n8n workflow safety

Import slowly

Audit n8n workflow JSON before you activate it.

Workflow packs are useful. Blind imports are not.

This importable n8n workflow scans exported workflow JSON for risky nodes, possible secrets, missing error handling, and AI-to-outbound paths without an obvious approval step.

audit/imported-workflow
$ verdict
do_not_activate_yet
$ rule
import slowly. audit first. activate last.

What it checks

A first-pass audit for workflow JSON.

  • possible hardcoded secrets and token-shaped strings
  • automatic triggers like webhook, schedule, and cron
  • email, social, Slack, Telegram, Discord, payment, and database-write nodes
  • HTTP Request nodes with inline auth or token-looking headers
  • Code nodes using fetch, axios, eval, or dynamic execution patterns
  • no Error Trigger node and no obvious error workflow
  • large workflows with no Sticky Notes
  • AI/LLM nodes connected to outbound actions without an approval step

Why this exists

The n8n ecosystem has a lot of free templates, GitHub repos, and workflow packs. Some are excellent. Some are old, undocumented, or wired to actions you should inspect before activating.

This workflow does the boring first pass: parse the JSON, scan for risky patterns, and return a verdict before you trust the import.

What it returns

  • risk_score: 0-100 score based on finding severity.
  • verdict: safe_to_inspect, needs_manual_review, or do_not_activate_yet.
  • findings: node-level issues and evidence.
  • suggested_fixes: plain-language next steps before activation.
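A first-pass auditor with the checks listed under "What it checks" and the output shape described above, written as an added example for this page (it is not the auditor workflow itself and not n8n's code). It reads an exported workflow object, walks the nodes and the connections graph, and returns risk_score, verdict, findings, and suggested_fixes. Everything it assumes is marked in comments: the node type strings, the token regexes, the point values per severity, the verdict thresholds, and the rule that a Wait node, a sendAndWait operation, or a node named like an approval counts as the approval step. The sample export is constructed, and its token is a fake placeholder.

```javascript
// Added example, not the page's own auditor workflow: the checks listed under "What it checks" and the
// output under "What it returns". Node types, regexes, points, thresholds and the approval heuristic are assumptions.
const TRIGGER_RE = /\.(webhook|scheduleTrigger|cron|interval)$/;
const OUTBOUND_RE = /\.(httpRequest|emailSend|gmail|slack|telegram|discord|twitter|stripe|paypal|postgres|mysql|mongoDb)$/;
const AI_RE = /langchain\.(agent|chainLlm)$|\.openAi$/;                 // LLM nodes with a main output
const TOKEN_RE = /\b(sk-[\w-]{20,}|xox[abprs]-[\w-]{10,}|ghp_\w{30,}|AKIA[0-9A-Z]{16}|eyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,})/;
const AUTH_RE = /^(Bearer|Basic)\s+\S+|^(authorization|x-api-key|api[-_]?key)$/i;   // header value or header name
const DYNAMIC_CODE_RE = /\b(eval|new Function|fetch|axios|require|child_process)\b/;
const POINTS = { high: 30, medium: 15, low: 5 }, LARGE_WORKFLOW = 12;   // node count before "no Sticky Notes" counts
const FIXES = {
  hardcoded_secret: 'Move the value into an n8n credential and rotate it; the export already leaked it.',
  automatic_trigger: 'Leave the trigger inactive until every downstream node has been read.',
  outbound_action: 'Confirm which account, channel or table receives the side effect.',
  inline_auth: 'Replace the inline header with a credential attached to the HTTP Request node.',
  dynamic_code: 'Read the Code node line by line; fetch/eval bypass node-level credentials.',
  no_error_handling: 'Add an Error Trigger workflow or set settings.errorWorkflow before activating.',
  no_sticky_notes: 'Ask the author for documentation or add Sticky Notes while you read it.',
  ai_to_outbound: 'Put a human approval step (Wait / sendAndWait) between the LLM node and the outbound action.',
};
// Visit every string nested in a parameters object, with a dotted path for evidence.
function walkStrings(value, path, visit) {
  if (typeof value === 'string') visit(value, path);
  else if (Array.isArray(value)) value.forEach((v, i) => walkStrings(v, `${path}[${i}]`, visit));
  else if (value && typeof value === 'object') Object.entries(value).forEach(([k, v]) => walkStrings(v, path ? `${path}.${k}` : k, visit));
}
// Heuristic approval gate: a Wait node, a "send and wait" operation, or a node named like an approval.
const isApproval = (n) => n.type.endsWith('.wait') || n.parameters?.operation === 'sendAndWait' || /approv/i.test(n.name);
// Downstream node names over every connection type (main plus the AI sub-connections).
const successors = (wf, name) => Object.values(wf.connections?.[name] || {}).flatMap((outs) => outs.flatMap((links) => (links || []).map((l) => l.node)));
// Outbound nodes reachable from `start` without passing through an approval node (BFS).
function unapprovedOutbound(wf, byName, start) {
  const seen = new Set([start]), queue = [start], hits = [];
  while (queue.length) for (const next of successors(wf, queue.shift())) {
    if (seen.has(next)) continue;
    seen.add(next);
    const n = byName.get(next);
    if (!n || isApproval(n)) continue;                                // stop this branch at the gate
    if (OUTBOUND_RE.test(n.type)) hits.push(next);
    queue.push(next);
  }
  return hits;
}
function auditWorkflow(wf) {
  const nodes = wf.nodes || [], findings = [], byName = new Map(nodes.map((n) => [n.name, n]));
  const add = (severity, check, node, evidence) => findings.push({ severity, check, node, evidence });
  for (const n of nodes) {
    walkStrings(n.parameters, '', (s, p) => {
      const m = TOKEN_RE.exec(s);
      if (m) add('high', 'hardcoded_secret', n.name, `${p}: ${m[1].slice(0, 7)}...`);
    });
    if (TRIGGER_RE.test(n.type)) add('low', 'automatic_trigger', n.name, n.type);
    if (OUTBOUND_RE.test(n.type)) add('medium', 'outbound_action', n.name, n.type);
    if (n.type.endsWith('.httpRequest')) {
      const where = [];
      walkStrings(n.parameters, '', (s, p) => { if (AUTH_RE.test(s)) where.push(p); });
      if (where.length) add('medium', 'inline_auth', n.name, where.join(', '));
    }
    const dyn = n.type.endsWith('.code') && DYNAMIC_CODE_RE.exec(n.parameters?.jsCode || '');
    if (dyn) add('medium', 'dynamic_code', n.name, `uses ${dyn[1]}`);
  }
  if (!nodes.some((n) => n.type.endsWith('.errorTrigger')) && !wf.settings?.errorWorkflow)
    add('low', 'no_error_handling', null, 'no Error Trigger node and no settings.errorWorkflow');
  if (nodes.length >= LARGE_WORKFLOW && !nodes.some((n) => n.type.endsWith('.stickyNote')))
    add('low', 'no_sticky_notes', null, `${nodes.length} nodes, 0 Sticky Notes`);
  for (const ai of nodes.filter((n) => AI_RE.test(n.type))) {
    const hits = unapprovedOutbound(wf, byName, ai.name);
    if (hits.length) add('high', 'ai_to_outbound', ai.name, `reaches ${hits.join(', ')} with no approval step`);
  }
  const risk_score = Math.min(100, findings.reduce((sum, f) => sum + POINTS[f.severity], 0));
  const verdict = risk_score >= 60 ? 'do_not_activate_yet' : risk_score >= 25 ? 'needs_manual_review' : 'safe_to_inspect';
  const suggested_fixes = [...new Set(findings.map((f) => f.check))].map((c) => FIXES[c]);
  return { risk_score, verdict, findings, suggested_fixes };
}
// Linear main-output chain A -> B -> C in the shape n8n stores under `connections`.
const chain = (names) => Object.fromEntries(names.slice(0, -1).map((a, i) => [a, { main: [[{ node: names[i + 1], type: 'main', index: 0 }]] }]));
// Constructed sample export, not a real template; the token is a fake placeholder.
const SAMPLE = {
  name: 'Lead follow-up', settings: {},
  nodes: [
    { name: 'Webhook', type: 'n8n-nodes-base.webhook', parameters: { path: 'lead' } },
    { name: 'Enrich', type: 'n8n-nodes-base.code', parameters: { jsCode: 'const r = await fetch("https://example.invalid/" + $json.email); return [{ json: await r.json() }];' } },
    { name: 'AI Agent', type: '@n8n/n8n-nodes-langchain.agent', parameters: { text: '={{ $json.summary }}' } },
    { name: 'HTTP Request', type: 'n8n-nodes-base.httpRequest', parameters: { url: 'https://api.example.invalid/send',
      headerParameters: { parameters: [{ name: 'Authorization', value: 'Bearer sk-live-EXAMPLE0123456789abcdefghij' }] } } },
    { name: 'Slack', type: 'n8n-nodes-base.slack', parameters: { channel: '#sales', text: '={{ $json.reply }}' } },
  ],
  connections: chain(['Webhook', 'Enrich', 'AI Agent', 'HTTP Request', 'Slack']),
};
// Same export after the fixes the verdict asks for: header removed (attach a credential instead), approval gate, error workflow.
function hardened(wf) {
  const h = JSON.parse(JSON.stringify(wf)); h.name += ' (hardened)';
  h.settings.errorWorkflow = 'error-handler';                          // assumed id of a separate Error Trigger workflow
  delete h.nodes.find((n) => n.name === 'HTTP Request').parameters.headerParameters;
  h.nodes.push({ name: 'Manager approval', type: 'n8n-nodes-base.wait', parameters: { resume: 'webhook' } });
  h.connections = chain(['Webhook', 'Enrich', 'AI Agent', 'Manager approval', 'HTTP Request', 'Slack']);
  return h;
}
for (const wf of [SAMPLE, hardened(SAMPLE)]) console.log(wf.name, JSON.stringify(auditWorkflow(wf), null, 1));
```

Run it with node; it prints the verdict for the constructed export and for the same export after the fixes. The gap between the two runs is the point: removing the inline header, adding the Wait node behind the agent, and setting settings.errorWorkflow drops the score from 100 to 50, but the outbound nodes and the fetch call in the Code node still leave it at needs_manual_review, which is exactly where a human should read the workflow rather than trust the score.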

What it is not

This is not a complete security scanner. It will miss obfuscated secrets, custom-node behavior, and runtime-only risks. It is a first-pass audit before activation, not a replacement for reading the workflow.

The rule

Claude/Codex builds. n8n runs. Human approves. For workflows you did not write yourself: import slowly, audit first, activate last.

Use the AI agent workflow safety checklist when the workflow touches publishing, customers, money, production, or private data.

FAQ

What is the n8n Workflow JSON Auditor?

It is an importable n8n workflow that scans exported workflow JSON before activation and flags risky triggers, possible secrets, outbound action nodes, missing error handling, and AI-to-action paths without an approval step.

Is this a complete n8n security scanner?

No. It is a first-pass workflow audit. It helps you slow down before activating an imported workflow, but you still need to inspect credentials, custom nodes, runtime behavior, and business logic yourself.

How do I use the auditor?

Download the JSON, import it into n8n, open the paste node, paste the workflow JSON you want to inspect, run the workflow manually, then review the verdict and suggested fixes before activating the imported workflow.

What does do_not_activate_yet mean?

It means the workflow contains enough risk signals that you should not activate it blindly. Read the findings, remove secrets, inspect risky nodes, add error handling, and add human approval before public, customer-facing, financial, or production actions.