qe-n8n-security-testing
Audited by Socket on Feb 27, 2026
1 alert found:
Malware

This skill is a coherent n8n security-testing tool whose capabilities match its stated purpose: scanning workflows and logs for secrets, verifying encryption/rotation, exercising OAuth refreshes, testing webhook authentication and input sanitization, and scanning expressions for dangerous constructs. The primary risks are contextual and operational: it requires privileged access to workflows, credentials metadata, and execution logs; it issues network requests to arbitrary webhook URLs (which could be attacker-controlled if misused); it sends crafted/malicious payloads (including a 10MB payload and command-injection-like strings) which must only be used against authorized targets; and findings may include sensitive substrings unless the reporting pipeline redacts them. I find no direct signs of embedded malware or supply-chain download-execute patterns in the provided code fragment, but the missing implementations of helper functions are critical — those must be reviewed to ensure they do not forward secrets or log findings to untrusted endpoints.