ClawHub

skill n8n by Dr. FIRAS

v1.0.0

AI-powered n8n workflow builder and deployer by Dr. FIRAS. Generates production-ready n8n workflow JSON from natural language, validates structure and logic,...

0· 154·0 current·0 all-time
byDr FIRAS@drfirass
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, and the three Python modules (forge, inspector, deploy) all align: they generate, validate, and push n8n workflow JSON. The required env vars (N8N_API_KEY, N8N_BASE_URL) are appropriate and expected.
Instruction Scope
SKILL.md restricts operations to building, validating, and deploying workflows and references only the provided scripts. It does instruct the agent to offer automatic deployment when N8N_API_KEY is configured and to 'generate every node with real, configured parameters' — which means the agent could produce nodes containing credential references or sensitive endpoints. Review generated JSON before pushing.
Install Mechanism
No install spec; code is instruction+Python stdlib scripts. No downloads, no third-party package installs. Low install risk.
Credentials
Only N8N_API_KEY and N8N_BASE_URL are required and declared (N8N_API_KEY is primary). This is proportional for a deployer. However SKILL.md suggests storing the key in OpenClaw settings (~/.config/openclaw/settings.json), which persists the secret on disk in config — consider using the platform's secret management or a dedicated limited-scope API key.
Persistence & Privilege
always:false and no requests to modify other skills or system-wide settings. The skill can be invoked autonomously (platform default), and with the API key present it can deploy workflows — that combination is expected for a deployer but means you should control when/which workflows are pushed.
Assessment
This package appears to do what it says: build, validate, and push n8n workflows. Before enabling it: (1) do not give it your primary production API key — create a limited-scope or staging n8n API key for testing; (2) review any generated workflow JSON (particularly 'credentials' blocks and node 'parameters') before running push/activate; (3) avoid storing secrets in plaintext settings.json if your environment is sensitive — prefer the platform secret store if available; (4) consider requiring manual confirmation for deployments so the agent cannot auto-deploy changes unexpectedly; (5) optionally audit the scripts locally (they use only urllib/stdlib) — there are minor code typos in truncated parts but nothing indicating hidden endpoints or exfiltration. Overall the skill is internally coherent, but exercise usual caution with API keys and automatic deployment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ehs2b7fjnxn1bc0aj6eskw183svjw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🚀 Clawdis
EnvN8N_API_KEY, N8N_BASE_URL
Primary envN8N_API_KEY

Comments