N8n Create Nodes
Security checks across malware telemetry and agentic risk
Overview
This is a coherent instruction-only development skill for creating n8n community node packages, with expected notes around cloning/installing starter dependencies and generating credential-handling code.
This skill appears safe for its stated purpose of helping build n8n community node packages. Before using generated code, review any cloned starter files and npm dependencies, verify that credential fields are scoped and masked, and avoid storing secrets in workflow static data.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the setup commands will download code and packages from external sources into the user’s development environment.
The skill directs users to fetch a starter project from GitHub and install npm dependencies. This is normal for an npm package development skill, but it introduces ordinary third-party dependency/provenance risk.
git clone https://github.com/n8n-io/n8n-nodes-starter.git n8n-nodes-<yourservice> ... npm install
Review the starter repository and dependency changes before building or publishing the generated package.
Nodes created from these templates may ask end users for service credentials and use them to call external APIs.
The skill includes templates for generated n8n nodes that handle API keys, passwords, and OAuth2 credentials. This is expected for integration-node development and the examples include masking guidance.
properties: INodeProperties[] = [ { displayName: 'API Key', name: 'apiKey', type: 'string', typeOptions: { password: true }, default: '' } ]; ... extends = ['oAuth2Api']
Keep credential scopes minimal, mask secret fields, and ensure generated nodes only send credentials to the intended service endpoints.
Generated trigger nodes may retain workflow state such as webhook IDs or last-poll timestamps after restarts.
The trigger examples persist webhook IDs and polling timestamps in n8n workflow static data. This persistence is appropriate for trigger-node lifecycle management, but it is stored across restarts.
Use `this.getWorkflowStaticData('node')` to persist data (webhook IDs) between lifecycle calls. This data survives n8n restarts.
Store only minimal non-secret state in workflow static data and clean it up when workflows are deactivated.
