Fragile expression — likely to fail when production data shape differs from test data — These expressions work reliably against test data where all fields are present. In production, fields may be absent, null, or differently typed — causing a runtime error or silent null propagation at the point of the expression.
No output token cap — Missing max-token limits allow unbounded completion length and runaway spend.
Side-effect node has no audit trail — If this action is disputed, replayed, or causes a data inconsistency, there is no structured record of what was sent, when, and with what data. Debugging requires cross-referencing n8n execution history with the external system's own logs.
| Check | Description | Status |
|---|---|---|
| Failure Alerting | Failures silent — only visible in execution log | Missing |
| Retry on Failure | Transient failures cause permanent stops | Present |
| Request Timeouts | Slow providers can block execution indefinitely | Missing |
| Duplicate Prevention | Retry on write events creates duplicate records | Missing |
| Empty Response Handling | Zero-result lookups break downstream logic | Present |
| AI Output Limits | Output cost and parsing risk unbounded | Present |
| AI Output Format | Free-form output will break downstream parsers | Missing |
| Activity Logging | Side effects unlogged | Missing |
| Write Deduplication | Webhook replays may create duplicate records | Missing |
Run this analysis on your own workflows
- Slack: Escalate TP
These expressions work reliably against test data where all fields are present. In production, fields may be absent, null, or differently typed — causing a runtime error or silent null propagation at the point of the expression.
- In `text`, change {{ $json.rule_name }} to {{ $json?.rule_name }}.
- In `text`, change {{ ($json.mitre_techniques || []).map(t => `${t.id} ${t.name}`).join(', ') || 'n/a' }} to {{ ($json?.mitre_techniques || [])?.map(t => `${t?.id} ${t?.name}`)?.join(', ') || 'n/a' }}.
- SIEM Alert Webhook
- LLM Triage (Tier-2 Analyst)
- Respond to SIEM
Webhook senders have hard response timeouts: Slack 3 s, Shopify 5 s, GitHub 10 s, Stripe 30 s. AI calls typically take 10–60 seconds. When the sender times out, it marks the delivery failed and retries — the workflow processes the same event twice, potentially creating duplicate records, emails, or actions.
Respond to the webhook immediately with a 202 Accepted using a Respond to Webhook node placed before the AI work. Move the AI processing to continue asynchronously after the response.
- LLM Triage (Tier-2 Analyst)
- Slack: Escalate TP
- Slack: FP/Benign Digest
A single slow external call can block the entire workflow execution. At high trigger frequency, accumulated stuck executions can exhaust the n8n execution queue.
Set a timeout under the node's Additional Options. A value of 10,000–30,000 ms (10–30 seconds) is a reasonable starting point for most APIs; adjust based on the provider's documented SLA.
- Respond to SIEM
These expressions work reliably against test data where all fields are present. In production, fields may be absent, null, or differently typed — causing a runtime error or silent null propagation at the point of the expression.
- In `responseBody`, change {{ JSON.stringify({ alert_id: $json.alert_id, verdict: $json.verdict, confidence: $json.confidence, mitre_techniques: $json.mitre_techniques ?? [] }) }} to {{ JSON?.stringify({ alert_id: $json?.alert_id, verdict: $json?.verdict, confidence: $json?.confidence, mitre_techniques: $json?.mitre_techniques ?? [] }) }}.
- Normalize Alert
- LLM Triage (Tier-2 Analyst)
- Parse & Validate Verdict
Operators cannot tell from external signals that a run failed. Silent failures go undetected until a downstream system shows missing data or a user reports a problem.
Connect a dedicated Error Workflow in workflow settings, or add a per-node onError: "continueErrorOutput" path that sends an alert via Slack, email, or a logging service.
- Slack: FP/Benign Digest
These expressions work reliably against test data where all fields are present. In production, fields may be absent, null, or differently typed — causing a runtime error or silent null propagation at the point of the expression.
- In `text`, change {{ $json.rule_name }} to {{ $json?.rule_name }}.
- Slack: Needs Analyst Review
These expressions work reliably against test data where all fields are present. In production, fields may be absent, null, or differently typed — causing a runtime error or silent null propagation at the point of the expression.
- In `text`, change {{ $json.rule_name }} to {{ $json?.rule_name }}.
- Slack: Escalate TP
- Slack: FP/Benign Digest
- Slack: Needs Analyst Review
If this action is disputed, replayed, or causes a data inconsistency, there is no structured record of what was sent, when, and with what data. Debugging requires cross-referencing n8n execution history with the external system's own logs.
After the write node, add a step that records the key fields of the action to a log — a Google Sheet row append, a database insert to an audit table, or a Slack message to a dedicated ops channel. Include: timestamp, action type, affected ID, and result.
- SIEM Alert Webhook
- Normalize Alert
- Severity Gate (drop informational)
Webhook providers retry on delivery failure. Without a unique key on the target record, a retried delivery creates a duplicate.
Add a unique field to the write operation using a stable identifier from the webhook payload (event ID, order ID, etc.), or add a read-before-write existence check before the write node.
| # | Issue title | Issue description | Affected nodes | |||
|---|---|---|---|---|---|---|
| 1 | Reliability | AI node blocks synchronous webhook response path | Node "SIEM Alert Webhook" executes in the synchronous response path of the webhook trigger. The webhook trigger's | SIEM Alert Webhook, LLM Triage (Tier-2 Analyst), Respond to SIEM | High | 85% |
| 2 | Reliability | External call with no timeout configured | Node "LLM Triage (Tier-2 Analyst)" makes an external call with no timeout parameter set. The n8n execution will wait indefinitely if the provider is slow or unresponsive. | LLM Triage (Tier-2 Analyst), Slack: Escalate TP, Slack: FP/Benign Digest, Slack: Needs Analyst Review | High | 90% |
| 3 | Security | Finding: webhook no auth | authentication: absent. path: short custom path "__KIPNAI_SAN__WEBHOOK_URL__p7w4FJYj__" (enumerable). downstream write node(s): "Slack: Escalate TP", "Slack: FP/Benign Digest", "Slack: Needs Analyst Review" | SIEM Alert Webhook, Slack: Escalate TP, Slack: FP/Benign Digest, Slack: Needs Analyst Review | High | 90% |
| 4 | Reliability | Fragile expression — likely to fail when production data shape differs from test data | Node "Slack: Escalate TP" contains expression(s) with risky patterns that assume fields are always present. | Slack: Escalate TP | High | 85% |
| 5 | Reliability | No error handler or failure notification path | Workflow has 7 high-risk nodes (external calls or writes) with no configured error workflow and no inline notification path. If a production execution fails, the failure only appears in execution history. | Normalize Alert, LLM Triage (Tier-2 Analyst), Parse & Validate Verdict, Slack: Escalate TP, Slack: FP/Benign Digest, Slack: Needs Analyst Review, Archive: Below Severity Floor | High | 85% |
| 6 | Reliability | AI output drives downstream logic without a structured format | Node "LLM Triage (Tier-2 Analyst)" produces free-form text output that flows into downstream logic with no Output Parser or JSON mode configured. | LLM Triage (Tier-2 Analyst) | Medium | 75% |
| 7 | Reliability | Fragile expression — likely to fail when production data shape differs from test data | Node "LLM Triage (Tier-2 Analyst)" contains expression(s) with risky patterns that assume fields are always present. | LLM Triage (Tier-2 Analyst) | Medium | 75% |
| 8 | Reliability | Fragile expression — likely to fail when production data shape differs from test data | Node "Slack: FP/Benign Digest" contains expression(s) with risky patterns that assume fields are always present. | Slack: FP/Benign Digest | Medium | 75% |
| 9 | Reliability | Fragile expression — likely to fail when production data shape differs from test data | Node "Slack: Needs Analyst Review" contains expression(s) with risky patterns that assume fields are always present. | Slack: Needs Analyst Review | Medium | 75% |
| 10 | Reliability | Fragile expression — likely to fail when production data shape differs from test data | Node "Respond to SIEM" contains expression(s) with risky patterns that assume fields are always present. | Respond to SIEM | Medium | 85% |
| 11 | Observability | Side-effect node has no audit trail | Node "Slack: Escalate TP" performs a write node: "slack: escalate tp" (sideeffect: external_write) operation with no logging or audit trail detected downstream. | Slack: Escalate TP | Medium | 70% |
| 12 | Observability | Side-effect node has no audit trail | Node "Slack: FP/Benign Digest" performs a write node: "slack: fp/benign digest" (sideeffect: external_write) operation with no logging or audit trail detected downstream. | Slack: FP/Benign Digest | Medium | 70% |
| 13 | Observability | Side-effect node has no audit trail | Node "Slack: Needs Analyst Review" performs a write node: "slack: needs analyst review" (sideeffect: external_write) operation with no logging or audit trail detected downstream. | Slack: Needs Analyst Review | Medium | 70% |
| 14 | Reliability | Webhook trigger feeds write operation without unique-key protection | The webhook trigger feeds node "SIEM Alert Webhook" without a visible unique key constraint or deduplication step. No ID field parameter was detected in the write node configuration. | SIEM Alert Webhook, Slack: Escalate TP | Medium | 65% |
| 15 | Reliability | Webhook trigger feeds write operation without unique-key protection | The webhook trigger feeds node "SIEM Alert Webhook" without a visible unique key constraint or deduplication step. No ID field parameter was detected in the write node configuration. | SIEM Alert Webhook, Slack: FP/Benign Digest | Medium | 65% |
| 16 | Reliability | Webhook trigger feeds write operation without unique-key protection | The webhook trigger feeds node "SIEM Alert Webhook" without a visible unique key constraint or deduplication step. No ID field parameter was detected in the write node configuration. | SIEM Alert Webhook, Slack: Needs Analyst Review | Medium | 65% |
| 17 | Reliability | Fragile expression — likely to fail when production data shape differs from test data | Node "Severity Gate (drop informational)" contains expression(s) with risky patterns that assume fields are always present. | Severity Gate (drop informational) | Low | 75% |
| 18 | Reliability | Fragile expression — likely to fail when production data shape differs from test data | Node "Route by Verdict" contains expression(s) with risky patterns that assume fields are always present. | Route by Verdict | Low | 75% |
| 19 | Reliability | Finding: external without retry | Node "LLM Triage (Tier-2 Analyst)" (@n8n/n8n-nodes-langchain.openAi) is a read-only external call with no retry configured.. sideEffect: read_only, role: ai_model_call. Read-only calls are typically safe to retry; enabling retryOnFail improves resilience to transient failures. | LLM Triage (Tier-2 Analyst) | Info | 70% |