n8n-code-javascript
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: All files within the skill contain documentation and code templates for legitimate development tasks in n8n. No malicious logic, prompt injections, or obfuscated contents were identified.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill provides instructions for network operations using the $helpers.httpRequest() method. These examples are documented for standard integration purposes, use non-sensitive placeholder domains, and correctly advocate for the use of environment variables for authentication tokens instead of hardcoding credentials.
- [INDIRECT_PROMPT_INJECTION]: The skill documents how to process data from external sources, identifying a potential vulnerability surface.
  - Ingestion points: Data enters the workflow via $input.all(), $input.first(), and $helpers.httpRequest() as described in DATA_ACCESS.md and BUILTIN_FUNCTIONS.md.
  - Boundary markers: Not defined in the instructional templates.
  - Capability inventory: Logic can perform network requests, access persistent storage via $getWorkflowStaticData(), and use the crypto module.
  - Sanitization: The skill provides clear instructions and patterns for input validation and null checking in ERROR_PATTERNS.md and SKILL.md to mitigate risks from malformed data.
- [DYNAMIC_EXECUTION]: The skill facilitates the generation of JavaScript for n8n Code nodes, which is its primary intended function. The documentation provides safe, production-tested patterns for data transformation and aggregation.