N8n Operator
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its n8n workflow-management purpose, but it includes instructions for persistent OpenClaw cron jobs and broad n8n account control that users should review carefully.
Install only if you are comfortable giving the agent API-level control over your n8n instance. Review generated workflows before activation, be especially cautious with delete/execute/credential operations, and do not allow OpenClaw cron-job creation unless you explicitly want persistent scheduled triggering and know how to remove it.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can change or remove workflows and trigger automations that may call other systems.
The skill explicitly exposes mutating workflow operations, including delete, activate, deactivate, and execute. This is expected for an n8n operator, but it can materially affect automations.
Workflow management ... Create POST /workflows ... Update PUT /workflows/{id} ... Delete DELETE /workflows/{id} ... Activate POST /workflows/{id}/activate ... Execute POST /workflows/{id}/execute
Use it only with the intended n8n instance, review workflow IDs and generated JSON, and require explicit confirmation for delete, activation, execution, or production changes.
Anyone or any agent using this key may be able to inspect and mutate n8n workflows and related resources allowed by that key.
The skill requires an n8n API key and uses it for REST API calls. This is expected for the integration, but the key delegates access to the n8n account.
N8N_BASE_URL=http://localhost:5678 N8N_API_KEY=<your-api-key> ... X-N8N-API-KEY: <N8N_API_KEY>
Use the least-privileged API key available, prefer a test n8n instance first, avoid sharing the key in chat or logs, and rotate it if exposed.
Workflows may be connected to third-party services such as Slack, email, databases, or APIs, expanding the effect of mistakes or unsafe workflow designs.
The skill documents n8n credential-management API operations. Credential creation/listing can be necessary for workflows, but it touches sensitive integration authority.
Credential management ... List GET /credentials ... Create POST /credentials
Confirm every credential use, avoid storing unnecessary third-party secrets, and ensure generated workflows reference only approved credential IDs.
A scheduled job could continue triggering workflows after the original chat is over, potentially causing repeated external actions or unexpected automation runs.
The skill instructs direct modification of OpenClaw's cron configuration to create scheduled webhook triggers. That creates persistent behavior outside the n8n API and the provided text does not show clear approval, cleanup, or scoping safeguards.
Gateway Cron automatically triggers n8n Webhook ... Method: directly edit the jobs.json file ... C:\Users\lujun\.openclaw\cron\jobs.json ... Add a cron task that triggers the n8n webhook URL via `curl.exe POST`
Only allow cron-job creation after explicit approval, inspect the exact jobs.json change, use a clearly named job, define how to disable it, and prefer n8n's own Schedule Trigger when possible.
If followed, n8n workflows could write files to the host Desktop, and container-level mistakes could have broader effects than a least-privilege setup.
The reference recommends mounting a host Desktop directory into n8n and running the container as root for file-writing workflows. It also includes a path restriction, but the setup still increases local file-write and privilege exposure.
volumes: - C:/Users/lujun/Desktop:/home/node/desktop # Key: Desktop mapping user: "0:0" # Key: resolves permission conflict N8N_RESTRICT_FILE_ACCESS_TO=/tmp;/home/node/desktop
Use a dedicated non-sensitive output directory instead of the Desktop, avoid running the container as root if possible, and keep n8n file access restricted to the smallest needed path.
