n8n Workflow Automation
Warn
Audited by ClawScan on May 14, 2026.
Overview
This skill is mostly aligned with n8n workflow management, but it can modify and activate workflows with a sensitive API key, including one command that may overwrite an existing workflow without a clear safety check.
Install only if you are comfortable giving this code an n8n API key. Use a trusted n8n URL, back up workflows before import or scheduling, avoid the schedule command unless you have reviewed its behavior, and verify actual templates because the implementation appears much smaller than advertised.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the scheduling command could break or overwrite an existing workflow and leave it active, disrupting automations or business processes.
The schedule command updates an existing n8n workflow with a replacement node list containing only a cron trigger and activates it, with no confirmation, backup, or preservation of the existing workflow graph shown.
workflow_data = {"name": args.workflow, "nodes": [{"type": "n8n-nodes-base.cron", "name": "定时触发", "parameters": {"cronExpression": args.cron}}], "active": True}
response = requests.patch(f"{args.url.rstrip('/')}/api/v1/workflows/{workflow_id}", headers=headers, json=workflow_data, timeout=30)
Back up workflows before using this command; the skill should fetch and preserve existing nodes/connections, show a dry-run diff, require explicit confirmation, and avoid auto-activation by default.
A newly imported workflow may be enabled before the user has reviewed credentials, destinations, recipients, or other configuration.
The import command creates workflows as active while its own message tells the user to modify configuration and then enable them, indicating an unsafe or contradictory default.
"active": True
...
print("ℹ️ 请打开工作流修改配置信息(比如账号密码、地址等)后启用")
Imported workflows should default to inactive until the user reviews and explicitly enables them.
Anyone with the API key could potentially read or change workflows in the targeted n8n instance.
The tool requires an n8n API key and uses it to create, export, patch, and monitor workflows. This is expected for the stated purpose, but it is high-impact account authority.
headers = {"X-N8N-API-KEY": args.api_key, "Content-Type": "application/json"}
import_parser.add_argument("--api-key", required=True, help="n8n API Key")
Use a trusted n8n URL only, prefer the least-privileged API key available, avoid sharing the key in chat logs, and rotate it if exposed.
Workflow names and error text could be posted to a chat robot or webhook destination outside n8n.
The monitor command can send workflow names and error messages to a user-supplied webhook. This is purpose-aligned alerting, but those messages may contain operational details.
content += f"- 工作流:{exec['workflow']['name']}\n 错误:{exec['error']['message']}\n"
requests.post(args.webhook, json={"msgtype": "text", "text": {"content": content}})
Only use trusted webhook URLs and avoid sending sensitive error details to broadly visible chat channels.
Users have limited provenance information for the CLI code and may need to resolve dependencies themselves.
The artifacts do not include a provenance source or installer. The visible Python file reduces hidden-install risk, but users still need to trust and run local code manually.
Source: unknown
Homepage: none
Install specifications: No install spec — this is an instruction-only skill.
Inspect the included Python file before running it and prefer a verified source, pinned dependencies, and documented installation steps.
Users may grant an n8n API key expecting a mature workflow library, but the delivered functionality appears much narrower.
The source defines only a small set of templates and many have empty node lists, which does not support the SKILL.md claim of hundreds of ready-to-use templates and backup/restore-style functionality.
WORKFLOW_TEMPLATES = { ... "日报/周报自动生成": {"name": "日报/周报自动生成", "description": "自动汇总工作记录、生成日报周报、定时发送给上级", "nodes": []}, ... "定时提醒任务": {"name": "定时提醒任务", "description": "支持自定义时间提醒,比如生日提醒、待办提醒、还款提醒等", "nodes": []} }
Treat the advertised template coverage cautiously, inspect the actual templates before importing, and ask the publisher to align claims with implemented functionality.
