OpenClaw n8n Orchestrator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent documentation and templates for connecting OpenClaw to n8n, but it enables powerful webhook and gateway access that should only be used with trusted, well-scoped n8n deployments.
This looks like a legitimate n8n/OpenClaw integration helper rather than a hidden or malicious skill. Before using it, verify the publisher/source, pin install versions where possible, keep Gateway and n8n endpoints private or strongly authenticated, restrict direct tool invocation, and only connect workflows that you trust to send data or instructions back into your agent.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled too broadly, an n8n workflow could trigger OpenClaw tools without a normal conversational review step.
The skill documents a Gateway path that lets n8n directly invoke OpenClaw tools. The text also notes allowlisting, so this is disclosed and purpose-aligned, but powerful.
POST /tools/invoke — Direct tool invocation bypassing the conversational LLM ... Important: The tool must be allowlisted by the Gateway's policy chain.
Only allowlist the specific tools each workflow needs, keep Gateway authentication enabled, and require human approval for high-impact tools.
Anyone with the webhook URL and secret may be able to trigger configured n8n workflows.
Generated webhook skills rely on a shared n8n webhook secret. This is expected for authentication and is disclosed, with no evidence of hardcoding or leakage.
: "${N8N_WEBHOOK_SECRET:?Error: N8N_WEBHOOK_SECRET environment variable not set}" ... -H "x-webhook-secret: ${N8N_WEBHOOK_SECRET}"Store webhook secrets in environment variables or a secret manager, rotate them periodically, and avoid embedding them in generated skill files or logs.
Future upstream changes or a compromised install endpoint could alter what gets installed.
The deployment guide includes user-directed unpinned install methods and a remote shell install pattern. This is setup documentation, not automatic execution, but it depends on trusted upstream sources.
OpenClaw installed via `npm install -g openclaw@latest` or `curl -fsSL https://openclaw.ai/install.sh | bash`
Prefer pinned versions, reviewed install scripts, checksums, and controlled container/image registries for production deployments.
A compromised or poorly designed n8n workflow could send misleading instructions or persistent context into the agent.
The Gateway ingress design can inject content and instructions into an agent session and preserve history by session key. This is central to n8n ingress, but it affects agent context.
`instructions` | string | No | Merges dynamically into the system prompt for this request ... The `user` parameter drives session persistence.
Treat n8n workflow outputs as untrusted input unless validated, avoid passing arbitrary external text as instructions, and separate session keys for different workflows or users.
If deployed, OpenClaw and n8n will keep running until explicitly stopped or reconfigured.
The optional deployment template creates persistent services that restart automatically. This is normal for a production stack and is clearly visible in the template.
openclaw: ... restart: unless-stopped ... n8n: ... restart: unless-stopped
Use this only for intended long-running deployments, review exposed ports, and stop or remove the containers when no longer needed.