n8n-self-hosting
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to perform administrative operations on a remote Linux server via SSH. These operations include installing the Docker engine, configuring the UFW firewall (permitting SSH, HTTP, and HTTPS), creating project directories (e.g., /opt/n8n), and managing services using Docker Compose. These actions are appropriate for the skill's stated purpose of server deployment.\n- [EXTERNAL_DOWNLOADS]: The skill fetches the Docker installation script from the well-known source
get.docker.com. It also retrieves official container images fromdocker.n8n.io(n8n), Docker Hub (PostgreSQL, Redis), and Caddy's official repository. These sources belong to established technology providers and are considered safe for deployment purposes.\n- [DATA_EXFILTRATION]: The agent is directed to usecurl -s ifconfig.meon the target host to discover its public IP address. This data is used solely for pre-deployment DNS validation to ensure that the user's domain points to the correct server before attempting SSL certificate issuance.\n- [PROMPT_INJECTION]: The skill processes user-provided inputs, such as domain names and timezones, which are interpolated into shell commands on the remote server. This presents an indirect prompt injection surface.\n - Ingestion points: User-provided values for SSH target, Domain, TLS email, and Timezone (SKILL.md).\n
- Boundary markers: No explicit boundary markers or delimiters are instructed for the data interpolation.\n
- Capability inventory: The agent possesses the capability to execute shell commands (e.g., sed, docker, scp) on the remote server (SKILL.md, SECURITY.md).\n
- Sanitization: The skill does not explicitly instruct the agent to sanitize or validate these inputs before they are used in command-line operations.
Audit Metadata