N8n Automation Secure
by @nelmaz
Secure n8n workflow automation integration for coding tasks. This skill implements enterprise-grade security with credential isolation, input validation, aud...
clawhub install n8n-automation-secureπ About This Skill
name: n8n-automation-secure description: Secure n8n workflow automation integration for coding tasks. This skill implements enterprise-grade security with credential isolation, input validation, audit logging, rate limiting, and granular permissions. Use when building automated workflows, integrating n8n into development pipelines, executing existing workflows, modifying workflow configurations, or creating new automation solutions. Triggers on phrases like "create n8n workflow", "run n8n workflow", "integrate n8n", "automate with n8n", "modify n8n workflow", "execute workflow". version: "1.0.0" metadata: author: nelson-mazonzika homepage: https://clawhub.ai/nelson-mazonzika/n8n-automation-secure license: MIT openclaw: emoji: π requires: bins: [] env: - N8N_URL - N8N_API_KEY security: level: enterprise features: - credential-isolation - input-validation - audit-logging - rate-limiting - granular-permissions - sandbox-support
N8N Automation Secure
π Security First
This skill implements enterprise-grade security protections:
β οΈ Before Using
CRITICAL SECURITY REQUIREMENTS:
1. Environment Variables MUST be Set:
# NEVER store these in openclaw.json or any config file
export N8N_URL="https://your-n8n-instance.com"
export N8N_API_KEY="your-api-key"
2. First-Time Setup Required:
cd skills/n8n-automation-secure
./scripts/validate-setup.sh
3. HTTPS Only:
Quick Start
1. Configure Environment Variables
# Add to ~/.bashrc or /etc/environment
export N8N_URL=""
export N8N_API_KEY=""Reload shell
source ~/.bashrc
2. Validate Setup
cd /data/.openclaw/workspace/skills/n8n-automation-secure
./scripts/validate-setup.sh
This will:
3. List Workflows (Read-Only)
curl -X GET "$N8N_URL/api/v1/workflows" \
-H "X-N8N-API-KEY: $N8N_API_KEY" \
-H "Content-Type: application/json"
Security Architecture
Credential Management
β NEVER do this:
{
"env": {
"N8N_URL": "https://n8n.example.com", // β INSECURE
"N8N_API_KEY": "secret-key-here" // β CRITICAL SECURITY ISSUE
}
}
β CORRECT approach:
# Set at system level, never in files
export N8N_URL="https://your-n8n.com"
export N8N_API_KEY="your-key"
Permissions System
The skill operates in three permission modes:
| Mode | Read | Execute | Create | Update | Delete | Risk Level |
|-------|------|----------|---------|---------|--------|-------------|
| readonly | β
| β
| β | β | β | π’ LOW |
| restricted | β
| β
| β
* | β
* | β | π‘ MEDIUM |
| full | β
| β
| β
| β
| β
* | π΄ HIGH |
* Requires explicit confirmation for each operation
Default mode: readonly
To change mode:
export N8N_PERMISSION_MODE="full" # DANGEROUS - only for trusted environments
Audit Logging
All actions are logged to:
/data/.openclaw/logs/n8n-audit.log
Log format:
{
"timestamp": "2024-01-15T10:30:45.123Z",
"user": "nelson",
"action": "WORKFLOW_EXECUTE",
"workflowId": "abc123",
"workflowName": "CI Build",
"status": "success",
"ip": "127.0.0.1",
"userAgent": "curl/7.68.0",
"durationMs": 234
}
Review audit logs:
tail -f /data/.openclaw/logs/n8n-audit.log
Rate Limiting
Default limits (configurable):
| Operation | Limit | Window | |-----------|-------|---------| | API requests | 10 | per minute | | Workflow executions | 5 | per minute | | Bulk operations | 1 | per 5 minutes |
Customize limits:
export N8N_RATE_LIMIT="15/minute"
export N8N_EXECUTION_LIMIT="10/minute"
Available Actions
π’ Read-Only Operations (Safe)
#### 1. List Workflows
curl -X GET "$N8N_URL/api/v1/workflows" \
-H "X-N8N-API-KEY: $N8N_API_KEY" \
-H "Content-Type: application/json"
#### 2. Get Workflow Details
curl -X GET "$N8N_URL/api/v1/workflows/{id}" \
-H "X-N8N-API-KEY: $N8N_API_KEY" \
-H "Content-Type: application/json"
#### 3. Get Execution Status
curl -X GET "$N8N_URL/api/v1/executions/{id}" \
-H "X-N8N-API-KEY: $N8N_API_KEY"
#### 4. Get Executions History
curl -X GET "$N8N_URL/api/v1/workflows/{id}/executions?limit=10" \
-H "X-N8N-API-KEY: $N8N_API_KEY"
π‘ Execute Operations (Requires Permission)
#### 5. Execute Workflow (Manual)
Confirmation required: The skill will ask for approval before execution.
# Step 1: Review workflow
curl -X GET "$N8N_URL/api/v1/workflows/{id}" \
-H "X-N8N-API-KEY: $N8N_API_KEY"Step 2: Execute (with confirmation)
curl -X POST "$N8N_URL/api/v1/workflows/{id}/executions" \
-H "X-N8N-API-KEY: $N8N_API_KEY" \
-H "Content-Type: application/json" \
-d '{"data": {"contextData": {}, "manualExecution": true}}'
#### 6. Execute Webhook
curl -X POST "https://your-n8n.com/webhook/{webhook-key}" \
-H "Content-Type: application/json" \
-d '{"data": {"input1": "value1"}}'
π΄ Dangerous Operations (Requires Explicit Confirmation)
β οΈ These operations require TWO confirmations: 1. Display of what will be changed 2. Typing confirmation phrase
#### 7. Clone Workflow
# Step 1: Show what will be cloned
curl -X GET "$N8N_URL/api/v1/workflows/{source-id}" \
-H "X-N8N-API-KEY: $N8N_API_KEY"Step 2: Execute with confirmation
curl -X POST "$N8N_URL/api/v1/workflows/{source-id}/clone" \
-H "X-N8N-API-KEY: $N8N_API_KEY" \
-H "Content-Type: application/json" \
-d '{"name": "Cloned Workflow"}'
#### 8. Update Workflow (PATCH)
# Step 1: Show current state
curl -X GET "$N8N_URL/api/v1/workflows/{id}" \
-H "X-N8N-API-KEY: $N8N_API_KEY"Step 2: Show diff
(Display what will change)
Step 3: Execute with confirmation
curl -X PATCH "$N8N_URL/api/v1/workflows/{id}" \
-H "X-N8N-API-KEY: $N8N_API_KEY" \
-H "Content-Type: application/json" \
-d '{"nodes": [{"parameters": {...}}]}'
#### 9. Delete Workflow
# Step 1: Show workflow details
curl -X GET "$N8N_URL/api/v1/workflows/{id}" \
-H "X-N8N-API-KEY: $N8N_API_KEY"Step 2: Type confirmation
DELETE: Workflow Name - Type "I confirm deletion" to proceed
Step 3: Execute
curl -X DELETE "$N8N_URL/api/v1/workflows/{id}" \
-H "X-N8N-API-KEY: $N8N_API_KEY"
Input Validation
All inputs are validated before API calls:
URL Validation
function validateN8NUrl(url) {
// Must be HTTPS
if (!url.match(/^https:\/\/[a-z0-9.-]+(\.[a-z0-9.-]+)+$/i)) {
throw new Error('Invalid N8N URL. Must be HTTPS and properly formatted.');
} // No credentials in URL
if (url.includes('@') || url.includes(':')) {
throw new Error('URL must not contain credentials');
}
// No query parameters with secrets
if (url.match(/\b(key|token|secret|password)\b/i)) {
throw new Error('URL must not contain secret keywords');
}
return url;
}
Data Sanitization
function sanitizeData(data) {
// Remove sensitive keys
const sensitive = ['password', 'apiKey', 'secret', 'token', 'credential'];
const sanitized = JSON.parse(JSON.stringify(data));
function clean(obj) {
for (const key in obj) {
if (sensitive.some(s => key.toLowerCase().includes(s))) {
obj[key] = '*REDACTED*';
} else if (typeof obj[key] === 'object') {
clean(obj[key]);
}
}
}
clean(sanitized);
return sanitized;
}
Coding Use Cases
Use Case 1: CI/CD Integration (Safe)
# .github/workflows/n8n-trigger.yml
name: Trigger N8N Workflowon:
push:
branches: [main]
jobs:
trigger-n8n:
runs-on: ubuntu-latest
steps:
- name: Trigger N8N workflow
env:
N8N_URL: ${{ secrets.N8N_URL }}
N8N_API_KEY: ${{ secrets.N8N_API_KEY }}
run: |
curl -X POST "$N8N_URL/api/v1/workflows/${{ secrets.N8N_WORKFLOW_ID }}/executions" \
-H "X-N8N-API-KEY: $N8N_API_KEY" \
-H "Content-Type: application/json" \
-d '{"data": {"contextData": {"commitSha": "${{ github.sha }}"}}}'
Use Case 2: Data Processing Pipeline
#!/usr/bin/env python3
import os
import requestsN8N_URL = os.environ.get('N8N_URL')
N8N_API_KEY = os.environ.get('N8N_API_KEY')
def execute_workflow(workflow_id, data):
"""Execute n8n workflow with input validation"""
# Validate inputs
if not N8N_URL or not N8N_API_KEY:
raise ValueError('N8N_URL and N8N_API_KEY environment variables are required')
if not N8N_URL.startswith('https://'):
raise ValueError('N8N_URL must use HTTPS')
# Sanitize data
sanitized_data = sanitize(data)
# Execute
response = requests.post(
f'{N8N_URL}/api/v1/workflows/{workflow_id}/executions',
headers={
'X-N8N-API-KEY': N8N_API_KEY,
'Content-Type': 'application/json'
},
json={'data': {'contextData': sanitized_data}}
)
response.raise_for_status()
return response.json()
def sanitize(data):
"""Remove sensitive data"""
sensitive_keys = ['password', 'apiKey', 'secret', 'token']
# ... sanitization logic
return data
Security Best Practices
1. Environment Variables
β DO:
# Set at system level
export N8N_URL="https://your-n8n.com"
export N8N_API_KEY="your-key"Or in script execution
N8N_URL="https://your-n8n.com" N8N_API_KEY="your-key" ./script.sh
β DON'T:
# Never in config files
export N8N_URL="..." # Saved in ~/.bashrc (risk if compromised)
2. Permission Principle
3. Confirmation Workflow
For dangerous operations: 1. Show exactly what will happen 2. Require typing confirmation phrase 3. Log the action with full details 4. Send notification (if configured)
4. Regular Audits
# Review recent activity
tail -100 /data/.openclaw/logs/n8n-audit.logCheck for suspicious patterns
grep -i "delete\|remove\|dangerous" /data/.openclaw/logs/n8n-audit.logMonitor for errors
grep "error\|failed\|unauthorized" /data/.openclaw/logs/n8n-audit.log
Troubleshooting
Error: Environment Variables Not Set
ERROR: N8N_URL and N8N_API_KEY environment variables are required
Solution:
export N8N_URL="https://your-n8n.com"
export N8N_API_KEY="your-api-key"
Error: Invalid URL
ERROR: Invalid N8N URL. Must be HTTPS and properly formatted.
Solution:
https://Error: Rate Limit Exceeded
ERROR: Rate limit exceeded. Wait before retrying.
Solution:
Error: Permission Denied
ERROR: Operation not permitted in current permission mode.
Solution:
echo $N8N_PERMISSION_MODEexport N8N_PERMISSION_MODE="restricted"Security Checklist
Before using this skill in production, verify:
OpenClaw Integration
Recommended Configuration
{
"agents": {
"n8n-automation": {
"id": "n8n-automation",
"name": "n8n Automation (Secure)",
"skills": ["n8n-automation-secure"],
"sandbox": "require",
"tools": {
"denylist": ["exec", "eval", "shell"]
},
"maxConcurrent": 1
}
}
}
Enable Skill
# Add skill to main agent
openclaw agent add-skill main n8n-automation-secureOr create dedicated agent
openclaw agent create n8n-automation \
--skills n8n-automation-secure \
--sandbox require \
--max-concurrent 1
References
references/security.md - Complete security guidescripts/validate-setup.sh - Setup verificationscripts/audit-logger.sh - Log managementVersion History
License
MIT License - See LICENSE.md for details
Contributing
Security is the top priority. All contributions must: 1. Maintain security guarantees 2. Include audit logging 3. Pass validation checks 4. Update documentation 5. Add tests for security features
Support
references/ directoryβ οΈ IMPORTANT: This skill prioritizes security over convenience. Read-only operations work immediately. Dangerous operations require explicit confirmation and appropriate permission levels.
π‘ Examples
1. Configure Environment Variables
# Add to ~/.bashrc or /etc/environment
export N8N_URL=""
export N8N_API_KEY=""Reload shell
source ~/.bashrc
2. Validate Setup
cd /data/.openclaw/workspace/skills/n8n-automation-secure
./scripts/validate-setup.sh
This will:
3. List Workflows (Read-Only)
curl -X GET "$N8N_URL/api/v1/workflows" \
-H "X-N8N-API-KEY: $N8N_API_KEY" \
-H "Content-Type: application/json"
π Tips & Best Practices
Error: Environment Variables Not Set
ERROR: N8N_URL and N8N_API_KEY environment variables are required
Solution:
export N8N_URL="https://your-n8n.com"
export N8N_API_KEY="your-api-key"
Error: Invalid URL
ERROR: Invalid N8N URL. Must be HTTPS and properly formatted.
Solution:
https://Error: Rate Limit Exceeded
ERROR: Rate limit exceeded. Wait before retrying.
Solution:
Error: Permission Denied
ERROR: Operation not permitted in current permission mode.
Solution:
echo $N8N_PERMISSION_MODEexport N8N_PERMISSION_MODE="restricted"