n8n-development
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill recommends installing a third-party tool 'n8n-cli' via a piped shell script ('curl | sh') from 'raw.github.com/edenreich', which is an untrusted third-party source. This pattern allows for arbitrary remote code execution.
- [EXTERNAL_DOWNLOADS]: Fetches installation scripts from an unverified third-party GitHub repository ('edenreich/n8n-cli'). While references to the official 'n8nio/n8n' Docker image are documented as part of the service's normal operation, the community-maintained tool lacks established trust.
- [COMMAND_EXECUTION]: The skill instructions involve executing powerful system commands including 'docker exec', 'docker compose', and 'uv run', which provide extensive control over the host environment and containerized services.
- [PROMPT_INJECTION]: Indirect prompt injection surface identified. 1. Ingestion points: Reads n8n workflow JSON files from 'nathan/workflows/'. 2. Boundary markers: No markers or instructions to ignore embedded commands are present. 3. Capability inventory: Able to run subprocesses, manage Docker containers, and perform network operations via 'httpx'. 4. Sanitization: No sanitization is performed on 'jsCode' blocks or other executable segments within the ingested JSON files.
Recommendations
- AI detected serious security threats
Audit Metadata