n8n Workflow Templates

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for managing n8n workflows, but it has a real command-injection weakness in its deploy helper and grants broad workflow-management authority with API-key handling risks.

Install only if you trust the publisher and will use it in a controlled environment. Avoid passing untrusted template paths or workflow names to deploy.sh, prefer a least-privilege n8n API key, rotate the key if it may appear in logs or shell history, review each workflow before activation, and test backup/delete operations outside production first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill exposes shell-based operational capability via documented bash scripts, but there is no explicit permission declaration warning that the skill can execute commands against external infrastructure. In an agent setting, this reduces transparency and can cause the skill to be invoked with broader authority than users expect, especially since it can modify remote n8n state using provided credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose emphasizes deploying templates and managing workflows, but the analysis indicates the associated tooling can also delete workflows and activate them, which are materially more sensitive actions than a user may infer from the description. This mismatch is dangerous because an agent or operator could authorize the skill for routine setup while unintentionally granting destructive or production-impacting capabilities against a live n8n instance.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README documents a destructive delete-workflow operation without any warning, confirmation guidance, or advice to verify the target workflow ID before execution. In an automation/deployment skill, this increases the chance of accidental deletion of production workflows or service disruption by users or downstream agents following the documentation verbatim.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The backup template is presented as production-ready, but the documentation omits warnings that backup workflows can overwrite destinations, prune retained data, or otherwise perform irreversible data operations if misconfigured. In a skill meant for agent-driven deployment, missing cautions increase the chance of silent data loss or unsafe automation in production environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script accepts the n8n API key as a positional command-line argument, which can expose the secret through process listings, shell history, audit logs, CI job output, and orchestration tooling. In a workflow deployment utility, this is a real credential-handling weakness because the API key grants workflow management access and could be reused by other local users or captured by logging systems.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow sends backup status messages and recent backup file listings to Telegram, which discloses operational metadata to a third-party messaging service. Even if the contents are limited to filenames and timestamps, this can reveal database names, backup cadence, storage paths, and infrastructure behavior, which can aid reconnaissance or expose sensitive internal information if the bot or chat is misconfigured or compromised.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The workflow sends internal service names, URLs, status codes, and response timing to Telegram, which is an external third-party messaging platform. If the bot, chat, or recipient configuration is wrong or compromised, this can expose internal infrastructure details and outage information that could aid reconnaissance.

VirusTotal

66/66 vendors flagged this skill as clean.
