OpenClaw ↔ n8n Orchestrator

Build secure, auditable bridges between OpenClaw autonomous agents and n8n deterministic workflows. This skill generates production-ready OpenClaw skill directories (SKILL.md + scripts) that route all external API interactions through n8n's locked, credentialed pipelines.

---

Why Route Through n8n

OpenClaw's exec tool grants the LLM shell-level access. Every API key stored in .env or skill files becomes an attack vector — leakable through hallucination, prompt injection, or plaintext logging. The proxy orchestration pattern eliminates this:

• - The agent never touches external API credentials
• All external calls route through n8n webhooks with locked, encrypted credentials
• Every agent-triggered action appears as an inspectable node graph (black-box → glass-box)
• Deterministic loops run at zero token cost in n8n

---

Mode Detection

Mode 1: Egress (OpenClaw → n8n)

User says: "trigger n8n workflow," "create webhook skill," "call n8n from openclaw" → Generate an OpenClaw skill directory that triggers n8n webhooks

Mode 2: Ingress (n8n → OpenClaw)

User says: "push data to openclaw," "n8n response to agent," "gateway API" → Configure n8n HTTP Request nodes to POST to the Gateway /v1/responses endpoint

Mode 3: Bidirectional (Proxy Pattern)

User says: "round trip," "full integration," "proxy pattern," "credential isolation" → Complete egress + ingress loop with air-gap credential provisioning

Mode 4: n8n-claw Architecture

User says: "rebuild agent in n8n," "n8n-claw," "supabase memory" → Read references/n8n-claw-architecture.md

Mode 5: Publish to ClawHub

User says: "publish skill," "clawhub," "package for registry" → Read references/publishing.md

---

Generating OpenClaw Skill Directories (Egress)

When building an OpenClaw skill that triggers n8n, generate a complete skill directory — not a loose file. OpenClaw skills are directories containing a SKILL.md with YAML frontmatter.

Required Directory Structure

CODEBLOCK0

SKILL.md Template

Every generated SKILL.md must follow this exact structure:

CODEBLOCK1

Critical YAML rules:

• - description is the only trigger mechanism. The LLM cannot see the Markdown body until after it selects the skill. Pack ALL trigger heuristics into this single string.
• Use metadata.clawdbot namespace — NOT metadata.openclaw (the registry ignores the legacy namespace).
• Use requires.env (singular) — NOT requires.envs (causes parse validation errors).
• No multi-line strings or YAML block scalars. The parser expects single-line values or valid arrays only.
• Declare files: ["scripts/*"] — omitting this causes ClawHub security scanners to flag the skill as suspicious.

Markdown Body Structure

Below the frontmatter, write instructions the LLM will follow. Include these mandatory transparency sections for ClawHub compliance:

CODEBLOCK2

Trigger Script Template

Every webhook trigger script MUST include:

1. 1. set -euo pipefail (non-negotiable — prevents silent failures)
2. Security Manifest Header
3. Input sanitization via INLINECODE11
4. INLINECODE12 or pre-encoded payloads (never raw string interpolation)

CODEBLOCK3

Native MCP Tool Alternative

For simple webhook calls, prefer OpenClaw's built-in exec tool with a Node.js one-liner over shell scripts. Node.js avoids shell expansion vulnerabilities entirely:

CODEBLOCK4

Node.js is preferred because OpenClaw requires Node.js 22+ — it's always available. No dependencies, no shell injection surface.

---

Ingress: n8n → OpenClaw Gateway

The Gateway /v1/responses endpoint is disabled by default.

Enable the Endpoint

Edit openclaw.json:
CODEBLOCK5

n8n HTTP Request Node Configuration

Parameter	Value	Why
Method	POST	Standard transmission
URL

http://{gateway-host}:18789/v1/responses | OpenResponses ingress | | Authorization | Bearer {token} | Gateway auth | | Content-Type | application/json | JSON parsing | | timeout_seconds | 0 | MANDATORY — prevents infinite echo loop |

The echo loop problem: Without timeout_seconds: 0, the Gateway event bus reverberates the payload back into the session, causing the LLM to hallucinate an infinite dialogue with its own data. This destroys the 64k token context window and burns API costs exponentially.

Ingress Payload

CODEBLOCK6

The user string routes to a stable session. Use consistent patterns: n8n-workflow-{id} for per-workflow sessions, n8n-global for shared.

→ Full Gateway API spec, WebSocket protocol, telemetry codes: references/gateway-api.md

---

Proxy Orchestration Lifecycle

CODEBLOCK7

Air-Gap Credential Provisioning

After the agent generates the workflow structure:

1. 1. Human logs into n8n UI
2. Provisions API keys into n8n's encrypted credential store
3. Binds credentials to nodes
4. Locks the workflow — agent cannot alter it
5. Agent only sends webhook payloads from this point

→ Security deep-dive, ClawHavoc analysis, safeguard nodes: references/security.md

---

System Hardening

Gateway Hardening (Critical)

Configure exec tool approval in openclaw.json:
CODEBLOCK8

With approval: true, every shell command requires human confirmation. This prevents a prompt-injected agent from executing arbitrary code.

soul.md Guardrails

Add to the agent's soul.md:
CODEBLOCK9

Multi-Model Routing for Cost Optimization

Configure OpenRouter in openclaw.json to route mundane webhook formatting to cheap models (GPT-4o Mini, Claude 3.5 Haiku) and reserve expensive models for complex reasoning:

CODEBLOCK10

This reduces API costs by ~70% for repetitive webhook orchestration tasks.

---

Scaling: The SkillPointer Pattern

When managing many n8n webhook skills (20+), loading all skill metadata at startup wastes tokens. Use the SkillPointer pattern:

1. 1. Move individual webhook skills to a vault directory outside the agent's scan path:

INLINECODE29

1. 2. Create a single lightweight pointer skill in the active directory:

CODEBLOCK11

1. 3. The agent dynamically discovers skills via filesystem traversal at runtime

This reduces startup token consumption from ~8,000 tokens (40 webhook skills × 200 tokens each) to ~200 tokens (one pointer), while maintaining access to every skill.

---

Deployment

→ Docker Compose templates, network topologies, environment variables: references/deployment.md

Quick reference: OpenClaw Gateway defaults to port 18789, n8n to 5678. Never bind the Gateway to public interfaces. Use SSH tunnels or Tailscale for cross-network ingress.

---

Failure Mode Reference

Egress

Symptom	Cause	Fix
401 from webhook	Secret mismatch	Verify N8N_WEBHOOK_SECRET matches n8n Header Auth credential
404 from webhook

Inactive workflow or wrong path | Activate workflow; verify naming convention |

| Connection refused | Network unreachable | Check topology, ports, firewall | | Trigger script hangs | Missing set -euo pipefail | Add strict error handling; ensure no interactive prompts | | Shell injection | Raw input interpolation | Use urllib.parse.quote or Node.js (no shell expansion) |

Ingress

Symptom	Cause	Fix
403 from Gateway	Token mismatch	Verify INLINECODE33
Infinite echo loop

Missing timeout_seconds: 0 | Add immediately |

| Session not found | Inconsistent user string | Use stable pattern: n8n-workflow-{id} | | DEVICE_AUTH_SIGNATURE_EXPIRED | Clock skew | Sync NTP across hosts | | Skill not loading | Invalid YAML frontmatter | Check for multi-line strings; validate with openclaw skills status |

---

Quick Start Checklist

Egress only:

• - [ ] OpenClaw running (Node.js 22+) with workspace/skill/ directory
• [ ] n8n running with webhook endpoint reachable
• [ ] Webhook secret generated: INLINECODE39
• [ ] Skill directory created with SKILL.md (YAML frontmatter) + scripts/trigger.sh
• [ ] N8N_WEBHOOK_URL and N8N_WEBHOOK_SECRET set in INLINECODE42
• [ ] requires.env and requires.bins declared in YAML frontmatter
• [ ] files: ["scripts/*"] declared in frontmatter
• [ ] Security Manifest Header in trigger.sh
• [ ] set -euo pipefail in trigger.sh
• [ ] Input sanitization via urllib.parse.quote or Node.js
• [ ] n8n workflow created, validated, activated with Header Auth credential
• [ ] Test with manual curl before agent triggers

Add bidirectional:

• - [ ] Gateway /v1/responses enabled in INLINECODE50
• [ ] exec.approval: true configured in gateway
• [ ] soul.md guardrails written
• [ ] timeout_seconds: 0 in all ingress payloads
• [ ] SSH tunnel or Tailscale for cross-network Gateway access

---

Reference Files

• - references/deployment.md — Docker Compose, topologies, env vars
• references/gateway-api.md — Gateway endpoints, WebSocket protocol, payload schemas, telemetry codes
• references/security.md — Proxy pattern, ClawHavoc analysis, credential isolation, safeguard nodes, shell injection mitigation
• references/n8n-claw-architecture.md — n8n-claw paradigm: Supabase schema, RAG pipeline, MCP Builder, Telegram interface
• references/publishing.md — ClawHub publishing pipeline, clawhub CLI, security scan requirements, version management