n8n-mcp-orchestrator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's MCP Client patterns and examples (e.g., the "Gather Research Data" workflow and MCP Client Tool configurations) explicitly fetch content from external public sources such as Google Scholar, News APIs, competitor blogs and social data which Claude/n8n are expected to read and use in workflows, exposing the agent to untrusted third-party/user-generated content that could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes runtime MCP client calls to external MCP servers (e.g., https://api.anthropic.com/mcp/v1 and example endpoints like https://analytics.company.com/mcp or https://ml.company.com/mcp) which are invoked during workflow execution to run remote tools/logic and thus can directly execute code or control agent behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes payment-related tools and integrations. It shows a concrete process_payment tool call (mcpCall('n8n','process_payment', {orderId, amount: order.total})) and references an external payments system (e.g., Stripe webhook) in event-driven patterns. Those are specific examples of payment gateway handling and transaction processing rather than generic tooling, so the skill grants direct financial execution capability.