n8n_workflows

Critical security risks identified: 1. **Hardcoded Secrets**: Multiple workflow files contain hardcoded API keys (e.g., NYT Article Search, FireCrawl, EODHD, Brave Search). These sensitive credentials are exposed in the source code, posing a significant vulnerability. 2. **Potential XSS in HTML Generation**: Workflows that generate HTML content (e.g., for emails) from dynamic data (e.g., `postgres_api_workflow_with_email-postgres.json`, `url-parsing-and-email-generation-.json`, `firecrawl_webscraping-.json`, `html-newsletter-with-real-time-data-.json`) do not appear to sanitize inputs before embedding them. If malicious content is injected into data sources, it could lead to Cross-Site Scripting (XSS) in email clients or rendered HTML outputs. 3. **Dynamic Workflow Execution**: The `build-your-own-n8n-workflows-mcp-server-.json` workflow allows AI agents to execute other N8N workflows by ID. While attempts are made to manage an 'available' list, this introduces a complex trust boundary. A compromised or maliciously prompted AI agent could potentially execute unintended or harmful workflows, bypassing their `availableInMCP: false` settings. The reliance on `workflowInputs` without strict validation could allow arbitrary parameter injection. 4. **Exposed Admin Interface**: PgAdmin is exposed on `localhost:5050` by default. While not publicly exposed in a standard Docker setup, if the host machine has public access, this becomes a direct attack vector to the PostgreSQL database. 5. **Sensitive Information in Logs**: Depending on the workflow execution and error handling, sensitive data or API responses might be inadvertently logged.