n8n-workflow-builder

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • PROMPT_INJECTION (HIGH): The AI Agent template (assets/templates/workflows/ai-agent-basic.json) is vulnerable to indirect prompt injection due to its architecture.
      • Ingestion points: Untrusted user data enters the agent context through the Chat Trigger node.
      • Boundary markers: No delimiters (e.g., XML tags or triple quotes) or specific instructions are provided to the agent to differentiate between system instructions and user-supplied data.
      • Capability inventory: The agent has access to two high-privilege tools: Code Tool (JavaScript execution via @n8n/n8n-nodes-langchain.toolCode) and HTTP Request Tool (network operations via @n8n/n8n-nodes-langchain.toolHttpRequest).
      • Sanitization: There is no logic present to sanitize or filter input before it is processed by the model.
  • COMMAND_EXECUTION (MEDIUM): Several templates (lead-capture-crm.json, scheduled-report.json, whatsapp-bot.json) utilize n8n 'Code' nodes to execute JavaScript for data transformation. While this is core functionality for n8n, executing logic on data received from public webhooks without rigorous validation is a known risk factor.
  • DATA_EXFILTRATION (LOW): Multiple templates perform egress network operations to external endpoints such as graph.facebook.com, api.payplus.co.il, and environment-defined URLs like $env.CRM_API_URL. These are standard integration patterns, but users should ensure these destination URLs are strictly controlled via environment variables.
  • CREDENTIALS_UNSAFE (SAFE): Analysis of the 19 files shows no hardcoded secrets. The templates correctly use placeholders (e.g., YOUR_TOKEN, YOUR_CREDENTIAL_ID) or environment variable references ($env.API_KEY), and the included validate_before_deploy.py script specifically checks for and warns against hardcoded credentials.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 11:25 AM