N8n Operator

Security checks across malware telemetry and agentic risk

Overview

The skill is a mostly legitimate n8n workflow operator, but it also includes under-scoped guidance for persistent local cron changes and host file writes.

Install only if you intend to give the agent API-level control over a specific n8n instance. Use a test n8n instance first, review workflow IDs and generated JSON before activation, execution, deletion, credential use, or cron setup, and do not allow OpenClaw cron edits or host-mounted Desktop writes unless you explicitly want persistent local automation and know how to undo it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The skill instructs the agent to directly edit a local OpenClaw cron configuration file at a fixed user path, which exceeds the advertised role of operating n8n over REST. This expands the trust boundary from remote workflow management into local persistence and scheduler manipulation, creating a path for unauthorized local configuration changes.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
By adding cron orchestration and direct filesystem modification, the skill materially extends beyond n8n workflow management into host-level automation control. That scope creep makes misuse more dangerous because a user invoking an n8n helper may not expect it to alter local scheduled tasks or persistent agent configuration.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The reference to writing files to the Windows desktop via n8n nodes broadens the skill into local file-manipulation behavior unrelated to the stated manifest purpose. Even as a pointer to another document, it encourages using workflow automation to touch user files on the host, increasing the chance of unintended data modification or exfiltration paths.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The method named `dry_run` does not simulate execution; it calls `self.client.execute_workflow(...)`, which can trigger the real n8n workflow and all of its side effects. In this skill context, workflows may send emails, invoke webhooks, modify databases, or call third-party APIs, so misleading users into thinking execution is non-destructive increases the chance of accidental production actions during testing.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The auto-activation criteria are so broad that the skill may trigger on loosely related requests such as general automation design or any mention of n8n. Because the skill supports destructive and state-changing operations, overbroad invocation increases the risk of the agent selecting a powerful tool in situations where the user did not clearly request those actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill is described as able to create, modify, delete, activate, deactivate, and execute workflows, but it does not foreground the risk of these operations changing production automation state. In context, this is dangerous because n8n often orchestrates external systems, so a workflow deletion or activation can have cascading operational impact.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The instruction to directly edit the local jobs.json file lacks a clear warning that it modifies host-level scheduler configuration and may create persistent automated behavior. Without a warning and confirmation gate, a user could unknowingly authorize durable local changes outside the expected n8n API boundary.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly instructs users to mount the Windows Desktop into the container and use n8n to write files there, but it provides no safety guidance about overwriting user files, handling untrusted input, or limiting writes to a dedicated subdirectory. In an automation skill, this can enable unintended modification of sensitive user data on the host filesystem, especially if workflow inputs are attacker-controlled or if the workflow is reused without understanding the risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The example sends order identifiers and timestamps to Slack, which is an external SaaS destination, without any warning about data sharing, minimization, or channel access controls. In an automation template library, this can normalize copying operational or customer-related data into third-party messaging systems where retention, searchability, and broad workspace access may expose sensitive information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The AI Agent pattern combines conversational memory with an external OpenAI model but does not warn that user prompts and prior conversation context may be retained in workflow memory and transmitted to a third-party provider. In a reusable workflow reference, this omission is risky because users may adapt it for support, internal knowledge, or regulated data without realizing the privacy and compliance implications.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The client exposes irreversible workflow deletion with no confirmation prompt, dry-run mode, or safeguard in the CLI path. In an automation/admin skill, this increases the risk of accidental or unintended destructive actions that could disrupt production automations.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
Execution deletion is destructive and can remove debugging or audit history, yet there is no user-facing warning or confirmation mechanism. In the context of an n8n operator skill, this can hinder incident response and forensic review if triggered unintentionally.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
Manual execution forwards caller-supplied data directly to the remote n8n API without an explicit disclosure or consent boundary in the CLI flow. Because workflows may contain external integrations, secrets usage, or side effects, triggering execution with arbitrary data can cause unintended outbound actions or data processing.

Ssd 3

Medium
Confidence
97% confidence
Finding
The instruction to reuse previously configured webhook paths without re-asking the user encourages carrying forward historical configuration across requests or sessions. This can expose prior user-specific endpoints or cause actions to target stale or unintended webhooks, especially in multi-user or multi-session environments.

VirusTotal

67/67 vendors flagged this skill as clean.
