feat: Add 7 n8n workflow automation skills #258
Conversation
Added comprehensive n8n workflow automation skills from czlonkowski/n8n-skills: Skills added: - n8n-code-javascript: Write JavaScript in n8n Code nodes - n8n-code-python: Write Python in n8n Code nodes - n8n-expression-syntax: Validate n8n expressions and fix errors - n8n-mcp-tools-expert: Expert guide for using n8n-mcp MCP tools - n8n-node-configuration: Operation-aware node configuration - n8n-validation-expert: Interpret validation errors and fix them - n8n-workflow-patterns: Proven workflow patterns from real n8n workflows All skills work together to help build production-ready n8n workflows using the n8n-mcp MCP server. Source: https://github.com/czlonkowski/n8n-skills License: MIT (Romuald Członkowski, 2025)
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
15 issues found across 38 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="cli-tool/components/skills/workflow-automation/n8n/n8n-expression-syntax/README.md">
<violation number="1" location="cli-tool/components/skills/workflow-automation/n8n/n8n-expression-syntax/README.md:22">
P3: File count documentation is inconsistent. The stated '~450 lines total' contradicts the individual file line counts listed later (285 + 380 + 450 = 1,115 lines). Consider updating to reflect actual total.</violation>
</file>
<file name="cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/STANDARD_LIBRARY.md">
<violation number="1" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/STANDARD_LIBRARY.md:469">
P2: The password hashing example uses plain SHA256 without a salt, which is insecure for password storage. The comment "more secure than MD5" could mislead users into thinking this is appropriate for passwords. Consider either: (1) changing the example to hash non-sensitive data like a document checksum, or (2) adding a clear warning that SHA256 alone is not suitable for password storage and that dedicated libraries (bcrypt, etc.) should be used.</violation>
</file>
<file name="cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/SKILL.md">
<violation number="1" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/SKILL.md:30">
P2: Quick Start template uses `datetime.now()` without showing the required import. Add `from datetime import datetime` to make the template complete and runnable.</violation>
<violation number="2" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/SKILL.md:420">
P2: Regex character class `[A-Z|a-z]` contains a literal pipe character instead of alternation. Inside `[]`, the `|` is matched literally. Use `[A-Za-z]` instead.</violation>
</file>
<file name="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/DATA_ACCESS.md">
<violation number="1" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/DATA_ACCESS.md:629">
P2: Typo in example code: `input.first()` should be `$input.first()` (missing `$` prefix). This would cause a ReferenceError if copied.</violation>
</file>
<file name="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/BUILTIN_FUNCTIONS.md">
<violation number="1" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/BUILTIN_FUNCTIONS.md:182">
P2: Inconsistent with documented behavior: This example accesses `response.statusCode` and `response.body`, but without `resolveWithFullResponse: true`, the response is just the body content (per lines 48-50 and the "Full Response Access" section). Add `resolveWithFullResponse: true` to make this example work correctly.</violation>
</file>
<file name="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/COMMON_PATTERNS.md">
<violation number="1" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/COMMON_PATTERNS.md:926">
P2: Division by zero when `topChunks` is empty will result in `NaN`. Consider adding a guard: `topChunks.length ? ... / topChunks.length : 0`.</violation>
<violation number="2" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/COMMON_PATTERNS.md:1039">
P2: Division by zero when `allItems` is empty will result in `NaN`. Consider adding a guard: `allItems.length ? ... / allItems.length : 0`.</violation>
</file>
<file name="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/ERROR_PATTERNS.md">
<violation number="1" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/ERROR_PATTERNS.md:392">
P2: This documentation is factually incorrect. Single quotes do NOT break double-quoted strings in JavaScript. `"It's a nice day"` is perfectly valid code - single quotes only need escaping inside single-quoted strings.</violation>
<violation number="2" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/ERROR_PATTERNS.md:421">
P1: This regex 'fix' is incorrect and changes the semantics. `/\{(\w+)\}/` correctly matches `{word}` patterns. `/\\{(\\w+)\\}/` matches literal backslashes before braces, which is different behavior entirely.</violation>
<violation number="3" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/ERROR_PATTERNS.md:436">
P2: Incorrect backslash escaping. `\\\\` produces two backslashes in output, not one. To get `C:\Users\Documents\file.txt`, use `"C:\\Users\\Documents\\file.txt"` (two backslashes per separator, not four).</violation>
</file>
<file name="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/SKILL.md">
<violation number="1" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/SKILL.md:62">
P2: Example code has potential division by zero when calculating average on empty array, resulting in `NaN`. Consider adding a guard: `average: allItems.length ? total / allItems.length : 0`. This also ensures the example follows the best practices recommended later in this same document.</violation>
</file>
<file name="cli-tool/components/skills/workflow-automation/n8n/n8n-expression-syntax/EXAMPLES.md">
<violation number="1" location="cli-tool/components/skills/workflow-automation/n8n/n8n-expression-syntax/EXAMPLES.md:87">
P1: SQL injection vulnerability in example. Direct string interpolation into SQL teaches an insecure pattern. Consider using parameterized queries or add a security warning. Example: `$1, $2, $3` placeholders with values array, or at minimum note that this pattern is unsafe for untrusted input.</violation>
</file>
<file name="cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/ERROR_PATTERNS.md">
<violation number="1" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/ERROR_PATTERNS.md:508">
P2: Inconsistent variable name `_json` is not defined in any example. The document consistently uses `_input.first()["json"]` pattern elsewhere, but the checklist references `_json["body"]`. Consider changing to `_input.first()["json"].get("body", {})` for consistency.</violation>
<violation number="2" location="cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/ERROR_PATTERNS.md:566">
P2: Bare `except:` clause catches all exceptions including SystemExit and KeyboardInterrupt. Consider using `except Exception:` or catching specific exceptions like `except (AttributeError, TypeError):` to follow Python best practices.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
|
|
||
| ```javascript | ||
| // ✅ CORRECT: Escape regex properly | ||
| const pattern = /\\{(\\w+)\\}/; |
There was a problem hiding this comment.
P1: This regex 'fix' is incorrect and changes the semantics. /\{(\w+)\}/ correctly matches {word} patterns. /\\{(\\w+)\\}/ matches literal backslashes before braces, which is different behavior entirely.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/ERROR_PATTERNS.md, line 421:
<comment>This regex 'fix' is incorrect and changes the semantics. `/\{(\w+)\}/` correctly matches `{word}` patterns. `/\\{(\\w+)\\}/` matches literal backslashes before braces, which is different behavior entirely.</comment>
<file context>
@@ -0,0 +1,763 @@
+
+```javascript
+// ✅ CORRECT: Escape regex properly
+const pattern = /\\{(\\w+)\\}/;
+```
+
</file context>
| const pattern = /\\{(\\w+)\\}/; | |
| const pattern = /\{(\w+)\}/; // Matches {word} - valid regex, escaping may be needed when storing as JSON string |
| INSERT INTO users (user_id, name, email, role, synced_at) | ||
| VALUES ( | ||
| {{$json.data.users[0].id}}, | ||
| '{{$json.data.users[0].name}}', |
There was a problem hiding this comment.
P1: SQL injection vulnerability in example. Direct string interpolation into SQL teaches an insecure pattern. Consider using parameterized queries or add a security warning. Example: $1, $2, $3 placeholders with values array, or at minimum note that this pattern is unsafe for untrusted input.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/skills/workflow-automation/n8n/n8n-expression-syntax/EXAMPLES.md, line 87:
<comment>SQL injection vulnerability in example. Direct string interpolation into SQL teaches an insecure pattern. Consider using parameterized queries or add a security warning. Example: `$1, $2, $3` placeholders with values array, or at minimum note that this pattern is unsafe for untrusted input.</comment>
<file context>
@@ -0,0 +1,483 @@
+INSERT INTO users (user_id, name, email, role, synced_at)
+VALUES (
+ {{$json.data.users[0].id}},
+ '{{$json.data.users[0].name}}',
+ '{{$json.data.users[0].email}}',
+ '{{$json.data.users[0].role}}',
</file context>
| data = _input.first()["json"]["body"] | ||
| text = data.get("password", "") | ||
|
|
||
| # Generate SHA256 hash (more secure than MD5) |
There was a problem hiding this comment.
P2: The password hashing example uses plain SHA256 without a salt, which is insecure for password storage. The comment "more secure than MD5" could mislead users into thinking this is appropriate for passwords. Consider either: (1) changing the example to hash non-sensitive data like a document checksum, or (2) adding a clear warning that SHA256 alone is not suitable for password storage and that dedicated libraries (bcrypt, etc.) should be used.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/STANDARD_LIBRARY.md, line 469:
<comment>The password hashing example uses plain SHA256 without a salt, which is insecure for password storage. The comment "more secure than MD5" could mislead users into thinking this is appropriate for passwords. Consider either: (1) changing the example to hash non-sensitive data like a document checksum, or (2) adding a clear warning that SHA256 alone is not suitable for password storage and that dedicated libraries (bcrypt, etc.) should be used.</comment>
<file context>
@@ -0,0 +1,974 @@
+data = _input.first()["json"]["body"]
+text = data.get("password", "")
+
+# Generate SHA256 hash (more secure than MD5)
+sha256_hash = hashlib.sha256(text.encode('utf-8')).hexdigest()
+
</file context>
| # Generate SHA256 hash (more secure than MD5) | |
| # Generate SHA256 hash | |
| # ⚠️ NOTE: Plain SHA256 is NOT secure for password storage! | |
| # For passwords, use dedicated libraries like bcrypt or argon2 with salts. | |
| # This example is only for demonstration of hashlib API usage. |
| ## Quick Start | ||
|
|
||
| ```python | ||
| # Basic template for Python Code nodes |
There was a problem hiding this comment.
P2: Quick Start template uses datetime.now() without showing the required import. Add from datetime import datetime to make the template complete and runnable.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/SKILL.md, line 30:
<comment>Quick Start template uses `datetime.now()` without showing the required import. Add `from datetime import datetime` to make the template complete and runnable.</comment>
<file context>
@@ -0,0 +1,748 @@
+## Quick Start
+
+```python
+# Basic template for Python Code nodes
+items = _input.all()
+
</file context>
| # Basic template for Python Code nodes | |
| # Basic template for Python Code nodes | |
| from datetime import datetime | |
| import re | ||
|
|
||
| items = _input.all() | ||
| email_pattern = r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b' |
There was a problem hiding this comment.
P2: Regex character class [A-Z|a-z] contains a literal pipe character instead of alternation. Inside [], the | is matched literally. Use [A-Za-z] instead.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/SKILL.md, line 420:
<comment>Regex character class `[A-Z|a-z]` contains a literal pipe character instead of alternation. Inside `[]`, the `|` is matched literally. Use `[A-Za-z]` instead.</comment>
<file context>
@@ -0,0 +1,748 @@
+import re
+
+items = _input.all()
+email_pattern = r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'
+
+all_emails = []
</file context>
| email_pattern = r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b' | |
| email_pattern = r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b' |
|
|
||
| ```javascript | ||
| // ✅ CORRECT: Escape backslashes | ||
| const path = "C:\\\\Users\\\\Documents\\\\file.txt"; |
There was a problem hiding this comment.
P2: Incorrect backslash escaping. \\\\ produces two backslashes in output, not one. To get C:\Users\Documents\file.txt, use "C:\\Users\\Documents\\file.txt" (two backslashes per separator, not four).
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/ERROR_PATTERNS.md, line 436:
<comment>Incorrect backslash escaping. `\\\\` produces two backslashes in output, not one. To get `C:\Users\Documents\file.txt`, use `"C:\\Users\\Documents\\file.txt"` (two backslashes per separator, not four).</comment>
<file context>
@@ -0,0 +1,763 @@
+
+```javascript
+// ✅ CORRECT: Escape backslashes
+const path = "C:\\\\Users\\\\Documents\\\\file.txt";
+```
+
</file context>
| const path = "C:\\\\Users\\\\Documents\\\\file.txt"; | |
| const path = "C:\\Users\\Documents\\file.txt"; |
| json: { | ||
| total, | ||
| count: allItems.length, | ||
| average: total / allItems.length |
There was a problem hiding this comment.
P2: Example code has potential division by zero when calculating average on empty array, resulting in NaN. Consider adding a guard: average: allItems.length ? total / allItems.length : 0. This also ensures the example follows the best practices recommended later in this same document.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/skills/workflow-automation/n8n/n8n-code-javascript/SKILL.md, line 62:
<comment>Example code has potential division by zero when calculating average on empty array, resulting in `NaN`. Consider adding a guard: `average: allItems.length ? total / allItems.length : 0`. This also ensures the example follows the best practices recommended later in this same document.</comment>
<file context>
@@ -0,0 +1,699 @@
+ json: {
+ total,
+ count: allItems.length,
+ average: total / allItems.length
+ }
+}];
</file context>
| average: total / allItems.length | |
| average: allItems.length ? total / allItems.length : 0 |
| current = _input.item | ||
| if current: | ||
| return [{"json": current["json"]}] | ||
| except: |
There was a problem hiding this comment.
P2: Bare except: clause catches all exceptions including SystemExit and KeyboardInterrupt. Consider using except Exception: or catching specific exceptions like except (AttributeError, TypeError): to follow Python best practices.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/ERROR_PATTERNS.md, line 566:
<comment>Bare `except:` clause catches all exceptions including SystemExit and KeyboardInterrupt. Consider using `except Exception:` or catching specific exceptions like `except (AttributeError, TypeError):` to follow Python best practices.</comment>
<file context>
@@ -0,0 +1,601 @@
+ current = _input.item
+ if current:
+ return [{"json": current["json"]}]
+except:
+ pass
+
</file context>
| except: | |
| except Exception: |
| - [ ] **Correct format**: Returns `[{"json": {...}}]` (array with "json" key) | ||
| - [ ] **Safe dictionary access**: Uses `.get()` instead of `[]` for dictionaries | ||
| - [ ] **Safe list access**: Checks length before indexing or uses slicing | ||
| - [ ] **Webhook body access**: Accesses webhook data via `_json["body"]` |
There was a problem hiding this comment.
P2: Inconsistent variable name _json is not defined in any example. The document consistently uses _input.first()["json"] pattern elsewhere, but the checklist references _json["body"]. Consider changing to _input.first()["json"].get("body", {}) for consistency.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/skills/workflow-automation/n8n/n8n-code-python/ERROR_PATTERNS.md, line 508:
<comment>Inconsistent variable name `_json` is not defined in any example. The document consistently uses `_input.first()["json"]` pattern elsewhere, but the checklist references `_json["body"]`. Consider changing to `_input.first()["json"].get("body", {})` for consistency.</comment>
<file context>
@@ -0,0 +1,601 @@
+- [ ] **Correct format**: Returns `[{"json": {...}}]` (array with "json" key)
+- [ ] **Safe dictionary access**: Uses `.get()` instead of `[]` for dictionaries
+- [ ] **Safe list access**: Checks length before indexing or uses slicing
+- [ ] **Webhook body access**: Accesses webhook data via `_json["body"]`
+- [ ] **No None returns**: Returns empty array `[]` instead of `None`
+- [ ] **Mode awareness**: Uses `_input.all()`, `_input.first()`, or `_input.item` appropriately
</file context>
| - [ ] **Webhook body access**: Accesses webhook data via `_json["body"]` | |
| - [ ] **Webhook body access**: Accesses webhook data via `_input.first()["json"].get("body", {})` |
|
|
||
| ## File Count | ||
|
|
||
| 4 files, ~450 lines total |
There was a problem hiding this comment.
P3: File count documentation is inconsistent. The stated '~450 lines total' contradicts the individual file line counts listed later (285 + 380 + 450 = 1,115 lines). Consider updating to reflect actual total.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/skills/workflow-automation/n8n/n8n-expression-syntax/README.md, line 22:
<comment>File count documentation is inconsistent. The stated '~450 lines total' contradicts the individual file line counts listed later (285 + 380 + 450 = 1,115 lines). Consider updating to reflect actual total.</comment>
<file context>
@@ -0,0 +1,93 @@
+
+## File Count
+
+4 files, ~450 lines total
+
+## Dependencies
</file context>
Added comprehensive n8n workflow automation skills from czlonkowski/n8n-skills:
Skills added:
All skills work together to help build production-ready n8n workflows
using the n8n-mcp MCP server.
Source: https://github.com/czlonkowski/n8n-skills
License: MIT (Romuald Członkowski, 2025)
Summary by cubic
Adds seven n8n workflow automation skills to help build, validate, and configure production-ready workflows with the n8n-mcp server. Covers code nodes (JavaScript/Python), expressions, node configuration, validation, MCP tools, and workflow patterns.
New Features
Dependencies
Written for commit 2ee6f3b. Summary will update on new commits.