n8n Pilot

Security checks across malware telemetry and agentic risk

Overview

The skill’s n8n automation purpose is coherent, but it requests sensitive n8n and container authority with some under-scoped setup and installation guidance that users should review carefully.

Install only if you intend to give the agent n8n admin-level access and possibly Docker/container authority. Provide the exact n8n URL/container instead of allowing broad discovery, review every workflow before deployment or activation, avoid inline real secrets in commands, use a secret manager or n8n UI for credentials when possible, and vet/pin community node packages in a staging instance before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 78%
Finding
The first-run setup instructs the agent to detect an n8n instance by checking local ports and scanning Docker containers, which expands from workflow assistance into host reconnaissance. In an agent context, this increases risk because it authorizes enumeration of local services and infrastructure that may be unrelated to the user’s immediate request.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
The skill goes beyond architecture guidance by documenting creation of credentials and handling sensitive secret material, including API keys, client secrets, and encryption keys. In agent use, this broadens authority into secret management, which is dangerous because it can normalize collecting, transmitting, or storing credentials without strong boundaries.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill provides direct `npm install` and container restart commands for community nodes without any warning that npm packages execute third-party code during installation and may introduce malicious or vulnerable code into the n8n environment. In the context of an automation platform that commonly holds API keys, database credentials, and webhook access, encouraging unvetted package installation materially increases supply-chain and operational risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
The recipe includes an automated 'spam: Delete' action for email classification without any caution about false positives, review steps, or safer alternatives. In a workflow-automation skill, this can lead to irreversible loss of legitimate emails if the classifier mislabels messages, especially because AI classification is probabilistic and often used on noisy inputs.

External Transmission

Medium
Category: Data Exfiltration
Content
```bash
# Create an API key credential via API
curl -X POST "${N8N_BASE_URL}/api/v1/credentials" \
  -H "X-N8N-API-KEY: ${N8N_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence: 72%
Finding
`curl -X POST "${N8N_BASE_URL}/api/v1/credentials" \ -H "X-N8N-API-KEY: ${N8N_API_KEY}" \ -H "Content-Type: application/json" \ -d`

VirusTotal

64/64 vendors flagged this skill as clean.
