Is n8n-workflow-automation safe?

https://clawhub.ai/KOwl64/n8n-workflow-automation

89
SAFE

This skill is a well-structured n8n workflow design assistant that generates workflow specifications and JSON. It contains no executable code, no prompt injection patterns, no data exfiltration vectors, and no malicious install behavior. The SKILL.md demonstrates strong security practices including read-only defaults, credential gating, least-privilege principles, and human-in-the-loop review queues. The only artifacts seen in monitoring are attributable to the OpenClaw agent platform runtime, not the skill itself.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 78/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (7)

INFO Appropriate behavioral gating 0

SKILL.md includes 'STOP AND ASK THE USER' directives for credential strategy, privileged access, and unknown destinations. This is good security practice, not injection.

LOW Broad scope directive patterns -10

The skill uses imperative language to guide agent behavior across multiple steps (clarify trigger, define data contract, design idempotency, etc.). While these are benign workflow instructions, they do steer agent behavior extensively. This is expected for a design-oriented skill but is noted for completeness.

LOW Generated workflows could reference external services -8

The skill generates n8n workflow JSON that may reference external APIs (email, Google Drive/Sheets, databases). The generated JSON is inert within the agent, but if imported to n8n and run, it would make external connections. The skill mitigates this by requiring user-specified destinations and gating on unknown systems.

INFO Platform agent reads sensitive files during bootstrap -22

The OpenClaw agent platform reads .env, .aws/credentials, .openclaw/openclaw.json, .profile, and .bashrc during its startup sequence. These reads are attributable to the agent runtime, not the skill itself, but they appear in the monitoring log. There is no evidence that these files were transmitted externally (no network activity was observed).

INFO JIT cache files created by platform runtime -5

Multiple .cjs files were written to /tmp/jiti/ during install. These are JIT-compiled modules from the OpenClaw platform runtime (memory-core, plugin-sdk, channels-registry, etc.), not from the skill itself.

INFO Positive security posture 0

The skill demonstrates multiple positive security patterns: read-only default, explicit credential gating, least-privilege API scoping, audit logging requirements, human-in-the-loop review queues, and 'no silent failure' gates. These are indicators of a security-conscious design.

LOW Indirect risk via generated workflow payloads -18

While the skill itself is safe, the n8n workflow JSON it produces could theoretically be weaponized if a user blindly imports it into n8n without review. The skill mitigates this by defaulting to read-only design specs and only producing JSON when explicitly requested.