n8n-agents

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). The required runtime path for this skill is the n8n Agent node consuming the chat/webhook input text (e.g., text: '={{ $json.userMessage }}' / chatInput: '={{ $('Slack Trigger').item.json.text }}') which is outsider-authored free text from the external chat surface (Slack/Discord/Teams/Telegram/webhook caller) and is fed into the LLM context as the agent’s prompt.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The workflow explicitly fetches a live Notion database schema at runtime (the "Get a database" node) and templates its JSON into the agent's system prompt—i.e., runtime content from the Notion API (https://api.notion.com) directly controls the agent's instructions.