ClawHub

NPM for N8N Nodes

v1.0.0

Build, structure, and publish npm packages for n8n custom community nodes. Use this skill whenever the user wants to create a custom n8n node, publish a node...

0· 35·0 current·0 all-time
by@encryptshawn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the included files: a full set of templates, examples, and publishing guidance for n8n node packages. There are no unrelated binaries, credentials, or installs requested — everything is appropriate for scaffolding, testing, and publishing n8n nodes.
Instruction Scope
SKILL.md and reference docs only instruct on node structure, local testing (npm link, Docker mounting ~/.n8n), building, linting, and publishing to npm/GitHub Actions. These are in-scope for the stated purpose. Two minor notes: (1) debugging snippets suggest logging credential objects (console.log(JSON.stringify(credentials,...)) — useful for debugging but can leak secrets to logs if left in published code; (2) instructions show mounting or accessing ~/.n8n for local testing which is expected but grants access to local n8n data during development and should be used carefully.
Install Mechanism
No install spec — instruction-only skill. Nothing is downloaded or written to disk by the skill itself, which is the lowest-risk install mechanism.
Credentials
The skill does not request environment variables or credentials itself. It documents standard publishing workflows that use NPM_TOKEN or GitHub Actions secrets for npm publishing/provenance — those are appropriate and proportional to the described publish process.
Persistence & Privilege
always:false and user-invocable:true. The skill does not request persistent agent privileges nor instruct modifying other skills or global agent settings.
Assessment
This is a coherent, documentation-only skill for building and publishing n8n nodes. It's safe to read and use, but follow best practices: remove any console.log debugging that prints credentials before publishing, keep your NPM/GitHub tokens stored only in repository secrets (or use npm Trusted Publishers), avoid mounting or exposing your real ~/.n8n directory on untrusted machines, ensure dist/ is built in CI before publishing, and review the package contents (package.json, n8n.nodes/credentials entries, compiled dist/) before publishing to npm. If you want extra assurance, inspect the code you compile (dist/) and the GitHub Actions workflow that will publish the package.

Like a lobster shell, security has layers — review code before you run it.

latestvk979p0dgfk4ecz75849sq497cd848qc1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments