n8n-best-practices
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill recommends setting the environment variable NODE_FUNCTION_ALLOW_BUILTIN=*. This configuration disables default sandbox restrictions in n8n, allowing Code nodes to load any Node.js built-in module, including child_process and fs, which can be used to execute arbitrary system commands or access sensitive files.
- [DATA_EXFILTRATION]: The documentation advises setting N8N_BLOCK_ENV_ACCESS_IN_NODE=false, permitting n8n Code nodes to access environment variables that may contain sensitive credentials. It also provides bash script examples for extracting API keys from .env.local files using grep and cut operations.
- [PROMPT_INJECTION]: The skill documents an indirect prompt injection surface where untrusted data is processed with high-privilege capabilities.
  - Ingestion points: Untrusted data enters the agent context through the $input object in n8n Code nodes as described in the code snippets.
  - Boundary markers: The examples provided contain no boundary markers or instructions to ignore embedded instructions.
  - Capability inventory: High, as the skill explicitly encourages configurations that enable system-level command execution and file system access.
  - Sanitization: There is no evidence of sanitization or validation of external content before processing in the provided patterns.
Audit Metadata