← 返回
未分类 Key

N8n Automation Secure

Secure n8n workflow automation integration for coding tasks. This skill implements enterprise-grade security with credential isolation, input validation, aud...
nelmaz
未分类 clawhub v1.0.0 100000 Key: 需要
★ 0
Stars
📥 435
下载
💾 0
安装

概述

N8N Automation Secure

🔒 Security First

This skill implements enterprise-grade security protections:

  • Credential Isolation - API keys never stored in config files
  • Input Validation - All endpoints and data sanitized
  • Audit Logging - Complete action trail with timestamps
  • Rate Limiting - Prevents abuse and DoS
  • Granular Permissions - Read-only mode by default
  • Sandbox Support - Isolated execution environment
  • HTTPS Only - Enforces encrypted connections
  • Confirmation Required - Dangerous operations need explicit approval

⚠️ Before Using

CRITICAL SECURITY REQUIREMENTS:

  1. Environment Variables MUST be Set:
  2. # NEVER store these in openclaw.json or any config file
    export N8N_URL="https://your-n8n-instance.com"
    export N8N_API_KEY="your-api-key"
    
  1. First-Time Setup Required:
  2. cd skills/n8n-automation-secure
    ./scripts/validate-setup.sh
    
  1. HTTPS Only:
    • Only HTTPS URLs are accepted
    • Self-signed certificates will be rejected
    • URL validation is enforced on every request

Quick Start

1. Configure Environment Variables

# Add to ~/.bashrc or /etc/environment
export N8N_URL=""
export N8N_API_KEY=""

# Reload shell
source ~/.bashrc

2. Validate Setup

cd /data/.openclaw/workspace/skills/n8n-automation-secure
./scripts/validate-setup.sh

This will:

  • Verify environment variables are set
  • Validate N8N_URL format and HTTPS
  • Test API connectivity
  • Create audit log directory
  • Report any security issues

3. List Workflows (Read-Only)

curl -X GET "$N8N_URL/api/v1/workflows" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json"

Security Architecture

Credential Management

❌ NEVER do this:

{
  "env": {
    "N8N_URL": "https://n8n.example.com",  // ❌ INSECURE
    "N8N_API_KEY": "secret-key-here"         // ❌ CRITICAL SECURITY ISSUE
  }
}

✅ CORRECT approach:

# Set at system level, never in files
export N8N_URL="https://your-n8n.com"
export N8N_API_KEY="your-key"

Permissions System

The skill operates in three permission modes:

ModeReadExecuteCreateUpdateDeleteRisk Level
--------------------------------------------------------------
readonly🟢 LOW
restricted✅*✅*🟡 MEDIUM
full✅*🔴 HIGH
  • Requires explicit confirmation for each operation

Default mode: readonly

To change mode:

export N8N_PERMISSION_MODE="full"  # DANGEROUS - only for trusted environments

Audit Logging

All actions are logged to:

/data/.openclaw/logs/n8n-audit.log

Log format:

{
  "timestamp": "2024-01-15T10:30:45.123Z",
  "user": "nelson",
  "action": "WORKFLOW_EXECUTE",
  "workflowId": "abc123",
  "workflowName": "CI Build",
  "status": "success",
  "ip": "127.0.0.1",
  "userAgent": "curl/7.68.0",
  "durationMs": 234
}

Review audit logs:

tail -f /data/.openclaw/logs/n8n-audit.log

Rate Limiting

Default limits (configurable):

OperationLimitWindow
---------------------------
API requests10per minute
Workflow executions5per minute
Bulk operations1per 5 minutes

Customize limits:

export N8N_RATE_LIMIT="15/minute"
export N8N_EXECUTION_LIMIT="10/minute"

Available Actions

🟢 Read-Only Operations (Safe)

1. List Workflows

curl -X GET "$N8N_URL/api/v1/workflows" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json"

2. Get Workflow Details

curl -X GET "$N8N_URL/api/v1/workflows/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json"

3. Get Execution Status

curl -X GET "$N8N_URL/api/v1/executions/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

4. Get Executions History

curl -X GET "$N8N_URL/api/v1/workflows/{id}/executions?limit=10" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

🟡 Execute Operations (Requires Permission)

5. Execute Workflow (Manual)

Confirmation required: The skill will ask for approval before execution.

# Step 1: Review workflow
curl -X GET "$N8N_URL/api/v1/workflows/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

# Step 2: Execute (with confirmation)
curl -X POST "$N8N_URL/api/v1/workflows/{id}/executions" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"data": {"contextData": {}, "manualExecution": true}}'

6. Execute Webhook

curl -X POST "https://your-n8n.com/webhook/{webhook-key}" \
  -H "Content-Type: application/json" \
  -d '{"data": {"input1": "value1"}}'

🔴 Dangerous Operations (Requires Explicit Confirmation)

⚠️ These operations require TWO confirmations:

  1. Display of what will be changed
  2. Typing confirmation phrase

7. Clone Workflow

# Step 1: Show what will be cloned
curl -X GET "$N8N_URL/api/v1/workflows/{source-id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

# Step 2: Execute with confirmation
curl -X POST "$N8N_URL/api/v1/workflows/{source-id}/clone" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Cloned Workflow"}'

8. Update Workflow (PATCH)

# Step 1: Show current state
curl -X GET "$N8N_URL/api/v1/workflows/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

# Step 2: Show diff
# (Display what will change)

# Step 3: Execute with confirmation
curl -X PATCH "$N8N_URL/api/v1/workflows/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"nodes": [{"parameters": {...}}]}'

9. Delete Workflow

# Step 1: Show workflow details
curl -X GET "$N8N_URL/api/v1/workflows/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

# Step 2: Type confirmation
# DELETE: Workflow Name - Type "I confirm deletion" to proceed

# Step 3: Execute
curl -X DELETE "$N8N_URL/api/v1/workflows/{id}" \
  -H "X-N8N-API-KEY: $N8N_API_KEY"

Input Validation

All inputs are validated before API calls:

URL Validation

function validateN8NUrl(url) {
  // Must be HTTPS
  if (!url.match(/^https:\/\/[a-z0-9.-]+(\.[a-z0-9.-]+)+$/i)) {
    throw new Error('Invalid N8N URL. Must be HTTPS and properly formatted.');
  }

  // No credentials in URL
  if (url.includes('@') || url.includes(':')) {
    throw new Error('URL must not contain credentials');
  }

  // No query parameters with secrets
  if (url.match(/\b(key|token|secret|password)\b/i)) {
    throw new Error('URL must not contain secret keywords');
  }

  return url;
}

Data Sanitization

function sanitizeData(data) {
  // Remove sensitive keys
  const sensitive = ['password', 'apiKey', 'secret', 'token', 'credential'];
  
  const sanitized = JSON.parse(JSON.stringify(data));
  
  function clean(obj) {
    for (const key in obj) {
      if (sensitive.some(s => key.toLowerCase().includes(s))) {
        obj[key] = '***REDACTED***';
      } else if (typeof obj[key] === 'object') {
        clean(obj[key]);
      }
    }
  }
  
  clean(sanitized);
  return sanitized;
}

Coding Use Cases

Use Case 1: CI/CD Integration (Safe)

# .github/workflows/n8n-trigger.yml
name: Trigger N8N Workflow

on:
  push:
    branches: [main]

jobs:
  trigger-n8n:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger N8N workflow
        env:
          N8N_URL: ${{ secrets.N8N_URL }}
          N8N_API_KEY: ${{ secrets.N8N_API_KEY }}
        run: |
          curl -X POST "$N8N_URL/api/v1/workflows/${{ secrets.N8N_WORKFLOW_ID }}/executions" \
                -H "X-N8N-API-KEY: $N8N_API_KEY" \
                -H "Content-Type: application/json" \
                -d '{"data": {"contextData": {"commitSha": "${{ github.sha }}"}}}'

Use Case 2: Data Processing Pipeline

#!/usr/bin/env python3
import os
import requests

N8N_URL = os.environ.get('N8N_URL')
N8N_API_KEY = os.environ.get('N8N_API_KEY')

def execute_workflow(workflow_id, data):
    """Execute n8n workflow with input validation"""
    
    # Validate inputs
    if not N8N_URL or not N8N_API_KEY:
        raise ValueError('N8N_URL and N8N_API_KEY environment variables are required')
    
    if not N8N_URL.startswith('https://'):
        raise ValueError('N8N_URL must use HTTPS')
    
    # Sanitize data
    sanitized_data = sanitize(data)
    
    # Execute
    response = requests.post(
        f'{N8N_URL}/api/v1/workflows/{workflow_id}/executions',
        headers={
            'X-N8N-API-KEY': N8N_API_KEY,
            'Content-Type': 'application/json'
        },
        json={'data': {'contextData': sanitized_data}}
    )
    
    response.raise_for_status()
    return response.json()

def sanitize(data):
    """Remove sensitive data"""
    sensitive_keys = ['password', 'apiKey', 'secret', 'token']
    # ... sanitization logic
    return data

Security Best Practices

1. Environment Variables

DO:

# Set at system level
export N8N_URL="https://your-n8n.com"
export N8N_API_KEY="your-key"

# Or in script execution
N8N_URL="https://your-n8n.com" N8N_API_KEY="your-key" ./script.sh

DON'T:

# Never in config files
export N8N_URL="..."  # Saved in ~/.bashrc (risk if compromised)

2. Permission Principle

  • Use readonly mode by default
  • Only switch to restricted when necessary
  • Use full mode only in isolated environments
  • Review audit logs regularly

3. Confirmation Workflow

For dangerous operations:

  1. Show exactly what will happen
  2. Require typing confirmation phrase
  3. Log the action with full details
  4. Send notification (if configured)

4. Regular Audits

# Review recent activity
tail -100 /data/.openclaw/logs/n8n-audit.log

# Check for suspicious patterns
grep -i "delete\|remove\|dangerous" /data/.openclaw/logs/n8n-audit.log

# Monitor for errors
grep "error\|failed\|unauthorized" /data/.openclaw/logs/n8n-audit.log

Troubleshooting

Error: Environment Variables Not Set

ERROR: N8N_URL and N8N_API_KEY environment variables are required

Solution:

export N8N_URL="https://your-n8n.com"
export N8N_API_KEY="your-api-key"

Error: Invalid URL

ERROR: Invalid N8N URL. Must be HTTPS and properly formatted.

Solution:

  • Ensure URL starts with https://
  • No credentials in URL
  • No query parameters with secrets

Error: Rate Limit Exceeded

ERROR: Rate limit exceeded. Wait before retrying.

Solution:

  • Wait for the rate limit window to reset
  • Adjust rate limit configuration
  • Check audit logs for activity patterns

Error: Permission Denied

ERROR: Operation not permitted in current permission mode.

Solution:

  • Check current permission mode: echo $N8N_PERMISSION_MODE
  • Switch mode if necessary: export N8N_PERMISSION_MODE="restricted"

Security Checklist

Before using this skill in production, verify:

  • [ ] Environment variables are set at system level
  • [ ] N8N_URL uses HTTPS only
  • [ ] N8N_API_KEY is not stored in any file
  • [ ] Permission mode is set appropriately
  • [ ] Audit logging is enabled and working
  • [ ] Rate limiting is configured
  • [ ] First-time setup validation passed
  • [ ] Sandbox mode is enabled in OpenClaw (if applicable)
  • [ ] Dangerous operations require confirmation
  • [ ] Regular audit reviews are scheduled

OpenClaw Integration

Recommended Configuration

{
  "agents": {
    "n8n-automation": {
      "id": "n8n-automation",
      "name": "n8n Automation (Secure)",
      "skills": ["n8n-automation-secure"],
      "sandbox": "require",
      "tools": {
        "denylist": ["exec", "eval", "shell"]
      },
      "maxConcurrent": 1
    }
  }
}

Enable Skill

# Add skill to main agent
openclaw agent add-skill main n8n-automation-secure

# Or create dedicated agent
openclaw agent create n8n-automation \
  --skills n8n-automation-secure \
  --sandbox require \
  --max-concurrent 1

References

  • Documentation: references/security.md - Complete security guide
  • Validation Script: scripts/validate-setup.sh - Setup verification
  • Audit Logger: scripts/audit-logger.sh - Log management
  • N8N API Docs: https://docs.n8n.io/api/
  • OpenClaw Security: https://docs.openclaw.ai/security

Version History

  • 1.0.0 (2024-04-04)
  • Initial secure release
  • Credential isolation
  • Input validation
  • Audit logging
  • Rate limiting
  • Granular permissions

License

MIT License - See LICENSE.md for details

Contributing

Security is the top priority. All contributions must:

  1. Maintain security guarantees
  2. Include audit logging
  3. Pass validation checks
  4. Update documentation
  5. Add tests for security features

Support

  • Security Issues: Report immediately via private channels
  • Issues: https://github.com/[your-repo]/issues
  • Documentation: references/ directory

⚠️ IMPORTANT: This skill prioritizes security over convenience. Read-only operations work immediately. Dangerous operations require explicit confirmation and appropriate permission levels.

版本历史

共 1 个版本

  • v1.0.0 当前
    2026-05-03 08:29 安全 安全

安全检测

暂无安全检测报告