n8n API
v1.0.1Operate n8n via its public REST API from OpenClaw. Use for workflow management, executions, and automation tasks such as listing, creating, publishing, triggering, or troubleshooting. Works with both self-hosted n8n and n8n Cloud.
⭐ 3· 3.4k·12 current·12 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md content is coherent with the name/description: it shows curl examples, endpoints, and flows for managing n8n workflows and executions. However the registry metadata lists no required environment variables or binaries while the instructions clearly expect N8N_API_KEY and N8N_API_BASE_URL (and implicitly curl and jq). That metadata omission is inconsistent with the skill's practical needs.
Instruction Scope
Instructions stay within the expected scope (calling the n8n API, listing/activating workflows, triggering webhooks, reviewing executions). They instruct the agent to use environment variables and optionally store them in a file (.n8n-api-config). The skill runs commands against production data (playground on self-hosted instance uses real data), so callers should avoid using production API keys for experiments. No instructions request unrelated system files or unrelated credentials.
Install Mechanism
This is instruction-only (no install spec, no code files to execute). That is low-risk from an install-bytes perspective — nothing is fetched or written by an installer. The runtime risk comes from network/API access guided by the SKILL.md, not from an install step.
Credentials
The skill relies on a sensitive credential (N8N_API_KEY) and an instance URL, but the registry metadata lists no required env vars or primary credential. That mismatch is concerning because the platform metadata does not surface the need to provide an API key. The instructions also suggest storing credentials in a file (.n8n-api-config) which, if used without care, could lead to plaintext credential exposure. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true and does not declare persistent system-wide changes. The only persistence suggestion is storing recommended env vars in a local config file; it does not instruct modifying other skills or global agent settings. Model invocation is allowed (default) — normal for skills — and does not on its own change the risk posture.
What to consider before installing
This skill appears to be a straightforward n8n REST-API helper, but there are some practical omissions in the package metadata you should address before installing: (1) Verify the skill's source/owner — no homepage and an opaque owner ID increases risk. (2) Expect to provide N8N_API_KEY and N8N_API_BASE_URL at runtime; do not use an account-wide admin key if you can avoid it — create a limited-permission API key or test account. (3) The SKILL.md assumes curl and jq are available; ensure those binaries exist in the execution environment or the commands will fail. (4) Be cautious about storing the API key in plaintext (.n8n-api-config) — prefer environment-only injection or a secrets store. (5) Test the skill against a non-production n8n instance or a scoped test API key first, since the instructions operate on real data and can activate/deactivate workflows or retry executions. (6) If you want stronger assurances, ask the publisher to update registry metadata to declare required env vars and any required binaries so the platform can surface the credential requirement up front.Like a lobster shell, security has layers — review code before you run it.
latestvk97cnx3975g1e7k85afkm8cvc180bedx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.