← Back to Skills Marketplace

Nodetool

Name: Nodetool
Author: georgi

by georgi · GitHub ↗ · v0.6.3

cross-platform ⚠ suspicious

2724

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install nodetool

Description

Visual AI workflow builder - ComfyUI meets n8n for LLM agents, RAG pipelines, and multimodal data flows. Local-first, open source (AGPL-3.0).

Usage Guidance

What to consider before installing or following this skill's instructions: - Do not blindly run the curl | bash or PowerShell iex install commands. Those execute code fetched at install time; inspect the install.sh / install.ps1 on the GitHub repo first (open the raw file in your browser or clone the repo). Prefer packaged installers or manual installation steps when possible. - The installer supports a non-interactive/silent mode; that can hide prompts and make an install opaque. Avoid using -y / -Yes until you've audited the script. - The SKILL.md shows commands that expose network services (serve --host 0.0.0.0, chat-server, proxy-daemon). If you run these, ensure proper firewalling, authentication, and that you understand which ports will be opened and to whom the service will be accessible. - The doc references auth tokens and a 'settings show' command that can surface secrets. Do not supply high-privilege credentials (cloud keys, DB admin creds) unless you trust the code and have reviewed how those credentials are stored/used. Prefer scoped, minimal-permission tokens. - Model downloads (HuggingFace/Ollama) can pull large artifacts and may require API tokens. Confirm the download URLs and whether the tool uses official model registries. - Confirm the upstream source: SKILL.md references a GitHub repository and the package.json homepage nodetool.ai. Verify those projects/owners (GitHub repo, releases, signers) before installing from them. Check for an official release instead of raw branch installs. - If you want to try it but are not comfortable auditing code, run the installer and service inside an isolated VM, container, or dedicated sandboxed machine with no access to sensitive credentials or internal networks. Given the mix of benign alignment and several operational risks (remote install script, silent install, network-facing services, secret handling) I recommend treating this as suspicious until you or someone you trust audits the referenced installer and repository.

Capability Analysis

Type: OpenClaw Skill Name: nodetool Version: 0.6.3 The `SKILL.md` file instructs the execution of remote scripts via `curl | bash` and `irm | iex` for installation from GitHub (e.g., `https://raw.githubusercontent.com/nodetool-ai/nodetool/refs/heads/main/install.sh`). This presents a significant supply chain risk, as the content of these external scripts is not part of the analyzed bundle and could change, leading to arbitrary code execution. Additionally, the described `nodetool` CLI offers broad system interaction capabilities, including starting network services (`nodetool serve`, `nodetool proxy`), managing local AI model caches, and a command to "View settings and secrets" (`nodetool settings show`), which, while potentially legitimate for its purpose, increases the attack surface. The non-interactive installation mode further exacerbates this risk by skipping user prompts.

Capability Assessment

✓ Purpose & Capability

Name, description, and package.json align with a local-first visual workflow builder that manages models, deployments, and proxies. The listed commands (workflows, models, deploy, proxy, admin) are coherent with that purpose.

⚠ Instruction Scope

SKILL.md contains explicit installation and runtime commands that instruct the user/agent to run remote install scripts (curl | bash and PowerShell iex) and to start network-facing services (serve --host 0.0.0.0, chat-server, proxy-daemon). It also shows handling of auth tokens (examples with --auth-token and stdin JSON containing auth_token) and a 'settings show' command which can surface secrets. Those instructions expand the operational scope (network exposure, secret handling, silent installs) beyond a purely offline helper and could lead to inadvertent execution of remote code or exposure of credentials.

ℹ Install Mechanism

There is no install spec in the skill bundle itself, but SKILL.md recommends installing via raw.githubusercontent.com install scripts piped to shell/PowerShell. GitHub raw URLs are a common/known host, but piping arbitrary remote scripts directly into a shell (curl|bash, iex) is high-risk because it runs unreviewed code and the doc also documents a non-interactive/silent mode (-y / -Yes) that removes prompts. Recommend auditing the referenced install.sh / install.ps1 before running.

ℹ Credentials

The skill declares no required env vars or credentials, which is consistent with an instruction-only skill. However SKILL.md demonstrates passing and showing auth tokens (flags and stdin JSON), downloading models from HuggingFace/Ollama, and managing deployments — all of which commonly require credentials. The lack of declared required env variables is a mild mismatch and means the skill's instructions may prompt for or accept sensitive tokens at runtime without telling you up front.

✓ Persistence & Privilege

Skill metadata does not request always:true and has no special OS or persistence requirements. It's instruction-only and does not declare autonomous elevated privileges. Normal autonomous invocation remains possible (platform default).

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install nodetool
After installation, invoke the skill by name or use /nodetool
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.6.3

Initial release of NodeTool – a versatile visual AI workflow builder. - Combines ComfyUI's node-based design with n8n-inspired automation for local, offline-first development. - Supports creation and execution of LLM agents, RAG pipelines, and multimodal data flows. - CLI commands to manage workflows, assets, models, deployments, jobs, and more. - Seamless installation scripts for Linux, macOS, and Windows with interactive or CI-friendly modes. - Built-in chat interface and web server for interactive or web-based operation. - Open source under AGPL-3.0 license.

Metadata

Slug nodetool

Version 0.6.3

License —

All-time Installs 7

Active Installs 7

Total Versions 1

Frequently Asked Questions

What is Nodetool?

Visual AI workflow builder - ComfyUI meets n8n for LLM agents, RAG pipelines, and multimodal data flows. Local-first, open source (AGPL-3.0). It is an AI Agent Skill for Claude Code / OpenClaw, with 2724 downloads so far.

How do I install Nodetool?

Run "/install nodetool" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Nodetool free?

Yes, Nodetool is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Nodetool support?

Nodetool is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Nodetool?

It is built and maintained by georgi (@georgi); the current version is v0.6.3.

More Skills