N8n Integration
by yuyonghao-123 · v0.1.1 · MIT-0
241 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install yuyonghao-n8n-integration
Description
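Implements bidirectional integration between n8n and the OpenClaw Agent, supporting webhook-triggered execution, result callbacks, authentication verification, and observability.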
Usage Guidance
This package does implement an n8n webhook server and agent adapter, but pay attention to these points before installing:
- Manifest vs. reality: The registry declares no required env vars, but the code uses several (N8N_AUTH_TOKEN, WEBHOOK_SECRET, N8N_BASE_URL, N8N_API_KEY, N8N_PORT, N8N_VERBOSE). Treat these as required and supply secure values.
- Token leakage risk: The server will POST results to any callbackUrl provided by a webhook request and it includes the server's auth token in the X-N8N-Token header. Do not allow untrusted parties to control callbackUrl, or modify the code to avoid sending your auth token to external endpoints.
- Verify secrets: Use strong values for N8N_AUTH_TOKEN/WEBHOOK_SECRET and rotate them periodically. In production, run behind HTTPS and firewall rules; avoid binding to 0.0.0.0 on public hosts unless intended.
- Review and harden code: Consider removing or replacing the deprecated npm 'crypto' package (use Node's built-in crypto), validate callback URLs against an allowlist, and avoid sending internal auth headers to external callback endpoints.
- Run in isolation: Start the server in a controlled environment (test VM or container) and review network traffic (e.g. with a web proxy) before deploying to production.
Given the credential handling and manifest inconsistencies, treat this skill as suspicious until the above issues are addressed or clarified by the author.
Capability Analysis
Type: OpenClaw Skill
Name: yuyonghao-n8n-integration
Version: 0.1.1
The skill bundle provides a legitimate integration between OpenClaw and the n8n automation platform. It implements a webhook server (src/webhook-server.js) to receive triggers and an API client (src/n8n-client.js) to interact with n8n workflows, including support for token-based authentication and HMAC signature verification. No evidence of malicious intent, data exfiltration, or prompt injection was found; the code logic is consistent with its stated purpose of workflow automation.
Capability Assessment
Purpose & Capability
The code implements the advertised functionality (webhook server, agent adapter, n8n API client, callbacks, observability). However the registry metadata declares no required environment variables or credentials while both SKILL.md and source code rely on multiple env vars (N8N_AUTH_TOKEN, N8N_PORT, N8N_VERBOSE, N8N_BASE_URL, N8N_API_KEY, WEBHOOK_SECRET). That mismatch is incoherent and could mislead users about what secrets this skill needs.
Instruction Scope
SKILL.md instructs running the webhook server and setting N8N_AUTH_TOKEN; the code follows those instructions. But the server will POST callback data to any callbackUrl provided by a request and includes the server's auth token in the X-N8N-Token header. That means untrusted callbackUrl values can receive a credential from the server — a data-exfiltration risk not highlighted in the documentation. The instructions also do not document WEBHOOK_SECRET or N8N_API_KEY even though the code reads them.
Install Mechanism
There is no formal install spec (instruction-only in registry), but the bundle includes Node.js source and a package-lock.json. Dependencies are from npm (express and transitive packages). No remote arbitrary downloads or non-standard install steps are present. package-lock shows an npm 'crypto' package marked deprecated (the built-in Node crypto should be used) — this is a maintenance/packaging issue but not an immediate remote-download risk.
Credentials
The code expects/uses sensitive environment variables (auth token, API key, webhook secret) and will transmit the auth token as an HTTP header when performing callbacks. Registry metadata lists no required env vars or primary credential, so the manifest understates the privileges and secrets the skill will access and transmit. Request headers and callback behavior increase the sensitivity: if callers control callbackUrl, they can cause the server to send its auth token to arbitrary endpoints.
Persistence & Privilege
The skill does not request always:true and does not attempt to change other skills or system-wide agent configuration. It opens an HTTP server (listening port/host) which is expected for a webhook integration; network exposure is normal but should be considered when choosing host/port and running environment.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install yuyonghao-n8n-integration
- After installation, invoke the skill by name or use /yuyonghao-n8n-integration
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
- Updated dependencies in package.json.
- No user-facing changes; maintenance release.
v0.1.0
n8n-integration v0.1.0
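- Initial release, providing automated integration between the OpenClaw Agent and n8n workflows
- Supports bidirectional triggering and callbacks via webhook
- Integrates the ReAct/Multi-Agent executors, with support for configuring Agent execution
- Provides request authentication and timeout control for improved security and stability
- Built-in observability: logging, metrics, and tracing support
- Includes usage instructions and examples of common integration scenarios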
Frequently Asked Questions
What is N8n Integration?
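It implements bidirectional integration between n8n and the OpenClaw Agent, supporting webhook-triggered execution, result callbacks, authentication verification, and observability. It is an AI Agent Skill for Claude Code / OpenClaw, with 241 downloads so far.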
How do I install N8n Integration?
Run "/install yuyonghao-n8n-integration" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is N8n Integration free?
Yes, N8n Integration is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does N8n Integration support?
N8n Integration is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created N8n Integration?
It is built and maintained by yuyonghao-123 (@yuyonghao-123); the current version is v0.1.1.