Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

N8n Code Automation Nelmaz

v1.1.0

Integrate n8n workflow automation into coding tasks. Use when building automated workflows, integrating n8n into development pipelines, executing existing wo...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill purports to integrate with n8n (expected). However the registry metadata declared no required environment variables or config paths while the SKILL.md repeatedly instructs you to supply N8N_URL and N8N_API_KEY — those credentials are required in practice but not declared. Additionally two included SKILL.md files disagree about the default n8n URL (one hardcodes https://n8n.nelflow.cloud; the other claims that hardcoded domain was removed), indicating stale or conflicting content.
Instruction Scope
Instructions include commands that will read/use credentials and modify configuration (examples show editing ~/.openclaw/openclaw.json) and reference writing audit logs to /data/.openclaw/logs/n8n-audit.log. The nested SKILL.md explicitly shows insecure behavior (adding creds to ~/.openclaw/openclaw.json and a hardcoded external domain). The root SKILL.md claims to forbid config-file creds, but that contradictory guidance is present in other shipped files — giving the agent ambiguous authority over credentials and config paths.
Install Mechanism
This is instruction-only with no install spec and no code files; nothing will be written or executed by an install step. That lowers risk compared to packages that download/execute code.
Credentials
The package metadata declares no required env vars, but runtime instructions require N8N_URL, N8N_API_KEY, and optionally N8N_PERMISSION_MODE. The skill also suggests (in one included document) adding creds to ~/.openclaw/openclaw.json — a config path that was not declared. The number and sensitivity of credentials referenced is proportionate to an n8n connector, but the omission from metadata and contradictory guidance about storage location are problematic.
Persistence & Privilege
The skill does not request 'always: true' or autonomous elevation. It references creating an audit log at /data/.openclaw/logs/n8n-audit.log (persistence of logs). The skill did not declare that config path in metadata; you should confirm what will be written, where, and with what permissions before trusting it.
What to consider before installing
Do not install or run this skill until the author resolves the conflicting files and clarifies credential handling. Specific actions to request or verify from the publisher: (1) state which SKILL.md is canonical (v1.1.0 or v1.0.0) and remove the stale file that hardcodes https://n8n.nelflow.cloud; (2) update registry metadata to list required environment variables (N8N_URL, N8N_API_KEY, optional N8N_PERMISSION_MODE) and any config paths the skill will write to; (3) remove any instructions that tell users to store credentials in ~/.openclaw/openclaw.json (if the skill truly requires env vars only, examples must reflect that); (4) confirm the audit log path and ensure it does not expose secrets; (5) verify the publisher identity/hosting (the nelflow.cloud mention is suspicious if it is not part of official n8n infrastructure). If you must use it before fixes, only run it in an isolated/test environment, supply least-privilege API keys, keep the permission mode on readonly, and do not store high-privilege keys in files.
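The first three findings above (undeclared environment variables, undeclared config and log paths, a hardcoded host) can be checked mechanically before you trust a skill's metadata. The following lint is an added example written for this review, not code from ClawHub or from the skill; the metadata shape { env: [...], paths: [...] } is this example's own assumption about how a declaration would look, and the SKILL.md sample is constructed from lines in the style of the one shown further down the page.

```javascript
// Added example for this review, not part of the scan or of the skill: a lint
// that compares what a SKILL.md references against what the registry metadata
// declares. The metadata shape { env: [...], paths: [...] } is this example's
// own assumption about how a declaration would look.

function findReferences(skillMd) {
  const envVars = new Set();
  const paths = new Set();
  const hosts = new Set();

  // Environment variables: $NAME, ${NAME} and `export NAME=`
  for (const m of skillMd.matchAll(/\$\{?([A-Z][A-Z0-9_]+)\}?|\bexport\s+([A-Z][A-Z0-9_]+)=/g)) {
    envVars.add(m[1] || m[2]);
  }
  // Config and log paths the instructions read or write
  for (const m of skillMd.matchAll(/(?:~|\/data|\/etc|\/home)\/[\w.\/-]+/g)) {
    paths.add(m[0]);
  }
  // Hardcoded hosts in https:// URLs, skipping obvious placeholders
  for (const m of skillMd.matchAll(/https:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi)) {
    const host = m[1].toLowerCase();
    if (!/(example|your-)/.test(host)) hosts.add(host);
  }
  return {
    envVars: [...envVars].sort(),
    paths: [...paths].sort(),
    hosts: [...hosts].sort(),
  };
}

// Returns what the skill uses but the metadata does not admit to.
function lintSkill(skillMd, declared) {
  const refs = findReferences(skillMd);
  const declaredEnv = new Set(declared.env || []);
  const declaredPaths = new Set(declared.paths || []);
  return {
    undeclaredEnv: refs.envVars.filter((v) => !declaredEnv.has(v)),
    undeclaredPaths: refs.paths.filter((p) => !declaredPaths.has(p)),
    hardcodedHosts: refs.hosts,
  };
}

// Constructed sample: a few lines in the style of the skill's own SKILL.md
const SAMPLE_SKILL_MD = `
export N8N_URL="https://your-n8n-instance.com"
export N8N_API_KEY="your-api-key"
curl -H "X-N8N-API-KEY: $N8N_API_KEY" "$N8N_URL/api/v1/workflows"
# Edit ~/.openclaw/openclaw.json
All actions are logged to /data/.openclaw/logs/n8n-audit.log
Default instance: https://n8n.nelflow.cloud
`;

// What the registry showed for this skill: nothing declared
const EMPTY_METADATA = { env: [], paths: [] };

console.log(JSON.stringify(lintSkill(SAMPLE_SKILL_MD, EMPTY_METADATA), null, 2));
```

Run against the constructed sample with empty metadata, the lint reports N8N_API_KEY and N8N_URL as undeclared, both the openclaw.json and the audit-log path as undeclared, and n8n.nelflow.cloud as a hardcoded host, which is exactly the gap the scan describes. Once the publisher declares those values, the first two lists come back empty and only the hardcoded host remains to be explained.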


SKILL.md

N8N Code Automation

⚠️ SECURITY CRITICAL UPDATE (v1.1.0)

This version addresses CRITICAL SECURITY VULNERABILITIES present in v1.0.0:

✅ Fixed Vulnerabilities

  1. Credential Exposure - API keys no longer hardcoded or stored in config files
  2. Hardcoded URLs - Removed hardcoded nelflow.cloud domain, now configurable
  3. Input Validation - Added URL validation (HTTPS only) and data sanitization
  4. No Audit Logging - Complete audit trail with timestamps implemented
  5. No Rate Limiting - Configurable rate limits to prevent abuse
  6. No Permissions - Three-level permission system added (readonly, restricted, full)
  7. No Confirmation - Two-factor confirmation for dangerous operations

🔐 New Security Features

  • Credential Isolation: API keys stored ONLY in environment variables
  • Input Validation: URL format validation + data sanitization
  • Audit Logging: Complete action trail in /data/.openclaw/logs/n8n-audit.log
  • Rate Limiting: Configurable limits (10 req/min by default)
  • Granular Permissions: 3 levels - readonly, restricted, full
  • HTTPS Enforcement: Only HTTPS connections allowed
  • Confirmation Required: Two-factor for dangerous operations

📋 Migration from v1.0.0

If you were using v1.0.0, please migrate:

  1. Remove credentials from config, and rotate the key that was stored there (a key that sat in a config file should be treated as exposed):

    # Edit ~/.openclaw/openclaw.json
    # REMOVE any N8N_URL or N8N_API_KEY entries, then generate a new API key in n8n
    
  2. Set environment variables:

    export N8N_URL="https://your-n8n-instance.com"
    export N8N_API_KEY="your-api-key"
    
  3. Set permission mode (optional):

    export N8N_PERMISSION_MODE="readonly"  # recommended for production
    

See the Security section below for details of these controls.


Overview

Enable n8n workflow automation capabilities for coding tasks. Use n8n to build, manage, and execute automated workflows that integrate with your development processes, CI/CD pipelines, data processing, and API integrations.

Configuration

Connection Details

  • URL: Configurable via the N8N_URL environment variable (REQUIRED)
  • API Key: Generated in n8n (Settings → API → API Key); the key acts with the permissions of the user who created it, so create it under a dedicated least-privilege account
  • Header: X-N8N-API-KEY
  • Base Path: /api/v1 (all calls below use this prefix)

Authentication (SECURE - v1.1.0)

⚠️ IMPORTANT: API keys MUST be stored as environment variables, NEVER in config files.

Do NOT do this:

{
  "env": {
    "N8N_URL": "https://n8n.example.com",  // ❌ INSECURE
    "N8N_API_KEY": "your-api-key-here"         // ❌ CRITICAL SECURITY ISSUE
  }
}

✅ CORRECT approach:

# Set in the shell session or inject from a secrets manager / CI secret store.
# A shell profile is still a file on disk, so keep the key out of dotfiles that
# get synced or committed, and use a separate, least-privilege key per environment.
export N8N_URL="https://your-n8n.com"
export N8N_API_KEY="your-api-key"

Permission Modes (NEW - v1.1.0)

The skill operates in three permission modes:

Mode       | Read | Execute | Create | Update | Delete | Risk Level
readonly   | ✅   | ❌      | ❌     | ❌     | ❌     | 🟢 LOW
restricted | ✅   | ✅*     | ✅*    | ❌     | ❌     | 🟡 MEDIUM
full       | ✅   | ✅      | ✅*    | ✅*    | ✅*    | 🔴 HIGH

* Requires explicit confirmation for each operation

Default mode: readonly

To change mode:

export N8N_PERMISSION_MODE="full"  # DANGEROUS - only for trusted environments
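Because the skill ships as instructions only, nothing in the package enforces these modes; the agent is trusted to follow the table. The gate below is an added example, not code shipped with the skill, showing what an enforced version looks like: the mode comes from N8N_PERMISSION_MODE and defaults to readonly, an unknown mode fails closed, and every starred cell requires a typed phrase in the style of the "I confirm deletion" prompt used later on the page. Which HTTP method and path map to which action class is this example's own assumption about how the skill's curl calls line up with the table; the starred cells follow the "Dangerous Operations" section, which requires confirmation for clone, update and delete.

```javascript
// Added example, not code shipped with the skill: a gate implementing the
// readonly / restricted / full matrix above. Which HTTP method and path map to
// which action class is this example's own assumption about how the skill's
// curl calls line up with the table.

// allow: run it; confirm: run only after the user types the phrase; absent: deny
const MODES = {
  readonly:   { read: 'allow' },
  restricted: { read: 'allow', execute: 'confirm', create: 'confirm' },
  full:       { read: 'allow', execute: 'allow', create: 'confirm', update: 'confirm', delete: 'confirm' },
};

const CONFIRM_PHRASES = {
  execute: 'I confirm execution',
  create: 'I confirm creation',
  update: 'I confirm update',
  delete: 'I confirm deletion',
};

// Unset means readonly; an unknown value fails closed instead of widening access.
function resolveMode(env) {
  const mode = (env.N8N_PERMISSION_MODE || 'readonly').toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(MODES, mode)) {
    throw new Error(`unknown N8N_PERMISSION_MODE "${mode}"; expected readonly, restricted or full`);
  }
  return mode;
}

// Classify a request the way the skill's sections group them (assumed mapping).
function classify(method, apiPath) {
  const m = method.toUpperCase();
  if (m === 'GET') return 'read';
  if (m === 'DELETE') return 'delete';
  if (m === 'PUT' || m === 'PATCH') return 'update';
  if (m === 'POST') {
    if (/\/executions$/.test(apiPath)) return 'execute';
    if (/\/clone$/.test(apiPath) || /\/workflows\/?$/.test(apiPath)) return 'create';
  }
  return 'unknown';
}

function authorize({ mode, method, apiPath, typedPhrase = '' }) {
  const action = classify(method, apiPath);
  const table = MODES[mode];
  if (!table) throw new Error(`unknown mode "${mode}"`);
  const decision = table[action]; // undefined for anything the mode does not list
  if (!decision) {
    return { action, allowed: false, reason: `${action} is not permitted in ${mode} mode` };
  }
  if (decision === 'confirm') {
    const phrase = CONFIRM_PHRASES[action];
    if (typedPhrase.trim() !== phrase) {
      return { action, allowed: false, reason: `${method} ${apiPath} needs confirmation: type "${phrase}"` };
    }
    return { action, allowed: true, reason: 'confirmed by user' };
  }
  return { action, allowed: true, reason: `${action} is allowed in ${mode} mode` };
}

// Usage: decide before the curl call is issued, never after
console.log(authorize({ mode: resolveMode(process.env), method: 'POST', apiPath: '/api/v1/workflows/abc123/executions' }));
```

The two design points worth copying are that the default and the unknown-value case both resolve to the narrowest mode, and that the confirmation phrase is specific to the action, so a phrase typed for an execution cannot be replayed to authorize a deletion.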

Available Actions

🟢 Read-Only Operations (Safe)

Read-only is low-risk for the n8n instance, not for its contents: workflow definitions reveal node parameters and which credentials a workflow uses, and execution records can contain the data a workflow processed, so a readonly key still warrants least-privilege scoping.

1. List Workflows

curl -X GET "$N8N_URL/api/v1/workflows" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json"

Response:

{
  "data": [
    {
      "id": "abc123",
      "name": "Example Workflow",
      "nodes": [...],
      "connections": {...},
      "active": true,
      "settings": {}
    }
  ]
}

2. Get Workflow Status

curl -X GET "$N8N_URL/api/v1/workflows/abc123" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json"

3. Get Executions

curl -X GET "$N8N_URL/api/v1/workflows/abc123/executions" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

Filter options (as documented by the skill):

  • ?limit=10 - Limit results
  • ?startDate=2024-01-01 - Start date
  • ?endDate=2024-01-31 - End date
  • ?status=success - Filter by status

Caveat: n8n's public REST API lists executions at GET /api/v1/executions, filtered with workflowId, status, limit and cursor query parameters; the per-workflow path and the date filters above are not part of that API, so check the API reference for your n8n version before scripting against them.

4. Get Execution Details

curl -X GET "$N8N_URL/api/v1/executions/xyz789" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

🟡 Execute Operations (Requires Permission)

5. Execute Workflow (Manual)

Confirmation required: The skill will ask for approval before execution.

Caveat: n8n's public REST API (v1) does not expose an endpoint that starts a workflow; the POST .../executions calls below are the skill's own claim. From outside n8n, workflows are normally started through a Webhook trigger (see operation 7) or a schedule, so verify these calls against your instance before scripting them.

# Step 1: Review workflow
curl -X GET "$N8N_URL/api/v1/workflows/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

# Step 2: Execute (with confirmation)
curl -X POST "$N8N_URL/api/v1/workflows/{id}/executions" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"data": {"contextData": {}, "manualExecution": true}}'

6. Execute Workflow (with Inputs)

curl -X POST "$N8N_URL/api/v1/workflows/{id}/executions" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "data": {
      "contextData": {
        "input": {
          "parameter1": "value1",
          "parameter2": "value2"
        }
      }
    }
  }'

7. Execute Webhook

The webhook path is effectively a shared secret: anyone who learns the URL can trigger the workflow, so enable authentication on the Webhook node (header or basic auth) and treat the URL like a credential.

curl -X POST "$N8N_URL/webhook/your-webhook-path" \
  -H "Content-Type: application/json" \
  -d '{
    "data": {
      "input1": "value1",
      "input2": "value2"
    }
  }'

🔴 Dangerous Operations (Requires Explicit Confirmation)

⚠️ These operations require TWO confirmations:

  1. Display of what will be changed
  2. Typing confirmation phrase

Caveat: the clone endpoint and the PATCH method shown below are the skill's own claims. n8n's public REST API updates a workflow by full replacement with PUT /api/v1/workflows/{id} and has no clone endpoint, so verify these calls against your version's API reference before relying on them.

8. Clone Workflow

# Step 1: Show what will be cloned
curl -X GET "$N8N_URL/api/v1/workflows/{source-id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

# Step 2: Execute with confirmation
curl -X POST "$N8N_URL/api/v1/workflows/{source-id}/clone" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Cloned Workflow"}'

9. Update Workflow (PATCH)

# Step 1: Show current state
curl -X GET "$N8N_URL/api/v1/workflows/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

# Step 2: Show diff
# (Display what will change)

# Step 3: Execute with confirmation
curl -X PATCH "$N8N_URL/api/v1/workflows/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"nodes": [{"parameters": {...}}]}'

10. Delete Workflow

# Step 1: Show workflow details
curl -X GET "$N8N_URL/api/v1/workflows/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

# Step 2: Type confirmation
# DELETE: Workflow Name - Type "I confirm deletion" to proceed

# Step 3: Execute
curl -X DELETE "$N8N_URL/api/v1/workflows/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

Coding Use Cases

Use Case 1: CI/CD Integration

Scenario: Trigger build/test workflows from code commits.

# .github/workflows/n8n-trigger.yml
name: Trigger N8N Workflow

on:
  push:
    branches: [ main ]

jobs:
  trigger-n8n:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger N8N workflow
        env:
          N8N_URL: ${{ secrets.N8N_URL }}
          N8N_API_KEY: ${{ secrets.N8N_API_KEY }}
          N8N_WORKFLOW_ID: ${{ secrets.N8N_WORKFLOW_ID }}
          # Pass context through env rather than interpolating ${{ }} into the script,
          # so untrusted context values can never be parsed as shell
          COMMIT_SHA: ${{ github.sha }}
        run: |
          # --fail makes a 4xx/5xx response fail the step instead of passing silently
          curl --fail --silent --show-error -X POST "$N8N_URL/api/v1/workflows/$N8N_WORKFLOW_ID/executions" \
                -H "X-N8N-API-KEY: $N8N_API_KEY" \
                -H "Content-Type: application/json" \
                -d "{\"data\": {\"contextData\": {\"commitSha\": \"$COMMIT_SHA\"}}}"

Use Case 2: Data Processing Pipeline

Scenario: Process and transform data automatically.

Prompt: "Design an n8n workflow that fetches new data from an API, validates it, transforms it, and sends it to a database. Use HTTP Request nodes for API calls, Function nodes for validation and transformation, and Database nodes for storage."


Use Case 3: Automated Testing

Scenario: Run test suites automatically and send results to Slack.

Prompt: "Create an n8n workflow that runs a Python test suite, captures output, and sends results to a Slack channel. Include HTTP Request nodes to trigger tests and a Slack node to send formatted results."


Use Case 4: Scheduled Maintenance

Scenario: Execute periodic maintenance tasks.

Prompt: "Set up an n8n workflow that runs every morning at 6 AM to:

  1. Check database performance metrics
  2. Backup important files
  3. Send a summary to my email

Use a Cron node for scheduling and Email nodes for notifications."

Use Case 5: API Integration

Scenario: Connect multiple services via automated workflows.

Prompt: "Create an n8n workflow that:

  1. Receives alerts from a monitoring service (like Datadog or Prometheus)
  2. When an alert fires, notifies Slack and Telegram
  3. Creates a ticket in Jira/Trello
  4. Sends an email to the team

Include a Webhook node to receive the alerts, Slack and Telegram nodes for notifications, and a database node to track incidents."

Security (NEW - v1.1.0)

Input Validation (NEW)

function validateN8NUrl(url) {
  // Parse with the WHATWG URL class instead of hand-written regexes so that
  // ports, paths, userinfo and query strings are all handled correctly
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    throw new Error('Invalid URL');
  }

  // Must be HTTPS
  if (parsed.protocol !== 'https:') {
    throw new Error('URL must use HTTPS');
  }

  // Valid domain format: a dotted hostname (a bare name such as "localhost" is rejected)
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(parsed.hostname)) {
    throw new Error('Invalid domain format');
  }

  // No credentials in URL (https://user:pass@host)
  if (parsed.username || parsed.password) {
    throw new Error('URL must not contain credentials');
  }

  // No query string or fragment: the API key belongs in the X-N8N-API-KEY header, never in the URL
  if (parsed.search || parsed.hash) {
    throw new Error('URL must not contain a query string or fragment');
  }

  // No suspicious keywords anywhere in the URL
  if (/\b(key|token|secret|password|auth)\b/i.test(url)) {
    throw new Error('URL must not contain secret keywords');
  }

  // Normalize: drop any trailing slash so "$N8N_URL/api/v1/..." joins cleanly
  return parsed.origin + parsed.pathname.replace(/\/+$/, '');
}

Data Sanitization (NEW)

function sanitizeData(data) {
  // Compared against lower-cased keys, so the entries must be lower case too
  // ('apiKey' with a capital K would never match)
  const sensitive = ['password', 'apikey', 'api_key', 'secret', 'token', 'credential'];

  // Deep copy so the caller's object is not mutated
  const sanitized = JSON.parse(JSON.stringify(data));

  function clean(obj) {
    if (obj === null || typeof obj !== 'object') return;
    for (const key in obj) {
      if (sensitive.some(s => key.toLowerCase().includes(s))) {
        obj[key] = '***REDACTED***';
      } else if (typeof obj[key] === 'object') {
        clean(obj[key]); // recurse into nested objects and arrays; null is skipped above
      }
    }
  }

  clean(sanitized);
  return sanitized;
}

Audit Logging (NEW)

All actions are logged to:

/data/.openclaw/logs/n8n-audit.log

Entries should pass through sanitizeData before they are written, and the file should be readable only by the account running the skill; an audit log that captures request headers or raw error messages is otherwise an easy place for the API key to leak.

Log format:

{
  "timestamp": "2024-04-04T00:30:45.123Z",
  "user": "nelson",
  "action": "WORKFLOW_EXECUTE",
  "workflowId": "abc123",
  "workflowName": "CI Build",
  "status": "success",
  "durationMs": 234
}

Rate Limiting (NEW)

Default limits (configurable):

Operation           | Limit | Window
API requests        | 10    | per minute
Workflow executions | 5     | per minute
Bulk operations     | 1     | per 5 minutes
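As with the permission modes, the limits above are a promise in prose rather than code. The limiter below is an added example, not code from the skill: a sliding-window limiter seeded with the three budgets from the table, with an injectable clock so the behaviour can be checked without waiting a minute. Treating every call as spending the shared API budget, and executions and bulk operations as also spending their own, is this example's reading of the table.

```javascript
// Added example, not code from the skill: a sliding-window limiter for the
// per-operation budgets in the table above, with an injectable clock.

class SlidingWindowLimiter {
  constructor(limit, windowMs, now = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = []; // timestamps of accepted calls inside the current window, oldest first
  }

  // Drop timestamps that have aged out of the window
  prune(t) {
    while (this.hits.length && this.hits[0] <= t - this.windowMs) this.hits.shift();
  }

  // Milliseconds until a slot frees up; 0 when one is free now
  retryAfterMs(t = this.now()) {
    this.prune(t);
    return this.hits.length < this.limit ? 0 : this.hits[0] + this.windowMs - t;
  }

  record(t = this.now()) {
    this.hits.push(t);
  }
}

const DEFAULT_LIMITS = {
  api:     { limit: 10, windowMs: 60_000 },  // API requests: 10 per minute
  execute: { limit: 5,  windowMs: 60_000 },  // workflow executions: 5 per minute
  bulk:    { limit: 1,  windowMs: 300_000 }, // bulk operations: 1 per 5 minutes
};

function createLimiters(now = () => Date.now(), overrides = {}) {
  const limiters = {};
  for (const [name, def] of Object.entries(DEFAULT_LIMITS)) {
    const cfg = { ...def, ...(overrides[name] || {}) };
    limiters[name] = new SlidingWindowLimiter(cfg.limit, cfg.windowMs, now);
  }
  return limiters;
}

// kind: 'read' | 'execute' | 'bulk'. Every bucket is checked before any is
// charged, so a call refused by one bucket does not burn the others.
function checkLimits(limiters, kind) {
  const buckets = kind === 'read' ? ['api'] : ['api', kind];
  for (const name of buckets) {
    if (!limiters[name]) throw new Error(`unknown operation kind "${kind}"`);
  }
  const t = limiters.api.now();
  for (const name of buckets) {
    const wait = limiters[name].retryAfterMs(t);
    if (wait > 0) return { allowed: false, bucket: name, retryAfterMs: wait };
  }
  for (const name of buckets) limiters[name].record(t);
  return { allowed: true, bucket: null, retryAfterMs: 0 };
}

// Usage: the sixth execution inside one minute is refused with a retry hint
const limiters = createLimiters();
for (let i = 0; i < 6; i++) console.log(checkLimits(limiters, 'execute'));
```

The retryAfterMs value is what a client should sleep before retrying; returning it instead of a bare refusal is what keeps a well-behaved agent from hammering the limiter in a tight loop.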

Best Practices

Security

  1. Never hardcode API keys in code or workflows
  2. Use environment variables or secrets management
  3. Restrict workflow permissions in n8n settings
  4. Enable rate limiting to prevent abuse
  5. Use HTTPS only - enforce encrypted connections

Organization

  1. Name workflows descriptively (e.g., "GitLab CI Trigger" vs "Workflow 1")
  2. Use consistent naming conventions across your organization
  3. Document workflow purposes in description field
  4. Create folder structure in n8n for better organization

Error Handling

  1. Add error nodes to catch and handle failures
  2. Log execution results for debugging
  3. Set up notifications for failed executions
  4. Implement retry logic for transient failures

Testing

  1. Test workflows manually before automation
  2. Use test data in development
  3. Monitor execution logs regularly
  4. Document expected behavior and success criteria

Common Workflows

Webhook to Database

{
  "name": "Webhook → Database",
  "nodes": [
    {
      "type": "n8n-nodes-base.webhook",
      "name": "Webhook",
      "parameters": {
        "httpMethod": "POST",
        "path": "webhook"
      }
    },
    {
      "type": "n8n-nodes-base.httpRequest",
      "name": "Save to Database",
      "parameters": {
        "method": "POST",
        "url": "https://your-api.com/entries",
        "bodyParameters": "={{$json}}"
      }
    }
  ],
  "connections": {
    "Webhook": {
      "main": [[{"node": "Save to Database", "type": "main", "index": 0}]]
    }
  }
}

Scheduled Data Sync

{
  "name": "Scheduled Data Sync",
  "nodes": [
    {
      "type": "n8n-nodes-base.cron",
      "name": "Schedule",
      "parameters": {
        "rule": "every day at 6:00"
      }
    },
    {
      "type": "n8n-nodes-base.httpRequest",
      "name": "Fetch Data",
      "parameters": {
        "method": "GET",
        "url": "https://api.example.com/data"
      }
    },
    {
      "type": "n8n-nodes-base.function",
      "name": "Transform",
      "parameters": {
        "functionCode": "return items.map(item => ({ json: { ...item.json, syncedAt: new Date() } }))"
      }
    },
    {
      "type": "n8n-nodes-base.postgres",
      "name": "Save",
      "parameters": {
        "operation": "insert",
        "table": "synced_data"
      }
    }
  ],
  "connections": {
    "Schedule": {"main": [[{"node": "Fetch Data", "type": "main", "index": 0}]]},
    "Fetch Data": {"main": [[{"node": "Transform", "type": "main", "index": 0}]]},
    "Transform": {"main": [[{"node": "Save", "type": "main", "index": 0}]]}
  }
}

Troubleshooting

Authentication Error

Error: Unauthorized

Solution: Verify API key is correct and has necessary permissions

Workflow Not Found

Error: Workflow not found

Solution: Check workflow ID and ensure workflow exists

Execution Failed

Error: Execution failed

Solution: Check workflow execution logs for node-specific errors

Rate Limit Exceeded

Error: Rate limit exceeded

Solution: Wait for the window to reset and retry, or raise the configured limit if the workload genuinely needs it; these limits are the skill's own, not an n8n plan restriction

Input Validation Error

Error: Invalid URL - Must be HTTPS

Solution: Ensure N8N_URL starts with https://

Quick Start

1. Set Environment Variables (REQUIRED):

# NEVER store these in config files
export N8N_URL="https://your-n8n-instance.com"
export N8N_API_KEY="your-api-key"

2. Set Permission Mode (OPTIONAL):

export N8N_PERMISSION_MODE="readonly"  # recommended for production

3. List workflows:

curl -X GET "$N8N_URL/api/v1/workflows" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

4. Execute a workflow:

curl -X POST "$N8N_URL/api/v1/workflows/YOUR_WORKFLOW_ID/executions" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

5. Start building:

  • Copy workflow examples
  • Modify nodes for your needs
  • Test thoroughly before automation
  • Monitor and iterate

References


Need help? Check N8N community forums or documentation at https://community.n8n.io/

Changelog

v1.1.0 - 2024-04-04 - CRITICAL SECURITY UPDATE

  • ✅ Fixed credential exposure (removed hardcoded API keys from examples)
  • ✅ Removed hardcoded URLs (now configurable via environment variables)
  • ✅ Added input validation (URL format + data sanitization)
  • ✅ Implemented audit logging (complete action trail)
  • ✅ Added rate limiting (configurable limits)
  • ✅ Implemented granular permissions (3 levels: readonly, restricted, full)
  • ✅ Added two-factor confirmation for dangerous operations
  • ✅ Enforced HTTPS only
  • ✅ Updated all documentation with security warnings
  • ✅ Migration guide from v1.0.0

v1.0.0 - Initial release (INSECURE - DO NOT USE)

  • Original version with critical security vulnerabilities
  • ⚠️ DEPRECATED - Please migrate to v1.1.0 or later

Files: 4 total