ClawHub

n8n Automation

v0.1.0

Manage n8n workflows from OpenClaw via the n8n REST API. Use when the user asks about n8n workflows, automations, executions, or wants to trigger, list, create, activate, or debug n8n workflows. Supports both self-hosted n8n and n8n Cloud instances.

9· 4.8k·38 current·40 all-time
by@dilomcfly
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (manage n8n via REST API) aligns with the runtime instructions which use the n8n REST endpoints for listing, triggering, creating, activating, and debugging workflows. However, the skill expects an N8N_API_URL and N8N_API_KEY in SKILL.md while the registry metadata declares no required environment variables or primary credential — this metadata omission is inconsistent with the skill's needs.
!
Instruction Scope
SKILL.md's instructions stay within n8n API operations (curl calls, webhook triggers, execution inspection). BUT the instructions require environment variables (N8N_API_URL, N8N_API_KEY) and suggest storing them in a local file (.n8n-api-config) even though the registry metadata does not advertise these requirements. That mismatch means an agent or user may not be warned that sensitive credentials are needed, and the guidance to persist the API key in a file increases the risk of accidental exposure.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk. That minimizes installation risk (no downloads or extracted archives).
!
Credentials
The skill requires an n8n API key (per SKILL.md) which the docs note 'has full access on non-enterprise plans.' Requesting a single API key for the service is proportionate to the functionality, but the metadata failing to declare it and the suggestion to persist the key in plaintext are problematic. There is no explicit support for least-privilege credentials or scoped tokens; users are not warned about the key's broad privileges.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable only. It does recommend storing credentials locally, but it does not ask for platform-level persistence or elevated agent privileges.
What to consider before installing
This skill appears to do what it says (manage n8n via its API) but the package metadata omits the fact that it needs an N8N_API_URL and N8N_API_KEY. Before installing or using it: (1) only provide an API key to a skill you trust — n8n API keys can have full access; prefer a scoped or service account if possible, and rotate keys afterward; (2) avoid storing the API key in plaintext on shared systems; use a secrets manager or per-session env vars; (3) confirm the skill's source/owner (no homepage/source provided) and ask the publisher to update metadata to declare required env vars; (4) review any workflow JSON you upload/create to ensure it does not include sensitive credentials; and (5) treat webhook triggers as unauthenticated endpoints and ensure triggering them is safe. Because of the metadata mismatch and credential-handling guidance, proceed only after you verify the skill's provenance and consider limiting the key's scope.

Like a lobster shell, security has layers — review code before you run it.

latestvk975h06bng2f8jq2z15encfr4x809ara

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments