← 返回 Skills 市场

N8n Integration

Name: N8n Integration
Author: yuyonghao-123

作者 yuyonghao-123 · GitHub ↗ · v0.1.1 · MIT-0

cross-platform ⚠ suspicious

241

总下载

当前安装

版本数

在 OpenClaw 中安装

/install yuyonghao-n8n-integration

功能描述

实现 n8n 与 OpenClaw Agent 的双向集成，支持Webhook触发执行、结果回调、认证验证及可观测性。

安全使用建议

This package does implement an n8n webhook server and agent adapter, but pay attention to these points before installing: - Manifest vs. reality: The registry declares no required env vars, but the code uses several (N8N_AUTH_TOKEN, WEBHOOK_SECRET, N8N_BASE_URL, N8N_API_KEY, N8N_PORT, N8N_VERBOSE). Treat these as required and supply secure values. - Token leakage risk: The server will POST results to any callbackUrl provided by a webhook request and it includes the server's auth token in the X-N8N-Token header. Do not allow untrusted parties to control callbackUrl, or modify the code to avoid sending your auth token to external endpoints. - Verify secrets: Use strong values for N8N_AUTH_TOKEN/WEBHOOK_SECRET and rotate them periodically. In production, run behind HTTPS and firewall rules; avoid binding to 0.0.0.0 on public hosts unless intended. - Review and harden code: Consider removing or replacing the deprecated npm 'crypto' package (use Node's built-in crypto), validate callback URLs against an allowlist, and avoid sending internal auth headers to external callback endpoints. - Run in isolation: Start the server in a controlled environment (test VM or container) and review network traffic (eg. with a web proxy) before deploying to production. Given the credential handling and manifest inconsistencies, treat this skill as suspicious until the above issues are addressed or clarified by the author.

功能分析

Type: OpenClaw Skill Name: yuyonghao-n8n-integration Version: 0.1.1 The skill bundle provides a legitimate integration between OpenClaw and the n8n automation platform. It implements a webhook server (src/webhook-server.js) to receive triggers and an API client (src/n8n-client.js) to interact with n8n workflows, including support for token-based authentication and HMAC signature verification. No evidence of malicious intent, data exfiltration, or prompt injection was found; the code logic is consistent with its stated purpose of workflow automation.

能力评估

⚠ Purpose & Capability

The code implements the advertised functionality (webhook server, agent adapter, n8n API client, callbacks, observability). However the registry metadata declares no required environment variables or credentials while both SKILL.md and source code rely on multiple env vars (N8N_AUTH_TOKEN, N8N_PORT, N8N_VERBOSE, N8N_BASE_URL, N8N_API_KEY, WEBHOOK_SECRET). That mismatch is incoherent and could mislead users about what secrets this skill needs.

⚠ Instruction Scope

SKILL.md instructs running the webhook server and setting N8N_AUTH_TOKEN; the code follows those instructions. But the server will POST callback data to any callbackUrl provided by a request and includes the server's auth token in the X-N8N-Token header. That means untrusted callbackUrl values can receive a credential from the server — a data-exfiltration risk not highlighted in the documentation. The instructions also do not document WEBHOOK_SECRET or N8N_API_KEY even though the code reads them.

ℹ Install Mechanism

There is no formal install spec (instruction-only in registry), but the bundle includes Node.js source and a package-lock.json. Dependencies are from npm (express and transitive packages). No remote arbitrary downloads or non-standard install steps are present. package-lock shows an npm 'crypto' package marked deprecated (the built-in Node crypto should be used) — this is a maintenance/packaging issue but not an immediate remote-download risk.

⚠ Credentials

The code expects/uses sensitive environment variables (auth token, API key, webhook secret) and will transmit the auth token as an HTTP header when performing callbacks. Registry metadata lists no required env vars or primary credential, so the manifest understates the privileges and secrets the skill will access and transmit. Request headers and callback behavior increase the sensitivity: if callers control callbackUrl, they can cause the server to send its auth token to arbitrary endpoints.

✓ Persistence & Privilege

The skill does not request always:true and does not attempt to change other skills or system-wide agent configuration. It opens an HTTP server (listening port/host) which is expected for a webhook integration; network exposure is normal but should be considered when choosing host/port and running environment.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install yuyonghao-n8n-integration
安装完成后，直接呼叫该 Skill 的名称或使用 /yuyonghao-n8n-integration 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.1

- Updated dependencies in package.json. - No user-facing changes; maintenance release.

v0.1.0

n8n-integration v0.1.0 - 首发版本，提供 OpenClaw Agent 与 n8n 工作流的自动化集成 - 支持通过 webhook 双向触发与回调机制 - 集成 ReAct/Multi-Agent 执行器，支持配置 Agent 执行 - 提供请求认证与超时控制，增强安全性和稳定性 - 内建可观测性: 日志、指标、追踪支持 - 附带使用说明和常见集成场景示例

元数据

Slug yuyonghao-n8n-integration

版本 0.1.1

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 2

常见问题

N8n Integration 是什么？

实现 n8n 与 OpenClaw Agent 的双向集成，支持Webhook触发执行、结果回调、认证验证及可观测性。它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 241 次。

如何安装 N8n Integration？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install yuyonghao-n8n-integration」即可一键安装，无需额外配置。

N8n Integration 是免费的吗？

是的，N8n Integration 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

N8n Integration 支持哪些平台？

N8n Integration 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 N8n Integration？

由 yuyonghao-123（@yuyonghao-123）开发并维护，当前版本 v0.1.1。