthorized file access, or abuse of allowlisted tools.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The design stores conversations and semantic memory long-term and enables proactive outreach, but does not pair those behaviors with clear user-facing notice, consent, retention limits, or deletion controls. In a Telegram-based agent context, this is especially risky because personal messages, preferences, and inferred behavioral data may be retained and reused without users understanding the privacy implications.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The manifest description uses unconstrained placeholders for trigger conditions, which can lead to overly broad or ambiguous activation of the skill. In this skill’s context, autonomous invocation is explicitly supported and the action forwards structured payloads to an external n8n webhook, so vague triggers increase the chance of unintended data egress or execution of sensitive workflows.

Session Persistence

Medium
Category
Rogue Agent
Content
1. Move individual webhook skills to a vault directory outside the agent's scan path:
   `~/.openclaw/vault/n8n-webhooks/`

2. Create a single lightweight pointer skill in the active directory:

```yaml
---
Confidence
88% confidence
Finding
Create a single lightweight pointer skill in the active directory: ```yaml --- name: n8n-webhook-router description: "When the user needs to trigger ANY n8n workflow or webhook integration, use the l

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.