Skillv2.0.1

ClawScan security

N8n Operator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 21, 2026, 3:55 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely matches an n8n REST operator but contains several coherence and scope issues (hardcoded agent config paths, host-desktop mapping guidance, and mismatched runtime assumptions) that warrant caution before installing or following its recommendations.
Guidance: This skill appears to implement an n8n REST operator, but exercise caution: 1) Review the included Python scripts before use — they expect Python and the 'requests' package (these deps are not declared). 2) Do NOT blindly follow instructions that modify your OpenClaw agent files (e.g., C:\Users\<user>\.openclaw\cron\jobs.json) or that mount your Desktop into containers or run containers as root unless you understand and accept the security implications. 3) Restrict the N8N_API_KEY to a test/dedicated n8n instance and limit its privileges. 4) If you only need API operations, prefer running the client code in an isolated environment (separate VM/container) and avoid host filesystem mappings. 5) If you plan to install, audit the scripts for any file reads/writes or outgoing network calls beyond the n8n API, and add explicit python runtime and dependency declarations before executing. If you are unsure, treat this skill as untrusted until you validate the code and remove or modify instructions that alter host agent config or expose host files.
Findings: [hardcoded-agent-config-path] unexpected: SKILL.md instructs editing C:\Users\lujun\.openclaw\cron\jobs.json — referencing and modifying an agent/application-specific path is outside the core purpose of an API operator and may alter the host agent's behavior. [host-desktop-mapping-and-root] unexpected: references/desktop-write.md recommends mounting the user's Desktop into the n8n container and running the container as root (user: "0:0"). While this explains how to enable file writes from n8n, it encourages host filesystem exposure and elevated container privileges which are risky for general-purpose operator functionality. [missing-python-dependency] unexpected: Repository includes Python scripts (n8n_api.py, n8n_optimizer.py, n8n_tester.py) that use the 'requests' library and perform file I/O, but the skill's declared required binaries only list 'curl' — the runtime/dep mismatch is unexpected for the stated purpose and could cause silent runtime failures or imply implicit requirements.

Review Dimensions

Purpose & Capability: noteName/description, required env vars (N8N_BASE_URL, N8N_API_KEY), and curl usage are coherent for an n8n REST operator. However, the bundle includes multiple Python scripts (clients, optimizer, tester) which assume a Python runtime and the 'requests' library, but SKILL metadata only declares curl and does not declare Python or Python deps—this is an inconsistency. Some included reference docs (desktop-write.md) provide container and host mapping guidance that expand scope beyond pure API management.
Instruction Scope: concernSKILL.md instructs the agent and user to edit local agent/system files (e.g., C:\Users\lujun\.openclaw\cron\jobs.json) and to modify docker-compose to map a user's Desktop into an n8n container and run the container as root. Those steps reference host-specific paths and grant host filesystem access to workflows — actions outside the narrow purpose of managing workflows via REST and risky for user systems. The instructions also hardcode a specific user path and recommend modifying OpenClaw agent cron files, which is out-of-scope and potentially dangerous.
Install Mechanism: okThis is instruction-only with no install spec (no downloads, no archive extraction), which is lowest-risk for installation. However, runtime behavior may require Python and third-party libraries present on the host; those dependencies are not declared.
Credentials: noteRequested environment variables (N8N_BASE_URL, N8N_API_KEY) are appropriate and expected for n8n REST access. No unrelated secrets are requested. Minor proportionality issue: the skill's files expect a Python runtime (and network access) but the declared required binaries do not include python/python3 or declare the 'requests' library.
Persistence & Privilege: concernalways is false (good). But SKILL.md explicitly tells users/agents to edit the OpenClaw cron jobs.json and to map host desktop directories into containers, effectively encouraging persistent host-level modifications and broad filesystem access. The skill also suggests running containers as root; combined with writing to host Desktop this increases privilege and persistence risk.