n8n-expression-testing
Warn
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: MEDIUM. Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The logic snippets in SKILL.md (specifically testExpression and validateExpressionSyntax) use the new Function() constructor to evaluate string-based n8n expressions. This pattern allows arbitrary code execution within the agent's environment: any valid JavaScript contained between the expression markers is executed when the test function is called.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because its primary function involves processing and executing expressions that may originate from external, untrusted sources such as workflow files or pull requests.
- Ingestion points: Expressions and context data ($json, $node) processed by the evaluation logic described in SKILL.md.
- Boundary markers: The skill relies on the standard template markers ({{ }}), which provide no security isolation and do not prevent the execution of malicious payloads.
- Capability inventory: The skill can execute JavaScript code via the new Function constructor.
- Sanitization: There is no evidence of sandboxing, a restricted execution environment (such as a VM), or robust input sanitization to prevent malicious code from accessing the underlying system during evaluation.
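The following is an added example, neither the skill's code nor part of the audit: a minimal evaluator built the way the audit describes (marker body handed to new Function) beside a hardened variant that resolves only $json/$node property paths and follows only own properties. The marker syntax, the $json/$node context shape and the sample data are assumptions constructed for the example.

```javascript
// Added example; neither the skill's code nor the auditor's. It assumes n8n-style
// "{{ expr }}" markers and a context object exposing $json and $node.

function stripMarkers(expression) {
  const m = /^\{\{([\s\S]*)\}\}$/.exec(expression.trim());
  if (!m) throw new Error('expression must be wrapped in {{ }}');
  return m[1].trim();
}

// The pattern the audit flags: the marker body goes straight into new Function(),
// so any valid JavaScript between the markers runs with the agent's privileges.
function testExpressionUnsafe(expression, ctx) {
  const body = stripMarkers(expression);
  // eslint-disable-next-line no-new-func
  return new Function('$json', '$node', `return (${body});`)(ctx.$json, ctx.$node);
}

// Hardened alternative: admit only a root variable followed by property-access
// segments. Calls, operators and assignments never reach an evaluator, and only
// own properties are followed, so prototype members (constructor, __proto__) are
// unreachable even though they look like ordinary property names.
const SAFE_PATH = /^(\$json|\$node)(\.[A-Za-z_$][\w$]*|\[(?:\d+|"[^"\\]*"|'[^'\\]*')\])*$/;
const SEGMENT = /\.([A-Za-z_$][\w$]*)|\[(?:(\d+)|"([^"\\]*)"|'([^'\\]*)')\]/g;

function testExpressionSafe(expression, ctx) {
  const body = stripMarkers(expression);
  if (!SAFE_PATH.test(body)) {
    throw new Error(`rejected: only $json/$node property access is allowed: ${body}`);
  }
  const root = body.startsWith('$json') ? '$json' : '$node';
  let value = ctx[root];
  for (const seg of body.slice(root.length).matchAll(SEGMENT)) {
    const key = seg[1] ?? seg[2] ?? seg[3] ?? seg[4];
    if (value === null || typeof value !== 'object' ||
        !Object.prototype.hasOwnProperty.call(value, key)) {
      return undefined; // missing path; never falls through to the prototype chain
    }
    value = value[key];
  }
  return value;
}

// Constructed sample context shaped like what n8n passes to an expression.
const sampleCtx = {
  $json: { customer: { name: 'Ada' }, items: [{ sku: 'A1' }, { sku: 'B2' }] },
  $node: { 'HTTP Request': { json: { status: 200 } } },
};
```

The unsafe variant returns whatever the marker body computes, while the safe variant throws on anything that is not a plain property path, which is the check a validateExpressionSyntax step should perform before any evaluation.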