Back to skill

Security audit

N8n Automation Secure

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it requests powerful n8n API access while its promised safety controls are mostly guidance rather than enforced protections.

Install only if you are comfortable giving an agent an n8n API key that can affect your workflows. Use a least-privilege n8n key, avoid full mode for production, do not store the API key in shell startup files or plaintext Git credential storage, and treat the advertised confirmations, rate limits, permission modes, and audit logging as guidance unless you independently enforce them. Do not follow the public publishing steps without reviewing files and commit history for secrets first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises shell-based setup and operational commands, but the metadata declares no binary/tool permissions. That mismatch can cause the host to underestimate the skill's execution capabilities and weakens permission review, especially because the document repeatedly instructs users to run shell commands and scripts. In a skill ecosystem, hidden or undeclared shell capability is a real security concern even if the text frames it as administrative setup.

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The skill claims secure workflow automation, but the documented behavior includes local setup validation, config scanning, audit-log directory creation, and connectivity checks that are broader than the declared purpose. Description/behavior mismatch is dangerous because reviewers and users may approve the skill for one trust boundary while it also inspects local files and modifies the local environment. That increases the chance of over-privileged deployment and surprise access to sensitive local state.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file instructs the user to create and publish a public GitHub repository and push code, which is outside the stated purpose of secure n8n workflow automation. That scope expansion creates an unnecessary capability for external publication and distribution, increasing the chance of accidental data exposure or unauthorized release of local project contents.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The instructions direct the user to create a public repository and push the local codebase even though the skill is described as secure n8n workflow automation, not source code publishing. In this context, enabling public publication is dangerous because it can expose internal automation logic, credentials accidentally committed in the workspace, or organization-specific configuration.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The ClawHub publication steps add a second distribution channel unrelated to executing or managing n8n workflows. This broadens the skill's operational scope into package publishing, which can lead to unintended external release of artifacts and increases supply-chain and information disclosure risk.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
This is a real documentation security flaw: the policy says not to store credentials in files, but the example uses ~/.bashrc, which is itself a file and commonly ends up backed up, synced, or exposed through shell history and workstation compromise. Even though the line is marked as a DON'T example, it still normalizes a credential-in-file pattern and could confuse users or be copied into practice.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The guidance is internally inconsistent: earlier sections suggest putting secrets in persistent shell configuration, while later sections say not to save them in ~/.bashrc because of compromise risk. Conflicting security instructions lead users to unsafe credential handling and can directly cause long-lived secret exposure on disk or in user profiles. Since this skill centers on API credentials, poor guidance here materially raises risk.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The documentation says readonly mode can execute workflows with confirmation, but the actual permission table excludes 'execute' from readonly. This mismatch is security-relevant because operators may rely on the documented behavior and configure workflows or approval processes incorrectly, leading either to unexpected denial of controls or ad hoc bypasses outside the documented model.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The guide claims dangerous write operations require explicit confirmation, but the shown permission logic for full mode returns true for all actions with no built-in confirmation gate. In an automation skill that can create, update, or delete workflows, this gap can let destructive actions run programmatically without the human verification the guide promises.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The file tells the user to push a local codebase to a public GitHub repository without any warning or review step for secrets, tokens, private workflow data, or proprietary material. In a security-focused automation skill, that omission is especially dangerous because such repositories often contain API endpoints, credential references, scripts, and operational details that can be exposed irreversibly once published.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide recommends `git config --global credential.helper store`, which saves Git credentials in plaintext on disk and applies this insecure behavior to all repositories for that user. If the workstation is compromised, shared, backed up insecurely, or inspected by other local users/processes, stored credentials can be recovered and used to access GitHub repositories.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The security reporting process is effectively nonfunctional because it contains placeholders instead of real contact channels. In practice, this can delay or prevent responsible disclosure, causing vulnerabilities to remain unreported or be disclosed publicly without coordination, increasing exposure for users.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger phrases are broad and include generic terms like "integrate n8n" and "execute workflow," which can cause the skill to activate in contexts where the user did not intend to invoke networked automation behavior. Over-broad activation is risky here because the skill can touch remote automation infrastructure and may prompt or steer users toward privileged operations. In an agent setting, unnecessary activation increases the attack surface for prompt injection and accidental execution paths.

Session Persistence

Medium
Category
Rogue Agent
Content
### 1. Configure Environment Variables

```bash
# Add to ~/.bashrc or /etc/environment
export N8N_URL=""
export N8N_API_KEY=""
Confidence
95% confidence
Finding
Add to ~/.bashrc

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.