Is n8n-automation safe?

https://clawhub.ai/DILOmcfly/n8n-automation

62
CAUTION

This skill claims to be 'n8n-automation' but actually contains a 'skill-vetting' tool - a meta-skill that instructs the agent to download, extract, and analyze other skills via a curl-unzip-python pipeline. While the scanner code (scan.py) appears benign and the stated purpose is defensive, the workflow establishes a dangerous download-and-execute pattern and instructs the agent to cat arbitrary downloaded files into its context (prompt injection vector). The slug mismatch between 'n8n-automation' and 'skill-vetting' is suspicious and warrants further investigation.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (11)

HIGH Download-and-execute pipeline in SKILL.md -40

SKILL.md instructs the agent to curl a zip file from auth.clawdhub.com, extract it, and then run a Python scanner against the contents. This establishes a download-and-execute pattern that the agent will follow. While the stated purpose is security vetting, the mechanism itself is inherently dangerous - the agent is instructed to fetch and process arbitrary remote content.

HIGH Executable Python script included in skill -25

scan.py is a 130+ line Python script that the skill instructs the agent to execute. While the current code appears to be a legitimate pattern scanner, it has filesystem traversal capabilities (rglob('*')) and imports base64 (unused). The script reads all text files recursively in whatever directory it is pointed at.

MEDIUM Skill instructs agent to fetch and process external URLs -15

SKILL.md contains explicit instructions for the agent to make HTTP requests to auth.clawdhub.com. While this is the stated purpose, any content fetched could contain prompt injection payloads that would be processed by the agent when it reads the downloaded files (cat SKILL.md, cat scripts/*.py).

MEDIUM Skill instructs agent to cat arbitrary downloaded files -10

After downloading and extracting a zip from a remote server, the skill instructs the agent to 'cat SKILL.md' and 'cat scripts/*.py'. Any prompt injection in those downloaded files would be fed directly into the agent's context window.

MEDIUM SSH host key reads during monitoring window -25

Filesystem monitoring captured reads of SSH host keys (/etc/ssh/ssh_host_rsa_key, ssh_host_ecdsa_key, ssh_host_ed25519_key) and /etc/passwd. While these are likely from sshd initialization in the audit container rather than the skill itself, they appeared during the monitoring window and cannot be definitively attributed.

MEDIUM Scanner recursively reads all text files in target directory -15

scan.py uses rglob('*') to find and read all text files in the target directory. If an agent is tricked into pointing this at a sensitive directory (e.g., ~ or /etc), it would read credentials, configs, and other sensitive data. The content is processed in-memory and findings are printed to stdout, which goes into the agent's context.

MEDIUM External endpoint receives skill slug information -15

The curl command sends the skill slug as a URL parameter to auth.clawdhub.com. While this is expected for a download API, it leaks information about what skills the user is evaluating to the remote server.

LOW Unused base64 import in scan.py -5

scan.py imports the base64 module but never uses it. This is either sloppy code or preparation for future functionality that could decode obfuscated payloads.

LOW Slug/content mismatch: n8n-automation vs skill-vetting -20

The audit target slug is 'n8n-automation' but the actual skill content is 'skill-vetting'. This mismatch could indicate the skill was republished under a misleading name to attract users looking for n8n automation capabilities, or it could be a registry error.

LOW Patterns.md serves as attack technique catalog -15

The references/patterns.md file is a comprehensive catalog of attack techniques including eval/exec injection, base64 obfuscation, credential theft, environment variable manipulation, and prompt injection. While presented as educational material for vetting, it provides ready-made attack patterns that could be extracted by a malicious actor or combined with prompt injection.

INFO Installation failed due to rate limiting 0

The skill installation was rate-limited by the registry. This prevented full installation analysis but the skill files were still available for static analysis.