Security audit

N8N EVOL I

Security checks across malware telemetry and agentic risk

Overview

This n8n automation skill is coherent, but it has high-impact live-system authority plus under-scoped file-reading and guardrail-bypass behavior that users should review before installing.

Install only if you intend to let an agent modify a real n8n workspace and call the n8n API. Use a dev environment first, review templates for ../ placeholder paths before hydration/deploy, prefer --no-activate or dry-run/force-style workflows where available, keep .env files out of source control, and sanitize error payloads before sending them to Datadog, Sentry, Slack, or Redis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The resolver rejects absolute paths but does not prevent relative traversal such as `../`, so an attacker-controlled placeholder can cause reads of files outside the intended workspace. Because the file content is inlined into the output, this can expose secrets, source code, SSH keys, environment files, or other sensitive local data accessible to the process.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The document explicitly reveals a special marker (`// @n8n-evol-I:primitive`) that bypasses `validate.py` Code-node safety checks. Even though it warns users not to copy it, publishing the exact bypass mechanism materially lowers the barrier for an agent or user to evade guardrails and introduce unsafe Code nodes under the guise of primitive-compatible content. In this skill context, which is intended to guide workflow construction, disclosing the bypass is more dangerous because it is actionable implementation detail rather than necessary high-level documentation.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
This is a real validation-bypass weakness: the documented behavior says `validate.py` short-circuits as soon as the marker appears as the first non-whitespace characters, so any user-authored Code node can evade the placeholder, purity, and test checks simply by adding the marker. In this skill's context, that is especially dangerous because the harness is explicitly designed to help agents build and modify n8n automation workflows, making it plausible that unreviewed inline code with privileged n8n capabilities could be introduced while still appearing compliant with the documented discipline rule.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The router says to activate for 'anything n8n-related,' which is an overly broad trigger that can cause the skill to take over requests beyond its safe operating boundaries. In practice this increases the chance of the agent applying deployment, credential, or environment-management behaviors when the user only wanted advice, analysis, or unrelated assistance.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill advertises impactful actions including deploy, activation/deactivation, archive/unarchive, resync, credential management, and variable management, but it does not prominently require confirmation or environment verification, nor does it warn about effects on production state and secrets. In a system that can touch live automation infrastructure, missing guardrails materially raise the risk of outages, state corruption, or credential mishandling.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The script deploys workflow changes and then activates the workflow by default, which can immediately enable webhooks, schedules, or other trigger-driven automation against a live n8n environment. In an agent-driven or CI context, this creates a real risk of unintended production-side effects, especially because activation is a state-changing operation performed without an explicit confirmation or opt-in.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The list-link path parses a --dry-run flag but never checks it before mutating and saving the environment YAML, so an operator can reasonably expect a non-destructive preview yet still have credential bindings persisted. In automation tooling that manages deployment state, this can silently alter configuration, causing accidental credential relinking or configuration drift that may affect later runs.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
This workflow is bound to a global error trigger and performs queue cleanup actions whenever a workflow error occurs, but the file does not show any gating to restrict execution to only the intended queue-processing workflows or environments. In a multi-workflow automation system, that broad scope can cause unrelated workflow failures to trigger Redis permit cleanup, corrupting queue state and releasing permits that should remain held.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The example sends workflow names, node names, execution URLs, and raw error messages to Datadog, which can easily include secrets, tokens, payload fragments, or customer data from failed executions. In an automation platform context, error handlers often process production failures, so transmitting these fields off-system without explicit minimization and warning creates a real data-exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The logs example promotes use of identifiers such as user_id and tenant_id for tagging/triage, and Datadog tags are indexed and retained for search, which increases privacy and compliance exposure. Even though the doc notes not to put PII in tags, the surrounding guidance still normalizes high-cardinality identity tagging without strong guardrails, making misuse likely.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The documentation explicitly tells users to paste a live Notion integration secret into an environment file but does not mention that the token is sensitive, should not be committed to source control, and should be handled via secure secret-management practices. In an agent-driven automation workflow, this omission increases the chance of accidental leakage through repo commits, logs, shared workspaces, or handoff artifacts, which could allow unauthorized access to Notion content available to the integration.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README explicitly instructs sending workflow error content, tags, execution identifiers, workflow names, node names, and execution URLs to a third-party Sentry endpoint, but it does not include guidance on minimizing, redacting, or warning about sensitive data disclosure. In this skill context, error messages and workflow metadata can easily contain secrets, personal data, tenant identifiers, internal URLs, or operational details, so the omission creates a real privacy and data-governance risk even if the integration itself is technically valid.

Ssd 3

Severity: Medium
Confidence: 84%
Finding
The guidance says not to place PII in tags but suggests putting it in event text instead, which still exports personal data to a third-party observability system and may be retained, searchable, or broadly accessible. This is a security/privacy anti-pattern because it shifts sensitive data to a different field rather than discouraging collection and transmission altogether.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
fastapi>=0.110
uvicorn[standard]>=0.27
Confidence: 95%
Finding
fastapi>=0.110

Known Vulnerable Dependency: dspy — 1 advisory: CVE-2025-12695 (DSPy does not properly restrict file reads)

Severity: Low
Category: Supply Chain
Confidence: 77%
Finding
dspy

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Severity: Critical
Code: suspicious.exposed_secret_literal
Location: skills/patterns/llm-providers.md:23