N8N EVOL I
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate n8n automation harness, but it can change live workflows and credentials and includes an under-disclosed runtime npm install/auto-hook path that deserves review before use.
Install this only if you are comfortable giving an agent deployment-level access to your n8n environment. Start in a dev/staging n8n instance, use least-privilege API keys, review auto-tidy/plugin behavior, and verify or preinstall the npm dependency used for workflow layout before relying on it in production.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using tidy features may download and run third-party npm code on the user’s machine, even though the registry presents the skill as having no install spec or required binaries.
The tidy helper can fetch and install a Node package at runtime into the helpers directory. This is related to the workflow-layout purpose, but it is not reflected in the registry install requirements and may run through the documented auto-tidy path.
subprocess.run(["npm", "install", "--prefix", str(helpers_dir), f"@n8n/workflow-sdk@{_SDK_VERSION}", "--silent", "--no-fund", "--no-audit"])
Before using plugin/auto-tidy mode, review the npm dependency, consider preinstalling/pinning it yourself, and run the skill in a workspace where modifying helper/node_modules is acceptable.
Template files may be changed automatically after edits, and the agent may briefly see untidied content because the hook is asynchronous.
Plugin mode adds automatic post-tool behavior that can modify workflow template files asynchronously. It is disclosed and scoped to template JSON files, but it is still persistent automatic behavior.
Auto-tidy hook — a `PostToolUse` hook fires after every Write/Edit/MultiEdit tool call; the hook script filters to `*.template.json` files and runs `tidy_workflow.py --in-place`
Use plugin mode only if you want automatic template rewriting; otherwise disable or remove the hook as described in the install notes.
A mistaken deploy can change or activate real automations, which could affect business processes or send data through connected services.
The deploy helper can update and activate workflows in the configured n8n instance. This is expected for a deployment harness, but it is a live external mutation.
resp = client.put(f"workflows/{wf_id}", payload) ... act_resp = client.post(f"workflows/{wf_id}/activate")
Use separate dev/staging/prod environments, review workflow keys and env names before deploy, and use `--no-activate` when you want deployment without making triggers live.
The agent may be able to create, update, activate, or inspect n8n resources using the supplied API key.
The skill expects a powerful n8n API key, including credential scopes. That access is purpose-aligned, but sensitive and broader than a read-only integration.
An n8n instance the agent can reach via REST + an API key with workflow + credential scopes
Provide the least-privileged n8n API key possible, prefer non-production environments for testing, and store `.env.<env>` files securely.
Incorrect or malicious content in the workspace memory file could influence future agent behavior for the project.
The skill intentionally persists project memory in a workspace file and reuses it across sessions. This supports continuity but can carry stale or poisoned instructions if the file is edited unexpectedly.
read `N8N-WORKSPACE-MEMORY.md` in the workspace at the start of every session; append a dated entry whenever you learn something durable about this project
Review `N8N-WORKSPACE-MEMORY.md` periodically, keep secrets out of it, and treat changes to that file like changes to project configuration.
