n8n
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The deployment configuration file contains hardcoded default passwords and encryption keys labeled as production-ready.
  - Evidence in `examples/n8n_deployment.yaml`:
    - `N8N_BASIC_AUTH_PASSWORD=secure_password` (Line 21)
    - `DB_POSTGRESDB_PASSWORD=n8n_password` (Line 33)
    - `N8N_ENCRYPTION_KEY=your_secret_encryption_key_here` (Line 36)
- [COMMAND_EXECUTION] (MEDIUM): The skill provides templates for executing arbitrary JavaScript and TypeScript within n8n Code nodes. While this is the primary functionality of n8n, the examples lack input sanitization for data passed to system-level helpers or network requests.
  - Evidence in `examples/n8n_workflow_examples.js`: Use of `fetch()` and `this.helpers.request()` with interpolated variables.
- [DATA_EXFILTRATION] (MEDIUM): Several examples demonstrate retrieving credentials via `this.getCredentials()` and immediately sending them to external URLs (e.g., `api.example.com`). This pattern is a vector for data exfiltration if the target URL is manipulated.
- [PROMPT_INJECTION] (LOW): Detected a significant Indirect Prompt Injection surface where the skill processes data directly from an AI Agent without sanitization.
  - Ingestion points: `examples/n8n_workflow_examples.js` (Line 258) reads directly from `$('AI Agent').item.json.response`.
  - Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands in the processed agent response.
  - Capability inventory: The processed state influences the loop termination logic (`state.completed`) and workflow state transitions.
  - Sanitization: Absent. The response is pushed directly into the `context` array and evaluated using a simple `.includes()` check.
Recommendations
- AI detected serious security threats
Audit Metadata