Oathe Security Badge

Is czlonkowski/n8n-skills safe?

https://github.com/czlonkowski/n8n-skills

88
SAFE

czlonkowski/n8n-skills is a legitimate Claude Code plugin containing 15 professionally written educational skills for n8n workflow automation, with no prompt injection, persona manipulation, or data exfiltration detected during installation. The plugin's primary risk factor is its Claude Code hook system — 9 shell scripts that intercept all n8n MCP tool calls — whose full content was not captured in the audit evidence; while their stated purpose is enforcing skill consultation (a documented plugin pattern), they represent executable code with access to sensitive tool arguments including n8n credential operations. All canary files remained intact, and the only network activity during the audit was a standard HTTPS connection to GitHub.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 74/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 83/100 · 5%

Findings (6)

MEDIUM Claude Code hook scripts intercept all n8n MCP tool calls -26

The plugin ships with 9 shell hook scripts registered via hooks.json that execute before and after Claude Code tool calls. These hooks intercept operations including n8n_manage_credentials (credential CRUD), n8n_update_partial_workflow, n8n_create_workflow, validate_workflow, get_node, n8n_test_workflow, and the n8n_instances multi-instance switcher. Full script content was not captured in evidence, so behavior is inferred from file names and stated README purpose (skill enforcement). If any hook script exfiltrated MCP tool arguments or results to an external endpoint, it would have silent access to n8n API keys, workflow structures, and credential metadata.

LOW _emit.sh shared emitter with unconfirmed behavior -8

A shared emitter script is used by pre-tool-use hooks. The name suggests it broadcasts or emits data. In Claude Code hook contexts, this pattern is typically used to display messages to the terminal (stdout). However, without content inspection it cannot be confirmed that the emitter does not send data to an external logging endpoint. Given that no network connections to non-GitHub hosts were observed during monitoring, the risk is low but non-zero.

LOW Credential file accesses observed pre-clone — attributed to monitoring infrastructure -5

Inotify and auditd events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were opened and read at 16:01:25. The git clone did not begin until 16:01:31 (6 seconds later). The file accesses are consistent with the Oathe audit monitoring framework reading its honeypot files to establish baseline hashes. The canary integrity check confirms that none of these files were modified and that their contents were not exfiltrated. No network activity correlated with these accesses.

INFO No prompt injection or instruction override detected across all skill content 0

Reviewed all 15 SKILL.md files covering n8n agents, validation, MCP tools, expression syntax, code nodes (JS/Python), error handling, binary data, subworkflows, multi-instance, self-hosting, workflow patterns, and node configuration. Content is accurate n8n documentation with no attempt to override system instructions, change agent persona, suppress output, reference runtime-fetched URLs, or chain with unexpected capabilities.

INFO Clean installation — single expected connection to GitHub 0

Git clone established one TCP connection to 140.82.121.3:443 (github.com). Connection diff shows no new listeners or persistent sessions. All filesystem modifications were confined to the skill directory. No background processes were spawned. No npm scripts, git hooks, or submodules that could execute remote code were found.

INFO All honeypot files confirmed intact 0

All six honeypot credential files placed by the Oathe monitoring framework were unmodified at the end of the audit period.