N8N Audit Overview
Date: 2026-03-03
Server: OVH2 (15.204.10.51)
Repo: OmelasAI/n8n-audit (private)
Scope
Full audit of all N8N workflow automation instances running on the OVH2 development server. The audit covers:
- 4 N8N instances running in Docker containers
- 99 workflows (JSON exports of every workflow)
- ~120 credentials referenced across all workflows
- Security analysis of hardcoded secrets, API keys, and exposed credentials
Methodology
- SSH access to OVH2 via ssh ovh2 (user ubuntu, key ~/.ssh/ovh2_dev)
- Docker exec into each N8N container to export workflows via CLI:
  docker exec <container> n8n export:workflow --all --separate --output=/tmp/export/
- Credential metadata exported (names/types/IDs only, not secrets):
  docker exec <container> n8n export:credentials --all
- JSON analysis of all 99 workflow files for hardcoded secrets, API keys, URLs, and operational flows
- Per-instance documentation with operational descriptions of every workflow
Instance Summary
| Instance | URL | Auth | Workflows | Active | Inactive |
|---|---|---|---|---|---|
| max | https://max.lifeonroatan.net | dev1 / S5a0l3eamas | 25 | 8 | 17 |
| n8n | https://n8n.lifeonroatan.net | proto / fetish503aa | 9 | 2 | 7 |
| n8n-dev1 | https://dev1.lifeonroatan.net | dev1 / S5a0l3eamas | 61 | 26 | 35 |
| n8n-dev2 | https://dev2.lifeonroatan.net | dev2 / S5a0l3eamas2 | 4 | 0 | 4 |
| Totals | | | 99 | 36 | 63 |
Infrastructure
All 4 instances run on the same Docker host with a shared Caddy reverse proxy and PostgreSQL database.
| Container | Image | Purpose |
|---|---|---|
| max | n8nio/n8n:latest | Max Shipping chatbot (production) |
| n8n | n8nio/n8n:latest | Legacy CMS workflow + tools |
| n8n-dev1 | n8nio/n8n:latest | Primary development sandbox |
| n8n-dev2 | n8nio/n8n:latest | Unused secondary dev |
| caddy | caddy | Reverse proxy + auto-SSL |
| postgres | postgres | Shared database for all instances |
| watchtower | containrrr/watchtower | Auto-updates Docker images |
| python-svc | python-svc:latest | Python service (port 8000) |
| n8n-audio-server | nginx:alpine | Audio file server (port 8081) |
| nocodb | nocodb/nocodb:latest | NocoDB (port 8080) |
| portainer | portainer/portainer-ce | Docker management UI |
| qdrant | qdrant/qdrant | Vector database |
Key Findings
Critical Security Issues (4)
- Exposed OpenAI API key in stateless-hypno-elp workflow JSON
- Exposed Mistral API key in Hypno-elp copy workflow JSON
- Exposed Replicate API key in AI Faceless Video Bearer headers
- Exposed Creatomate API key in AI Faceless Video Bearer headers
High Severity (2)
- Z-API credentials hardcoded — instance ID, token, and client-token embedded in URLs across 5+ workflows instead of using the N8N credential store
- Phone numbers in workflow JSON — real phone numbers embedded in workflow configurations
Medium Severity (2)
- Webhook path conflicts — 5 workflows share /api/v1/voice-chat path; 2 active workflows share another webhook path
- SQL injection risk — CMS workflow on n8n instance builds queries with string interpolation
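The JSON analysis step from the methodology, covering the hardcoded-secret and webhook-conflict findings above, can be reproduced with a small scanner over the exported workflow files. This is an added example, not the audit's own tooling; the rule patterns, the /token/ URL shape, the GET default and slash normalisation for webhook paths, and the sample workflows are assumptions made for illustration.

```python
import re
from collections import defaultdict

RULES = {  # heuristic patterns: assumptions for this example, not an exhaustive set
    "bearer-literal": re.compile(r"Bearer\s+[A-Za-z0-9._-]{16,}"),
    "token-in-url": re.compile(r"https?://\S*/token/[A-Za-z0-9]{16,}"),
}
EXPRESSION = re.compile(r"\{\{.*?\}\}", re.S)  # n8n expression, resolved at run time

def walk_strings(value, path):
    """Yield (json_path, string) for every string nested under a node's parameters."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, (dict, list)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        for key, item in items:
            yield from walk_strings(item, f"{path}/{key}")

def scan_workflow(wf):
    """Return (workflow, node, json_path, rule) per hit; the matched value is never echoed."""
    hits = []
    for node in wf.get("nodes", []):
        for path, text in walk_strings(node.get("parameters", {}), "parameters"):
            literal = EXPRESSION.sub("", text)  # keep only the hardcoded part
            hits += [(wf["name"], node["name"], path, rule)
                     for rule, rx in RULES.items() if rx.search(literal)]
    return hits

def webhook_conflicts(workflows):
    """Map (method, path) to [(workflow, active)] for routes claimed by several workflows."""
    routes = defaultdict(list)
    for wf in workflows:
        for node in wf.get("nodes", []):
            if node.get("type") == "n8n-nodes-base.webhook":
                p = node.get("parameters", {})
                route = (p.get("httpMethod", "GET"), p.get("path", "").strip("/"))
                routes[route].append((wf["name"], bool(wf.get("active"))))
    return {r: users for r, users in routes.items() if len(users) > 1}

SAMPLE = [  # constructed exports, not taken from the audited instances
    {"name": "video-a", "active": True, "nodes": [
        {"name": "In", "type": "n8n-nodes-base.webhook", "parameters": {"path": "api/v1/voice-chat"}},
        {"name": "Render", "type": "n8n-nodes-base.httpRequest", "parameters": {
            "headerParameters": {"parameters": [
                {"name": "Authorization", "value": "Bearer EXAMPLE0000EXAMPLE0000"}]}}}]},
    {"name": "voice-b", "active": False, "nodes": [
        {"name": "In", "type": "n8n-nodes-base.webhook", "parameters": {"path": "/api/v1/voice-chat"}},
        {"name": "Send", "type": "n8n-nodes-base.httpRequest", "parameters": {
            "url": "=https://wa.example.test/instances/{{ $json.id }}/token/CONSTRUCTED0000TOKEN/send"}}]},
]
```

Findings carry only the workflow, node, and JSON path, so the scanner's own output can be committed or shared without re-exposing the secret it located.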
Workflow Categories
| Category | Count | Key Workflows |
|---|---|---|
| Max Shipping / Package Tracking | 12 | Max Chatbot Live, MCP Server Live, MaxTracks variants |
| Hypnotherapy AI (Hypno-elp) | 11 | stateless hypno elp, Hypno-elp copy, 5x model analysis |
| YouTube Analysis | 8 | Summarizer, Transcription Analyzer, forms |
| Telegram Chatbots | 5 | Mistral, Qwen, multi-TTS, MCP Client |
| Social Media | 3 | Posting Machine (100 nodes), Social Media Posting, LOR |
| WhatsApp / MCP | 6 | WhatsApp MCP Client/Server, Z-API MCP Server |
| CMS / Admin | 2 | CMS (86 nodes), NocoDB-enhanced Max Shipping |
| Utilities | 6 | Error handling, backup, holiday notifier, TTS, forms |
| Personal Assistant | 4 | Main, Calendar, Gmail Fetcher, WhatsApp prototype |
| Scrapers | 3 | Google Maps email scrapers |
| Test / Scratch | 12 | Various My workflow N, node tests |
GitHub Repository Structure
OmelasAI/n8n-audit/
+-- README.md              # Master overview
+-- max/
|   +-- README.md          # 25 workflows documented
|   +-- workflows/         # 25 JSON files
+-- n8n/
|   +-- README.md          # 9 workflows documented
|   +-- workflows/         # 9 JSON files
+-- n8n-dev1/
|   +-- README.md          # 61 workflows documented (1,688 lines)
|   +-- workflows/         # 61 JSON files
+-- n8n-dev2/
    +-- README.md          # 4 workflows documented
    +-- workflows/         # 4 JSON files
External Services Referenced
The workflows collectively connect to these external services:
| Service | Purpose | Instances Using |
|---|---|---|
| OpenAI | Chat, TTS, Whisper, DALL-E, Vision | All 4 |
| Mistral AI | Chat, Voxtral transcription | max, n8n-dev1 |
| Anthropic Claude | Hypnotherapy analysis | n8n-dev1 |
| xAI Grok | Chat, calendar/gmail assistant | n8n-dev1 |
| Alibaba Qwen | Chat (OpenAI-compatible API) | n8n-dev1 |
| Firebase Cloud Functions | Max Shipping package tracking | max, n8n, n8n-dev1 |
| Z-API | WhatsApp messaging | n8n-dev1 |
| ElevenLabs | Text-to-speech | n8n-dev1 |
| Hume AI | Text-to-speech | n8n-dev1 |
| Azure Cognitive Services | Text-to-speech | n8n-dev1 |
| Replicate | Image/video generation (Flux, minimax) | n8n-dev1 |
| Creatomate | Video composition | n8n-dev1 |
| Telegram Bot API | Chatbots | n8n-dev1 |
| Facebook Graph API | Instagram/Facebook posting | n8n-dev1 |
| Google Drive/Sheets/Calendar/Gmail | Various | All 4 |
| Supabase | Backend functions | n8n-dev1 |
| Tactiq/Kome.ai | YouTube transcript extraction | n8n-dev1 |
| NocoDB | Database UI | n8n |
| Cloudflare R2 (S3) | Audio file storage | n8n-dev1 |