OpenClaw n8n Orchestrator
Warn
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate n8n integration skill, but it deserves review because it can configure n8n to feed instructions back into OpenClaw and directly invoke tools if enabled.
Install only if you intentionally want n8n to act as a trusted orchestration layer for OpenClaw. Before use, restrict Gateway tokens and tool allowlists, avoid `/tools/invoke` unless essential, do not let untrusted workflow data become agent instructions, keep the Gateway off the public internet, and pin or verify deployment dependencies.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A workflow could inject instructions that change what the agent does, not just provide workflow results.
The documented ingress API allows n8n-supplied instructions to become prompt-level guidance for the agent. If an n8n workflow processes untrusted input or is compromised, this can redirect the agent's behavior.
`instructions` ... `Merges dynamically into the system prompt for this request`
Do not pass untrusted workflow text into the `instructions` field. Prefer fixed, audited instructions, restrict which workflows can call the Gateway, and require human approval for sensitive follow-up actions.
A misconfigured or compromised n8n workflow with Gateway access could trigger tools or file operations without the normal conversational review path.
The reference includes a powerful escape-hatch endpoint for n8n to invoke OpenClaw tools directly, including file-operation use cases. Although allowlisting is mentioned, the artifacts do not require per-action human confirmation or narrow workflow-specific permissions.
`POST /tools/invoke` — Direct tool invocation bypassing the conversational LLM ... `Use case from n8n`: Red-team testing, direct file operations
Disable `/tools/invoke` unless strictly needed, allowlist only specific low-risk tools, separate tokens per workflow, and require explicit user approval for file, shell, account, or deployment mutations.
Anyone who obtains the webhook secret may be able to trigger the corresponding n8n workflows.
The generated webhook trigger uses a shared secret to authenticate to n8n. This is expected for the integration and is disclosed, but it is still a credential boundary users must protect.
Environment variables accessed: N8N_WEBHOOK_URL, N8N_WEBHOOK_SECRET (only) ... -H `x-webhook-secret: ${N8N_WEBHOOK_SECRET}`
Store webhook secrets in environment variables or a secret manager, rotate them periodically, and avoid logging request headers or generated command lines containing secrets.
User data included in webhook payloads may be processed, logged, or forwarded by the configured n8n workflows and integrations.
The generated skills intentionally send agent payloads to n8n and trust n8n responses. This is disclosed and purpose-aligned, but it creates an inter-agent/data boundary the user must trust.
By using this skill, data is sent to your configured n8n instance. Only install if you trust your n8n deployment and its configured integrations.
Use only trusted n8n instances, review workflow nodes and execution logging, minimize payload contents, and avoid sending secrets or private documents unless necessary.
Following these examples without verification could install changed or unreviewed software later.
The deployment guide includes user-directed remote install and latest-version examples. They are not automatically executed by the skill, but they are supply-chain-sensitive setup choices.
OpenClaw installed via `npm install -g openclaw@latest` or `curl -fsSL https://openclaw.ai/install.sh | bash`
Pin versions or image digests where possible, verify install scripts before running them, and use production change control for OpenClaw and n8n upgrades.
