ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Homeassistant N8n Agent

v1.0.4

Bridge OpenClaw with your n8n instance for Home Assistant automation.

0· 2.6k·7 current·7 all-time
by@enchantedmotorcycle
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description (bridge OpenClaw to n8n for Home Assistant) align with the instructions: it only requires curl and explains how to POST JSON to an n8n webhook on localhost. Nothing requested appears unrelated to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to POST user chat text and a requestType to a localhost n8n webhook — this is within scope. Notes: examples include a hard-coded webhook UUID and fixed sessionId, and several example JSON snippets have syntax errors (missing quotes around some values). The instructions do not mention authentication, verification of the webhook URL, or how to configure a different host, so the agent will rely on a specific local endpoint being present.
Install Mechanism
There is no install specification and no code files — lowest-risk pattern. The skill relies on the curl binary which is declared in metadata and matches the usage in SKILL.md.
Credentials
The skill declares no environment variables or credentials and the runtime instructions do not reference any secrets. That is proportionate for a skill that simply posts to a local webhook.
Persistence & Privilege
The skill is instruction-only and does not request persistent presence or elevated privileges. always is false and autonomous invocation is allowed by default (normal for skills); there is no indication it modifies other skills or system-wide settings.
Assessment
This skill is coherent with its stated purpose, but review these before installing: - Ensure you have an n8n webhook matching the hard-coded URL (http://localhost:5678/webhook/05f3f217-08b9-42de-a84a-e13f135bde73) or update the skill to point to your webhook. The SKILL.md provides no mechanism to configure the webhook URL. - The examples contain JSON syntax errors — the agent should construct valid JSON when calling the webhook. - The skill will forward user-provided chat text to the n8n webhook. Make sure the n8n instance is trusted and not exposed publicly if you care about privacy; consider adding authentication on the webhook. - Test with non-sensitive inputs first to confirm the workflow behavior in n8n and that the webhook triggers the intended Home Assistant automations. - Prefer a version of the skill that accepts a configurable webhook URL (via an environment variable or skill setting) and documents authentication if you plan to expose n8n beyond localhost.

Like a lobster shell, security has layers — review code before you run it.

latestvk973h99v73e7q55q3g4he35qh180zg0q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🤖 Clawdis
Binscurl

Comments