n8n
Pass
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill is configured to use
curlas its primary execution command and provides complex shell script examples inAPI_REFERENCE.md. These examples include loops and the use ofjqto process API responses and automate actions across multiple workflows. - [DATA_EXFILTRATION]: The skill facilitates the transfer of data between the local environment and an external n8n host. While intended for management, this capability allows the agent to transmit the
N8N_API_KEYand other sensitive environment variables to the configured$N8N_HOST. - [DATA_EXPOSURE]: The skill specifically includes endpoints for the n8n Credentials API. This allows the agent to list and retrieve details of credentials (such as API tokens for third-party services like Slack) stored within the n8n platform, representing a significant access level to the user's secrets management layer.
- [INDIRECT_PROMPT_INJECTION]: The skill interacts with external data sources that may be attacker-controlled.
- Ingestion points: Data enters the agent context via
GET /api/v1/workflowsandGET /api/v1/executionswhich fetch workflow names, node configurations, and execution logs from the n8n host. - Boundary markers: The instructions lack explicit delimiters or warnings to the agent to ignore instructions embedded within the retrieved data.
- Capability inventory: The skill has the capability to execute shell commands (
curl), delete resources on the n8n host, and trigger arbitrary workflows. - Sanitization: There is no evidence of sanitization or validation of the data retrieved from the API before it is processed by the agent.
Audit Metadata