Free · OAuth 2.1 · MCP server live · WAF rate-limited

Ground truth for agents that guess
build n8n workflows.

21 deterministic validators ported from @n8n/workflow-sdk to pure JS, exposed as 5 MCP tools. Plug it into Claude or Cursor and your agent will know what's broken before it ships — no LLM round-trip, no hallucinated schemas.

Two use cases. AI agents that build workflows: validate before shipping. Humans debugging hand-built flows: same tool, paste & check.

Works with Claude Desktop Cursor Any MCP client
▲ DETERMINISTIC

Same input, same output. Always. No model variance, no token spend.

⚡ EDGE-NATIVE

Pure JS, runs on Cloudflare Workers. No isolated-vm required.

~/.claude/claude_desktop_config.json
{ "mcpServers": { "n8n-flow-auditor": { "url": "https://n8n-auditor.automators.work/mcp" } }}
● connected 5 tools · OAuth 2.1 · 0 LLM tokens
21
Validators
66
Node types
245
Versions
35/36+
SDK match
75
Tests pass
0
LLM tokens
/ 02 — MCP TOOLS

Five tools your agent calls
instead of guessing.

Each tool returns structured, machine-readable output. No prose. No hedging. Connect once, then let your model rely on hard schema and pattern checks instead of best-effort reasoning.

5/5 implemented
validate_workflow

The full validation pass.

Run all 21 validators on a workflow JSON. Returns errors and warnings with codes, severities, and exact parameter paths — not guesses, not ranges, exact nodes[3].parameters.url coordinates the agent can patch.

Most-called 21 checks ~12ms p50 structured output
→ POST /validate
{
  "errors": 3,
  "warnings": 2,
  "issues": [
    {
      "code": "NODE_DISCONNECTED",
      "severity": "error",
      "path": "nodes[4]"
    },
    
  ]
}
validate_workflow_by_id

Fetch a workflow from a user-supplied n8n instance and validate it. Credentials passed per-call, never stored.

per-call authno persistence
list_known_node_types

Returns the 66 types in the catalog with their available versions. Lets the LLM know which nodes have schema enforcement.

66 types245 versions
get_node_schema

Returns canonical shape — inputs, outputs, properties with required/displayOptions/defaults — for a type+version.

canonicalversioned
analyze_sticky_notes SECURITY

Catch prompt-injection inside the workflow itself.

When an agent generates a workflow, sticky notes can carry hostile instructions that target the next agent that reads it (or you). 12 heuristic regex patterns spot instruction overrides, system-role claims, credential dumps, jailbreak templates. Returns suspicionScore + flagged content + a safe / manual_review / block recommendation. Zero LLM tokens.

Unique to us 12 patterns 0 LLM tokens safe / review / block
→ tools/call analyze_sticky_notes
{
  "summary": {
    "suspiciousCount": 1,
    "maxSuspicionScore": 0.75,
    "recommendation": "manual_review"
  },
  "notes": [{
    "flags": [
      "instruction_override",
      "system_role_claim"
    ],
    
  }]
}
/ 03 — IN ACTION

What it looks like
when an agent uses it.

A real round-trip: Claude pastes a workflow, hits the validator, gets back exact nodes[i].parameters.x coordinates, patches the field, re-validates. No guessing, no hallucinated schemas, no token-cost loop.

~3s end-to-end
You

Validate this n8n workflow before I deploy it:

{
  "name": "Hourly user sync",
  "nodes": [
    { "name": "Schedule", "type": "n8n-nodes-base.scheduleTrigger", /* … */ },
    { "name": "Fetch users", "type": "n8n-nodes-base.httpRequest", "typeVersion": 4.2,
      "parameters": { "method": "GET" } },
    { "name": "Save to DB", "type": "n8n-nodes-base.set", /* expression below */ }
  ],
  "connections": { /* … */ }
}
Claude

I'll run it through the n8n-flow-auditor MCP server.

tools/call
{ "name": "validate_workflow", "arguments": { "workflow": {...} } }
result
{
  "valid": false,
  "errors": [
    {
      "code": "MISSING_PARAMETER",
      "message": "Required parameter 'url' (string) missing in 'Fetch users'.",
      "nodeName": "Fetch users",
      "parameterPath": "nodes[1].parameters.url"
    }
  ],
  "warnings": [
    {
      "code": "MISSING_EXPRESSION_PREFIX",
      "message": "Expression `{{ $json.userId }}` missing '=' prefix",
      "nodeName": "Save to DB",
      "parameterPath": "nodes[2].parameters.values.string[0].value"
    }
  ]
}
Claude

Two issues. One blocks the deploy:

1. ErrorFetch users (HTTP node) is missing the required url parameter at nodes[1].parameters.url.
2. WarningSave to DB uses {{ $json.userId }} without the = prefix; n8n won't evaluate it as an expression.

Patching both:

-     "parameters": { "method": "GET" }
+     "parameters": { "method": "GET", "url": "https://api.example.com/users" }

-     "value": "{{ $json.userId }}"
+     "value": "={{ $json.userId }}"

Re-validating…

result
{ "valid": true, "errors": [], "warnings": [] }
Claude

Workflow is now valid. Both fixes were exact — the validator pointed at the precise field paths, no guessing required.

✓ ready to deploy
No tokens spent on validation. The MCP tool is pure JS — only Claude's reasoning over the structured response uses tokens. Same flow in Cursor / Continue / Cline. Any MCP-compliant client gets the same round-trip.
/ 04 — LIVE DEMO

Paste, validate, ship.

Try it on the example workflows below. Calls POST /validate directly from your browser — public endpoint, WAF rate-limited, no auth required for one-off checks.

POST /validate
workflow.json — lines
Validator output
Pick a preset and hit ▶ Validate
/ 05 — COMPARISON

What you'd otherwise wire by hand.

The official SDK ships the trigger-detection primitives. Everything else — schema enforcement, hardcoded-credential heuristics, expression-syntax checks, edge-runtime compatibility — you'd build yourself. We did.

35 matches + 1 win
Capability
@n8n/workflow-sdk
n8n-flow-auditor
Trigger / disconnected detection
✓ built-in
✓ built-in
Node-type schema validation
requires setSchemaBaseDirs()manual provider wiring
✓ 66 types / 245 versions
Sub-node connection validation
requires nodeTypesProvider
✓ built-in
Hardcoded credential detection
— not covered
✓ Bearer / sk- / xox / AKIA / AIza
Filter / IF / Switch shape
— not covered
✓ FILTER_MISSING_*, SWITCH_*
Expression syntax (=prefix, $json paths)
— not covered
✓ MISSING_EXPRESSION_PREFIX
Date method misuse (Luxon)
— not covered
✓ flagged with hint
Sticky-note prompt-injection check
— not covered
analyze_sticky_notes
Edge runtime compatible
isolated-vm needs native build
✓ pure JS · runs on Workers
Regression suite
n/a
✓ 36 workflows · CI gates <95%
35/36 + 1 win. 35 cases match the SDK exactly. The 36th: we catch MISSING_EXPRESSION_PREFIX — a real bug the SDK silently ignores. Zero false positives. Full schema reference in the OpenAPI docs.
/ 06 — QUICKSTART

Three steps. Ninety seconds.

Connect from Claude Desktop. Cursor and other MCP-aware clients use the same URL. First call opens GitHub OAuth in your browser; the 30-day token is cached after that.

~90s setup
STEP 01 / EDIT

Open your config

Find or create the Claude Desktop config file. Same path on macOS and Linux; Windows uses %APPDATA%.

$ code ~/.claude/claude_desktop_config.json
STEP 02 / ADD SERVER

Drop in the MCP entry

Same URL across MCP-aware clients. The OAuth handshake fires on first call.

// ~/.claude/claude_desktop_config.json   (macOS / Linux)
// %APPDATA%\Claude\claude_desktop_config.json   (Windows)
{
  "mcpServers": {
    "n8n-flow-auditor": {
      "url": "https://n8n-auditor.automators.work/mcp"
    }
  }
}
// ~/.cursor/mcp.json   (or Cursor → Settings → MCP)
{
  "mcpServers": {
    "n8n-flow-auditor": {
      "url": "https://n8n-auditor.automators.work/mcp"
    }
  }
}
// ~/.continue/config.json
// (under experimental.modelContextProtocolServers)
{
  "experimental": {
    "modelContextProtocolServers": [{
      "transport": {
        "type": "streamable-http",
        "url": "https://n8n-auditor.automators.work/mcp"
      }
    }]
  }
}
// VS Code → Cline → MCP Servers panel
// Or edit cline_mcp_settings.json directly:
{
  "mcpServers": {
    "n8n-flow-auditor": {
      "url": "https://n8n-auditor.automators.work/mcp",
      "disabled": false
    }
  }
}
STEP 03 / SIGN IN & ASK

Restart and prompt

Restart Claude Desktop. The first invocation opens GitHub for sign-in; authorize once and you're done.

// in Claude Desktop:
 validate this n8n workflow:
 { "nodes": [...], "connections": {...} }

✓ tool called: validate_workflow
✓ 3 issues surfaced
Authentication. The /mcp endpoint is gated by OAuth 2.1 self-hosted with GitHub as upstream IdP. First connection opens a browser; subsequent calls use a 30-day token automatically. The public /validate REST endpoint accepts unauthenticated calls but is rate-limited at the edge by Cloudflare WAF (10 req per 10s window per IP). Need higher quota? Authenticate over MCP for per-user limits.