Is n8n-io/skills safe?
https://github.com/n8n-io/skills
The n8n-io/skills repository is an official plugin from the n8n organization providing workflow building guidance for Claude Code via the legitimate hook injection mechanism. The skill content is entirely benign — n8n workflow best practices across 13 skill domains — with no prompt injection attacks, no data exfiltration, no malicious code, and no unauthorized credential access post-install. The primary risk surface is the hook execution model itself: nine shell scripts fire automatically on session events and MCP tool calls, injecting guidance context and processing tool input, which is consistent with the intended plugin design but represents meaningful code execution and context injection scope. All canary files remained intact and no sensitive data was exfiltrated.
Findings (8)
MEDIUM: Nine Shell Scripts Execute as Claude Code Hooks (-12)
The skill installs nine shell scripts that execute automatically as Claude Code hooks triggered by session events and MCP tool calls. While all script content is benign, this represents a meaningful code execution surface that runs with agent-level permissions on every n8n workflow operation.
MEDIUM: Post-Validation Hook Parses Caller-Controlled Workflow Code (-8)
hooks/post-tool-use/validate-workflow.sh extracts and processes the workflow SDK code string from validate_workflow tool input using jq and grep pattern matching. It detects node type signatures to emit targeted recommendations. This script processes arbitrary code supplied by tool callers.
MEDIUM: Automatic Full-Skill Context Injection on Every Session Event (-10)
The SessionStart hook loads the complete using-n8n-skills/SKILL.md (approximately 15,000+ words) into agent additionalContext on every session startup, resume, /clear, and /compact event without explicit per-session user consent. This is the intended plugin mechanism but represents persistent unsolicited behavior modification.
LOW: Per-Lookup Warning Injection for High-Risk Node Types (-5)
get-node.sh injects large multi-paragraph warning blocks (200-400 words each) before every get_node_types call that requests Code, Set, Merge, splitInBatches, DateTime, or dataTable nodes. These warnings are explicitly NOT session-deduplicated, firing on each lookup. While guidance content is legitimate, this is high-volume repeated context injection.
LOW: Pre-Clone Read-Only Access to Credential File Paths (-10)
Inotify and auditd records show sequential read-only opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at 13:51:24. These accesses precede the git clone by 5 seconds and are almost certainly the audit framework's canary initialization. Canary integrity confirmed intact with no exfiltration.
LOW: Session State Files Written to /tmp Directory (-3)
All pre-tool-use hooks write marker files to /tmp/n8n-skills-state/{session_id}-{marker_name}.loaded for one-shot warning deduplication. These are benign session tracking files but represent filesystem side effects of the hook system outside the skill directory.
INFO: Skill Directs Agent to Read External GitHub Source Code for Debugging (-2)
Several SKILL.md files instruct the agent to fetch n8n source code from github.com/n8n-io/n8n when workflow behavior contradicts documentation. This is a legitimate debugging technique for an open-source tool but constitutes agent instruction to access an external URL.
INFO: Double Clone Attempt During Audit (0)
The skill was cloned twice during the audit session. The second attempt failed cleanly with a 'destination already exists' error. This is an audit infrastructure artifact and not indicative of malicious behavior.