n8n
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to indirect prompt injection from data ingested via the n8n API.
  - Ingestion points: Workflow JSON, node code scripts, and execution data (including error messages and results) are retrieved and processed by the agent.
  - Boundary markers: No delimiters or isolation instructions are provided to separate system instructions from untrusted data fetched from the external n8n instance.
  - Capability inventory: The agent's access to Bash (via uvx), Write, and Read tools allows an injected instruction in a workflow or execution record to potentially execute malicious code or overwrite sensitive files.
  - Sanitization: No evidence of sanitization or validation of the data returned by the n8n API.
- REMOTE_CODE_EXECUTION (HIGH): The skill relies on uvx n8n-client for all its functionality. This involves downloading and running code from an unverified third-party PyPI package (n8n-client by user pokgak), which is not in the list of trusted organizations.
- EXTERNAL_DOWNLOADS (MEDIUM): Operational commands trigger dynamic downloads of the n8n-client package. While PyPI is a standard registry, the package source itself is unverifiable.
- COMMAND_EXECUTION (LOW): The skill requires the Bash tool to interact with the n8n CLI, which increases the impact of other vulnerabilities such as prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata