Javier Rieiro This workflow corresponds to n8n.io template #10801 — we link there as the canonical source.
This workflow follows the Agent → Form Trigger recipe pattern — see all workflows that pair these two integrations.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →
{
"meta": {
"templateCredsSetupCompleted": true
},
"nodes": [
{
"id": "b2d667b2-79bf-4735-b053-21247331b94e",
"name": "Form",
"type": "n8n-nodes-base.formTrigger",
"position": [
256,
-1440
],
"parameters": {
"options": {},
"formTitle": "AI-Powered Code Analyzer",
"formFields": {
"values": [
{
"fieldLabel": "Single File URL",
"placeholder": "https://raw.githubusercontent.com/Py-Us3r/PyHT-Python-Hacking-Toolkit/refs/heads/main/main.py"
},
{
"fieldType": "checkbox",
"fieldLabel": "AI-Powered Code Analyzer",
"fieldOptions": {
"values": [
{
"option": "AI JavaScript Expert"
},
{
"option": "AI PHP Expert"
},
{
"option": "AI Python Expert"
}
]
},
"requiredField": true
}
]
},
"formDescription": "Only one option can be selected from the three: (GitHub Repository, Domain To Crawl, Single File URL)."
},
"typeVersion": 2.3
},
{
"id": "2b9de0ad-57ef-4bc0-9cbb-2f6d64fbb392",
"name": "JavaScript Expert Agent (Single URL)",
"type": "@n8n/n8n-nodes-langchain.agent",
"onError": "continueRegularOutput",
"position": [
1184,
-1952
],
"parameters": {
"text": "={{ $('Form').item.json['Single File URL'] }}",
"options": {
"systemMessage": "=Eres un agente automatizado de auditor\u00eda de seguridad con 20 a\u00f1os de experiencia en ciberseguridad y especialidad en JavaScript. Sigue estas reglas sin excepci\u00f3n.\n\nEntrada: lista de URLs .js proporcionadas por el usuario. Nunca acceder a URLs fuera de esa lista.\n\nObjetivo: detectar \u00fanicamente vulnerabilidades explotables en cada archivo .js y reportarlas en JSON exacto (esquema abajo). No expliques nada. No incluyas payloads, pasos de explotaci\u00f3n, recomendaciones ni metadatos adicionales.\n\nProcedimiento:\n\nHacer HTTP GET.\n\nSi status != 200 o body vac\u00edo \u2192 registrar internamente y continuar.\n\nTruncar body a 20000 bytes si es mayor.\n\nParsear JS (AST + regex heur\u00edsticos).\n\nDetectar vulnerabilidades explotables: DOM XSS, reflected XSS, stored XSS, RCE v\u00eda eval/new/Function, insecure deserialization, CSRF en llamadas AJAX sin token, info-leak de secretos, insecure use of innerHTML/outerHTML/document.write with untrusted input, insecure direct object refs in client logic. Priorizar hallazgos con evidencia de cadena de flujo taint (entrada \u2192 sink).\n\nPara cada hallazgo generar evidencia m\u00ednima: fragmento de c\u00f3digo y n\u00famero de l\u00ednea(s).\n\nParar cuando: todas las URLs procesadas, alcanzado max_iteraciones o timeout_total.\n\nL\u00edmites operativos:\n\nmax_iteraciones: 50\n\ntasa: <= 5 requests/s\n\ntimeout por request: 10s\n\ntimeout_total ejecuci\u00f3n: 300s\n\ncheckpoint_interval: 5\n\ntama\u00f1o m\u00e1ximo por item: 20000 bytes (truncar)\n\nReglas firmes:\n\nNunca usar credenciales encontradas.\n\nTodos los resultados deben ser \u00fanicos y distintos de la entrada.\n\nNo devolver nada fuera del JSON final.\n\nSi la solicitud es ilegal u ofensiva, rechazar y devolver JSON vac\u00edo: {\"results\": []}.\n\nFormato de salida obligatorio (exacto, sin a\u00f1adidos):\n{\n\"results\": [\n{\n\"url\": \"<filename_or_url>\",\n\"code\": \"<breve: linea(s) y fragmento>\",\n\"severity\": \"medium|high|critical\",\n\"vuln\": \"<tipo de vulnerabilidad ejemplo (DOM XSS)>\"\n}\n]\n}\n\nSalida final: \u00fanica respuesta JSON v\u00e1lida que contenga solo el objeto anterior. Reportar \u00fanicamente vulnerabilidades explotables. Nada m\u00e1s."
},
"promptType": "define"
},
"typeVersion": 2.2
},
{
"id": "1a4de4a3-62df-416a-bf5f-6a734456a7ba",
"name": "OpenAI JavaScript (Single URL)",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
1136,
-1792
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": {}
},
"credentials": {
"openAiApi": {
"name": "<your credential>"
}
},
"typeVersion": 1.2
},
{
"id": "2c7a82e2-8621-47d1-ad13-7bf2040f0a92",
"name": "HTTP Request JavaScript (Single URL)",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
1376,
-1792
],
"parameters": {
"url": "={{ $('Form').item.json['Single File URL'] }}",
"options": {
"timeout": 20000
}
},
"typeVersion": 4.2
},
{
"id": "1927e2e7-c928-4f1f-9544-a992d4f0a2db",
"name": "Prettify JavaScript Results (Single URL)",
"type": "n8n-nodes-base.code",
"onError": "continueRegularOutput",
"position": [
1600,
-1952
],
"parameters": {
"jsCode": "return items.map(item => {\n let raw = item.json.output;\n\n try {\n if (typeof raw === 'string') {\n raw = raw.trim();\n if (raw.startsWith('{') === false) {\n raw = raw.replace(/^\"+|\"+$/g, '').replace(/\\\\\"/g, '\"');\n }\n raw = JSON.parse(raw);\n }\n } catch (err) {\n return {\n json: { error: 'Invalid JSON input', message: err.message, raw: item.json.output }\n };\n }\n\n return {\n json: raw\n };\n});\n"
},
"typeVersion": 2
},
{
"id": "2996701f-4618-45f5-9fb6-71ff9fa15f96",
"name": "Split JavaScript Expert Results (Single URL)",
"type": "n8n-nodes-base.splitOut",
"position": [
1824,
-1952
],
"parameters": {
"options": {},
"fieldToSplitOut": "results"
},
"typeVersion": 1
},
{
"id": "0ffc6d63-d2af-458b-8640-0d00de0d230b",
"name": "Remove JavaScript Empty Results (Single URL)",
"type": "n8n-nodes-base.filter",
"onError": "continueRegularOutput",
"position": [
2032,
-1952
],
"parameters": {
"options": {},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "cf2d9759-b91c-451f-b830-5f33d0c38fee",
"operator": {
"type": "string",
"operation": "exists",
"singleValue": true
},
"leftValue": "={{ $json.url }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "17dd4580-e1b6-42ae-9b2b-e369b5e75593",
"name": "Create HTML Table JavaScript (Single URL)",
"type": "n8n-nodes-base.html",
"position": [
2240,
-1952
],
"parameters": {
"options": {
"capitalize": true
},
"operation": "convertToHtmlTable"
},
"typeVersion": 1.2
},
{
"id": "3109c99e-aecd-4f08-a6fa-800b48e594f6",
"name": "Create HTML Template JavaScript (Single URL)",
"type": "n8n-nodes-base.html",
"position": [
2464,
-1952
],
"parameters": {
"html": "<style>\ntable {\n width: 100%;\n border-collapse: collapse;\n font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n box-shadow: 0 4px 20px rgba(0,0,0,0.1);\n border-radius: 10px;\n overflow: hidden;\n}\n\nthead th {\n background-color: #1f78d1;\n color: #ffffff;\n text-align: left;\n padding: 12px 15px;\n font-size: 14px;\n letter-spacing: 0.5px;\n}\n\ntbody tr {\n background-color: #ffffff;\n transition: background-color 0.3s ease;\n}\n\ntbody tr:nth-child(even) {\n background-color: #f4f6f8;\n}\n\ntbody tr:hover {\n background-color: #e1efff;\n}\n\ntbody td {\n padding: 12px 15px;\n font-size: 13px;\n color: #333333;\n border-bottom: 1px solid #e0e0e0;\n}\n\ntbody tr:last-child td {\n border-bottom: none;\n}\n\n@media screen and (max-width: 768px) {\n table {\n display: block;\n overflow-x: auto;\n white-space: nowrap;\n }\n}\n</style>\n\n{{ $json.table }}"
},
"typeVersion": 1.2
},
{
"id": "e2399b44-f2d3-4148-8132-f1c7039353b7",
"name": "PHP Expert Agent (Single URL)",
"type": "@n8n/n8n-nodes-langchain.agent",
"onError": "continueRegularOutput",
"position": [
1168,
-1440
],
"parameters": {
"text": "={{ $('Form').item.json['Single File URL'] }}",
"options": {
"systemMessage": "=Eres un agente automatizado de auditor\u00eda de seguridad con 20 a\u00f1os de experiencia en ciberseguridad y especialidad en PHP. Sigue estas reglas sin excepci\u00f3n.\n\nEntrada: URL .php proporcionada por el usuario. Nunca acceder a URLs fuera de esa lista ni ejecutar c\u00f3digo remoto o local. S\u00f3lo an\u00e1lisis est\u00e1tico de los cuerpos que se obtengan por HTTP GET.\n\nObjetivo: detectar **\u00fanicamente** vulnerabilidades explotables en el archivo .php y reportarlas en JSON exacto (esquema abajo). **No expliques nada**. No incluyas payloads, pasos de explotaci\u00f3n, recomendaciones ni metadatos adicionales.\n\nProcedimiento:\n\n1. Hacer la petici\u00f3n.\n * Hacer HTTP GET (solo a las URLs en la lista).\n * Si `status != 200` o body vac\u00edo \u2192 registrar internamente y continuar con la siguiente URL.\n * Truncar body a 20000 bytes si es mayor.\n * Parsear PHP (AST est\u00e1tico cuando sea posible + heur\u00edsticos por regex).\n * Detectar **vulnerabilidades explotables** (ver lista abajo). Priorizar hallazgos que incluyan evidencia de **cadena de flujo taint** (entrada \u2192 sink).\n * Para cada hallazgo generar evidencia m\u00ednima: fragmento de c\u00f3digo y n\u00famero(s) de l\u00ednea.\n2. Guardar checkpoint cada `checkpoint_interval` iteraciones (estado interno).\n3. Parar cuando: todas las URLs procesadas, alcanzado `max_iteraciones` o `timeout_total`.\n\nVulnerabilidades a detectar (no exhaustivo; centrarse en hallazgos explotables):\n\n* SQL Injection (uso de `mysqli_query`, `PDO->query`, concatenaci\u00f3n en consultas sin prepared statements).\n* Remote/Local File Inclusion (RFI/LFI) via `include`, `require`, `include_once`, `require_once` con input controlable.\n* Command Injection / RCE v\u00eda `exec`, `system`, `passthru`, `shell_exec`, backticks (`` `cmd` ``), `popen`, `proc_open`.\n* Unsafe `eval`, `create_function`, `preg_replace` con la bandera `/e`, `assert()` con input, `eval()` en general.\n* Insecure deserialization (`unserialize` on untrusted input, `__wakeup`/`__destruct` gadget chains evidence).\n* Unsafe file operations: `file_put_contents`, `move_uploaded_file`, `fopen`, `fwrite` con rutas controlables (path traversal).\n* Insecure file uploads (no valid mime/type checks, control del nombre del archivo, extensi\u00f3n permitida por input).\n* Cross-Site Scripting (reflected/stored) en outputs no escapados (echo/print/printf/?> ... <?php) con input directo.\n* CSRF: formularios o endpoints que cambian estado sin token/CSRF protection detectable en c\u00f3digo cliente/servidor.\n* Information leakage: exposici\u00f3n de credenciales/keys/secrets en c\u00f3digo fuente o logs (reportar solo si evidencia clara).\n* Insecure cookie/session handling: falta de `HttpOnly`/`Secure`/`SameSite`, uso inseguro de `session_start()` sin regenerar ID en privilegio escalation flows.\n* Header injection via `header()` con input no sanitizado.\n* Insecure use of `file_get_contents`, `fopen` con URL wrappers (`http://`, `php://`) sobre input no fiable.\n* Unsafe use of `extract($_REQUEST|$_GET|$_POST)` or `foreach($_REQUEST as ...)` que introducen variables controlables.\n* Unsafe dynamic includes/variable variables (`$$var`) y construcciones que permiten control de rutas o nombres de funciones.\n* Insecure direct object references (ID manipulation) detectables en l\u00f3gica cliente/servidor.\n* Cualquier otra construcci\u00f3n en PHP que permita flujo explotable desde entrada (GET/POST/Cookie/Headers) hacia un sink cr\u00edtico.\n\nEvidencia requerida por hallazgo:\n\n* `\"code\"` debe contener **breve** evidencia: l\u00ednea(s) y fragmento de c\u00f3digo que muestre la relaci\u00f3n entrada\u2192sink (por ejemplo: `45: $q = \"SELECT ...\". $_GET['id']; mysqli_query($conn, $q);`).\n* Debe incluir n\u00fameros de l\u00ednea precisos relativos al cuerpo analizado (si se trunc\u00f3, l\u00ednea contigua aproximada).\n* No incluir payloads ni instrucciones de explotaci\u00f3n.\n\nL\u00edmites operativos:\n\n* `max_iteraciones`: 50\n* tasa: <= 5 requests/s\n* timeout por request: 10s\n* timeout_total ejecuci\u00f3n: 300s\n* `checkpoint_interval`: 5\n* tama\u00f1o m\u00e1ximo por item: 20000 bytes (truncar)\n\nReglas firmes:\n\n* Nunca ejecutar el c\u00f3digo PHP obtenido ni incluir/require recursos remotos.\n* Nunca usar credenciales encontradas.\n* Todos los resultados deben ser \u00fanicos y distintos de la entrada.\n* No devolver nada fuera del JSON final.\n* Si la solicitud es ilegal u ofensiva, rechazar y devolver JSON vac\u00edo: `{\"results\": []}`.\n* No proporcionar pasos de explotaci\u00f3n, payloads, recomendaciones, ni metadatos adicionales.\n\nFormato de salida obligatorio (exacto, sin a\u00f1adidos). La \u00fanica respuesta final debe ser **\u00fanico** JSON v\u00e1lido que contenga solo esto:\n{\n\"results\": [\n{\n\"url\": \"<filename_or_url>\",\n\"code\": \"<breve: linea(s) y fragmento>\",\n\"severity\": \"low|medium|high|critical\",\n\"vuln\": \"<tipo de vulnerabilidad ejemplo (SQL Injection)>\"\n}\n]\n}\n\nSalida final: \u00fanica respuesta JSON v\u00e1lida que contenga s\u00f3lo el objeto anterior. Reportar \u00fanicamente vulnerabilidades explotables. Nada m\u00e1s."
},
"promptType": "define"
},
"typeVersion": 2.2
},
{
"id": "b6280a47-cc56-4dfe-b770-4490853952a5",
"name": "OpenAI PHP (Single URL)",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
1104,
-1280
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": {}
},
"credentials": {
"openAiApi": {
"name": "<your credential>"
}
},
"typeVersion": 1.2
},
{
"id": "360827e6-bb5a-4a63-8341-f94836c86f97",
"name": "HTTP Request PHP (Single URL)",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
1360,
-1280
],
"parameters": {
"url": "={{ $('Form').item.json['Single File URL'] }}",
"options": {
"timeout": 20000
}
},
"typeVersion": 4.2
},
{
"id": "009e395f-e2e2-40fa-8070-b529ca507be4",
"name": "Prettify PHP Results (Single URL)",
"type": "n8n-nodes-base.code",
"onError": "continueRegularOutput",
"position": [
1584,
-1440
],
"parameters": {
"jsCode": "return items.map(item => {\n let raw = item.json.output;\n\n try {\n if (typeof raw === 'string') {\n raw = raw.trim();\n if (raw.startsWith('{') === false) {\n raw = raw.replace(/^\"+|\"+$/g, '').replace(/\\\\\"/g, '\"');\n }\n raw = JSON.parse(raw);\n }\n } catch (err) {\n return {\n json: { error: 'Invalid JSON input', message: err.message, raw: item.json.output }\n };\n }\n\n return {\n json: raw\n };\n});\n"
},
"typeVersion": 2
},
{
"id": "abe7ad7f-9434-4ecd-b3f0-c787523131ec",
"name": "Split PHP Expert Results (Single URL)",
"type": "n8n-nodes-base.splitOut",
"position": [
1808,
-1440
],
"parameters": {
"options": {},
"fieldToSplitOut": "results"
},
"typeVersion": 1
},
{
"id": "2954ff90-a5e1-47f4-933b-6ffe4cef1077",
"name": "Remove PHP Empty Results (Single URL)",
"type": "n8n-nodes-base.filter",
"onError": "continueRegularOutput",
"position": [
2016,
-1440
],
"parameters": {
"options": {},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "cf2d9759-b91c-451f-b830-5f33d0c38fee",
"operator": {
"type": "string",
"operation": "exists",
"singleValue": true
},
"leftValue": "={{ $json.url }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "dce1e187-414a-49a4-9c65-5c46cacce354",
"name": "Create HTML Table PHP (Single URL)",
"type": "n8n-nodes-base.html",
"position": [
2224,
-1440
],
"parameters": {
"options": {
"capitalize": true
},
"operation": "convertToHtmlTable"
},
"typeVersion": 1.2
},
{
"id": "2116cf2c-df44-4479-b3e9-1c787910651d",
"name": "Create HTML Template PHP (Single URL)",
"type": "n8n-nodes-base.html",
"position": [
2448,
-1440
],
"parameters": {
"html": "<style>\ntable {\n width: 100%;\n border-collapse: collapse;\n font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n box-shadow: 0 4px 20px rgba(0,0,0,0.1);\n border-radius: 10px;\n overflow: hidden;\n}\n\nthead th {\n background-color: #1f78d1;\n color: #ffffff;\n text-align: left;\n padding: 12px 15px;\n font-size: 14px;\n letter-spacing: 0.5px;\n}\n\ntbody tr {\n background-color: #ffffff;\n transition: background-color 0.3s ease;\n}\n\ntbody tr:nth-child(even) {\n background-color: #f4f6f8;\n}\n\ntbody tr:hover {\n background-color: #e1efff;\n}\n\ntbody td {\n padding: 12px 15px;\n font-size: 13px;\n color: #333333;\n border-bottom: 1px solid #e0e0e0;\n}\n\ntbody tr:last-child td {\n border-bottom: none;\n}\n\n@media screen and (max-width: 768px) {\n table {\n display: block;\n overflow-x: auto;\n white-space: nowrap;\n }\n}\n</style>\n\n{{ $json.table }}"
},
"typeVersion": 1.2
},
{
"id": "392421e5-6c85-4ab7-acf4-7cbebb169fed",
"name": "Python Expert Agent (Single URL)",
"type": "@n8n/n8n-nodes-langchain.agent",
"onError": "continueRegularOutput",
"position": [
1168,
-960
],
"parameters": {
"text": "={{ $('Form').item.json['Single File URL'] }}",
"options": {
"systemMessage": "=Eres un agente automatizado de auditor\u00eda de seguridad con 20 a\u00f1os de experiencia en ciberseguridad y especialidad en Python. Sigue estas reglas sin excepci\u00f3n.\n\nEntrada: URL .py proporcionada por el usuario. Nunca acceder a URLs fuera de esa lista.\n\nObjetivo: detectar \u00fanicamente vulnerabilidades explotables en cada archivo .py y reportarlas en JSON exacto (esquema abajo). No expliques nada. No incluyas payloads, pasos de explotaci\u00f3n, recomendaciones ni metadatos adicionales.\n\nProcedimiento:\n\na. Hacer HTTP GET.\nb. Si status != 200 o body vac\u00edo \u2192 registrar internamente y continuar.\nc. Truncar body a 20000 bytes si es mayor.\nd. Parsear Python (AST + regex heur\u00edsticos).\ne. Detectar vulnerabilidades explotables. Buscar y priorizar hallazgos con evidencia de cadena de flujo taint (entrada \u2192 sink).\n\nPara cada hallazgo generar evidencia m\u00ednima: fragmento de c\u00f3digo y n\u00famero de l\u00ednea(s).\n\nGuardar checkpoint cada checkpoint_interval iteraciones.\n\nParar cuando: todas las URLs procesadas, alcanzado max_iteraciones o timeout_total.\n\nVulnerabilidades a detectar (no limitativo; s\u00f3lo reportar si hay evidencia explotable):\n\nRemote Code Execution via eval/exec/compile/importlib.exec_module/new module construction.\n\nCommand injection / shell injection via os.system, subprocess.call/Popen/run with shell=True o con argumentos concatenados.\n\nInsecure deserialization: pickle, cPickle, yaml.load (sin SafeLoader), marshal, jsonpickle u otros deserializadores inseguros.\n\nUnsafe use of subprocess with untrusted input.\n\nSQL injection en consultas construidas por string o f-strings hacia DB-APIs (execute, raw SQL en ORM).\n\nPath traversal / file overwrite via os.path.join/open con entradas controlables.\n\nServer-Side Template Injection (SSTI) en motores de plantillas usados de forma insegura (Jinja2.Template(...).render con input no saneado).\n\nCross-Site Request Forgery (CSRF) en endpoints/server-side handlers (faltan tokens CSRF en POST state-changing handlers) cuando sea detectable en c\u00f3digo.\n\nInsecure XML parsing / XXE via xml.etree, lxml, defusedxml no usado.\n\nServer-Side Request Forgery (SSRF) por requests/urllib llamadas con URLs controlables.\n\nInformation leakage de secretos (hardcoded keys/tokens) s\u00f3lo si comprobable en c\u00f3digo.\n\nInsecure use of tempfile / predictable filenames leading to TOCTOU.\n\nUnsafe dynamic import or attribute access (getattr import with user input).\n\nUse of insecure crypto primitives or misuse of crypto APIs that lead to exploitable weaknesses (por ejemplo, uso de ECB sin IV si es claramente inseguro y explotable).\n\nInsecure handling of JWTs, sessions, or auth tokens detectable en c\u00f3digo.\n\nInsecure use of eval/exec en f-strings o format con input externo.\n\nAny other server-side vulnerability where trazabilidad entrada\u2192sink es evidente.\n\nEvidencia y priorizaci\u00f3n:\n\nPriorizar hallazgos con cadena de flujo taint clara (input externo \u2192 procesamiento \u2192 sink).\n\nPara cada hallazgo incluir fragmento m\u00ednimo de c\u00f3digo y l\u00edneas afectadas.\n\nSeverity: medium|high|critical seg\u00fan impacto y facilidad de explotaci\u00f3n.\n\nL\u00edmites operativos:\n\nmax_iteraciones: 50\n\ntasa: <= 5 requests/s\n\ntimeout por request: 10s\n\ntimeout_total ejecuci\u00f3n: 300s\n\ncheckpoint_interval: 5\n\ntama\u00f1o m\u00e1ximo por item: 20000 bytes (truncar)\n\nReglas firmes:\n\nNunca usar credenciales encontradas.\n\nTodos los resultados deben ser \u00fanicos y distintos de la entrada.\n\nNo devolver nada fuera del JSON final.\n\nSi la solicitud es ilegal u ofensiva, rechazar y devolver JSON vac\u00edo: {\"results\": []}.\n\nNo incluir payloads, pasos, recomendaciones ni metadatos adicionales.\n\nFormato de salida obligatorio (exacto, sin a\u00f1adidos):\n{\n\"results\": [\n{\n\"url\": \"<filename_or_url>\",\n\"code\": \"<breve: linea(s) y fragmento>\",\n\"severity\": \"medium|high|critical\",\n\"vuln\": \"<tipo de vulnerabilidad ejemplo (RCE via eval/exec)>\"\n}\n]\n}\n\nSalida final: \u00fanica respuesta JSON v\u00e1lida que contenga solo el objeto anterior. Reportar \u00fanicamente vulnerabilidades explotables. Nada m\u00e1s."
},
"promptType": "define"
},
"typeVersion": 2.2
},
{
"id": "48cf67e8-a491-4dca-b4f7-6234da633ae9",
"name": "OpenAI Python (Single URL)",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
1104,
-800
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": {}
},
"credentials": {
"openAiApi": {
"name": "<your credential>"
}
},
"typeVersion": 1.2
},
{
"id": "90e5e8c5-7608-41ea-8992-3f70e70114eb",
"name": "HTTP Request Python (Single URL)",
"type": "n8n-nodes-base.httpRequestTool",
"position": [
1376,
-800
],
"parameters": {
"url": "={{ $('Form').item.json['Single File URL'] }}",
"options": {
"timeout": 20000
}
},
"typeVersion": 4.2
},
{
"id": "b5a5a5af-5de7-4dca-b869-c6d42d5baba3",
"name": "Prettify Python Results (Single URL)",
"type": "n8n-nodes-base.code",
"onError": "continueRegularOutput",
"position": [
1584,
-960
],
"parameters": {
"jsCode": "return items.map(item => {\n let raw = item.json.output;\n\n try {\n if (typeof raw === 'string') {\n raw = raw.trim();\n if (raw.startsWith('{') === false) {\n raw = raw.replace(/^\"+|\"+$/g, '').replace(/\\\\\"/g, '\"');\n }\n raw = JSON.parse(raw);\n }\n } catch (err) {\n return {\n json: { error: 'Invalid JSON input', message: err.message, raw: item.json.output }\n };\n }\n\n return {\n json: raw\n };\n});\n"
},
"typeVersion": 2
},
{
"id": "44d18d07-1e5f-4037-97a8-24b4b5629abe",
"name": "Split Python Expert Results (Single URL)",
"type": "n8n-nodes-base.splitOut",
"position": [
1808,
-960
],
"parameters": {
"options": {},
"fieldToSplitOut": "results"
},
"typeVersion": 1
},
{
"id": "6b911bfe-d17f-40b4-a88f-92d728f0ef8a",
"name": "Remove Python Empty Results (Single URL)",
"type": "n8n-nodes-base.filter",
"onError": "continueRegularOutput",
"position": [
2016,
-960
],
"parameters": {
"options": {},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "cf2d9759-b91c-451f-b830-5f33d0c38fee",
"operator": {
"type": "string",
"operation": "exists",
"singleValue": true
},
"leftValue": "={{ $json.url }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "fc52a773-242d-4d21-b4a9-0e5843b1417b",
"name": "Create HTML Table Python (Single URL)",
"type": "n8n-nodes-base.html",
"position": [
2224,
-960
],
"parameters": {
"options": {
"capitalize": true
},
"operation": "convertToHtmlTable"
},
"typeVersion": 1.2
},
{
"id": "34fa6102-9c34-477e-81de-cf1669cdf896",
"name": "Create HTML Template Python (Single URL)",
"type": "n8n-nodes-base.html",
"position": [
2448,
-960
],
"parameters": {
"html": "<style>\ntable {\n width: 100%;\n border-collapse: collapse;\n font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n box-shadow: 0 4px 20px rgba(0,0,0,0.1);\n border-radius: 10px;\n overflow: hidden;\n}\n\nthead th {\n background-color: #1f78d1;\n color: #ffffff;\n text-align: left;\n padding: 12px 15px;\n font-size: 14px;\n letter-spacing: 0.5px;\n}\n\ntbody tr {\n background-color: #ffffff;\n transition: background-color 0.3s ease;\n}\n\ntbody tr:nth-child(even) {\n background-color: #f4f6f8;\n}\n\ntbody tr:hover {\n background-color: #e1efff;\n}\n\ntbody td {\n padding: 12px 15px;\n font-size: 13px;\n color: #333333;\n border-bottom: 1px solid #e0e0e0;\n}\n\ntbody tr:last-child td {\n border-bottom: none;\n}\n\n@media screen and (max-width: 768px) {\n table {\n display: block;\n overflow-x: auto;\n white-space: nowrap;\n }\n}\n</style>\n\n{{ $json.table }}"
},
"typeVersion": 1.2
},
{
"id": "b30a7b4e-fc15-4cf3-99d3-aee4ca45ea49",
"name": "Split AI-Powered Code Analyzer (Single URL)",
"type": "n8n-nodes-base.splitOut",
"position": [
560,
-1440
],
"parameters": {
"options": {},
"fieldToSplitOut": "[\"AI-Powered Code Analyzer\"]"
},
"typeVersion": 1
},
{
"id": "75349730-2ef1-494f-8afa-e9768292c1dd",
"name": "Python Expert (Single URL)",
"type": "n8n-nodes-base.switch",
"position": [
912,
-960
],
"parameters": {
"rules": {
"values": [
{
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "9a36ec9a-2f1e-44ab-b8ec-a39c73604021",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json[\"[\\\"AI-Powered Code Analyzer\\\"]\"] }}",
"rightValue": "AI Python Expert"
}
]
}
}
]
},
"options": {}
},
"typeVersion": 3.3
},
{
"id": "011dc1b8-22ed-42f9-9942-8df89e9469b8",
"name": "PHP Expert (Single URL)",
"type": "n8n-nodes-base.switch",
"position": [
912,
-1440
],
"parameters": {
"rules": {
"values": [
{
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "9a36ec9a-2f1e-44ab-b8ec-a39c73604021",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json[\"[\\\"AI-Powered Code Analyzer\\\"]\"] }}",
"rightValue": "AI PHP Expert"
}
]
}
}
]
},
"options": {}
},
"typeVersion": 3.3
},
{
"id": "6b57f602-1d06-43a9-98fa-a9c924181f2d",
"name": "JavaScript Expert (Single URL)",
"type": "n8n-nodes-base.switch",
"position": [
928,
-1952
],
"parameters": {
"rules": {
"values": [
{
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "9a36ec9a-2f1e-44ab-b8ec-a39c73604021",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json[\"[\\\"AI-Powered Code Analyzer\\\"]\"] }}",
"rightValue": "AI JavaScript Expert"
}
]
}
}
]
},
"options": {}
},
"typeVersion": 3.3
},
{
"id": "bf36a074-82fc-4617-b356-bc6f33ffbc3a",
"name": "Sticky Note1",
"type": "n8n-nodes-base.stickyNote",
"position": [
-608,
-2144
],
"parameters": {
"width": 720,
"height": 864,
"content": "# \u2699\ufe0f SET UP\n\n## \ud83e\udd16 1. Set Up OpenAI Connection\n\n### \ud83d\udd10 Get Your API Key\n\n1. Visit the [\ud83d\udd17 OpenAI API Keys](https://platform.openai.com/api-keys) page. \n2. Go to [\ud83d\udcb3 OpenAI Billing](https://platform.openai.com/settings/organization/billing/overview). \n3. Add funds to your billing account. \n4. \ud83d\udce5 Copy your API key and paste it into your **OpenAI credentials** in n8n (or your chosen platform). \n\n---\n\n## \u2601\ufe0f 2. Set Up Google Drive\n\n### \ud83d\udd11 Google Drive API\n\n1. Go to [Google Cloud Console](https://console.cloud.google.com/). \n2. Create or select a project. \n3. Navigate to **APIs & Services \u2192 Library**. \n4. Search **Google Drive API** and click **Enable**. \n5. Go to **APIs & Services \u2192 Credentials \u2192 Create Credentials \u2192 OAuth client ID**. \n6. Choose **Web application** or **Desktop app** depending on your setup. \n7. Add authorized redirect URIs if needed (for **n8n**, use `https://app.n8n.cloud/rest/oauth2-credential/callback`). \n8. Click **Create**. \n9. Copy the **Client ID** and **Client Secret**. \n10. In **n8n**, go to **Credentials \u2192 New \u2192 Google Drive**. \n11. Paste the **Client ID** and **Client Secret**. \n12. Authenticate your Google account. \n13. \ud83d\udcbe Save and test your connection.\n\n---\n\n"
},
"typeVersion": 1
},
{
"id": "782a30fd-e8f1-4a57-97ea-ff24e6c424c6",
"name": "Sticky Note9",
"type": "n8n-nodes-base.stickyNote",
"position": [
-608,
-704
],
"parameters": {
"color": 6,
"width": 720,
"height": 112,
"content": "# \ud83d\udcec Need Help or Want to Customize This?\n## **Contact me for consulting and support:** [LinkedIn](https://www.linkedin.com/in/javier-rieiro-2900b5354/) / [Email](mailto:pyus3r@gmail.com)"
},
"typeVersion": 1
},
{
"id": "d4d4224c-09f6-4177-9a83-b400869cd1da",
"name": "Sticky Note2",
"type": "n8n-nodes-base.stickyNote",
"position": [
-608,
-1280
],
"parameters": {
"color": 4,
"width": 720,
"height": 576,
"content": "# \ud83d\ude80 HOW TO USE\n\n---\n### \ud83d\udcc4 Single File URL\nDirect URL to the raw file (e.g., `https://raw.githubusercontent.com/.../main.py`). \nUseful to analyze a single file.\n\n### \ud83e\udd16 AI-Powered Code Analyzer (checkboxes)\nSelect one or more options based on the language you want the AI to analyze. \nThis field is **mandatory**.\n"
},
"typeVersion": 1
},
{
"id": "1b2eadfe-41cb-4b73-af3c-af5bd6e8624c",
"name": "Upload HTML JavaScript Report (Single URL)",
"type": "n8n-nodes-base.googleDrive",
"position": [
2688,
-1952
],
"parameters": {
"name": "=JavaScript Single URL {{ (() => {const d=new Date();return `${String(d.getDate()).padStart(2,'0')}-${String(d.getMonth()+1).padStart(2,'0')}-${d.getFullYear()} (${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')})`;})() }}.html",
"content": "={{ $json.html }}",
"driveId": {
"__rl": true,
"mode": "list",
"value": "My Drive"
},
"options": {},
"folderId": {
"__rl": true,
"mode": "list",
"value": "root",
"cachedResultName": "/ (Root folder)"
},
"operation": "createFromText"
},
"credentials": {
"googleDriveOAuth2Api": {
"name": "<your credential>"
}
},
"typeVersion": 3
},
{
"id": "6c8f063d-f098-48de-932a-c06fb5897ebe",
"name": "Upload HTML PHP Report (Single URL)",
"type": "n8n-nodes-base.googleDrive",
"position": [
2672,
-1440
],
"parameters": {
"name": "=PHP Single URL {{ (() => {const d=new Date();return `${String(d.getDate()).padStart(2,'0')}-${String(d.getMonth()+1).padStart(2,'0')}-${d.getFullYear()} (${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')})`;})() }}.html",
"content": "={{ $json.html }}",
"driveId": {
"__rl": true,
"mode": "list",
"value": "My Drive"
},
"options": {},
"folderId": {
"__rl": true,
"mode": "list",
"value": "root",
"cachedResultName": "/ (Root folder)"
},
"operation": "createFromText"
},
"credentials": {
"googleDriveOAuth2Api": {
"name": "<your credential>"
}
},
"typeVersion": 3
},
{
"id": "64798e6e-da1c-4906-9edd-2d683ed3f6c7",
"name": "Upload HTML Python Report (Single URL)",
"type": "n8n-nodes-base.googleDrive",
"position": [
2672,
-960
],
"parameters": {
"name": "=Python Single URL {{ (() => {const d=new Date();return `${String(d.getDate()).padStart(2,'0')}-${String(d.getMonth()+1).padStart(2,'0')}-${d.getFullYear()} (${String(d.getHours()).padStart(2,'0')}:${String(d.getMinutes()).padStart(2,'0')})`;})() }}.html",
"content": "={{ $json.html }}",
"driveId": {
"__rl": true,
"mode": "list",
"value": "My Drive"
},
"options": {},
"folderId": {
"__rl": true,
"mode": "list",
"value": "root",
"cachedResultName": "/ (Root folder)"
},
"operation": "createFromText"
},
"credentials": {
"googleDriveOAuth2Api": {
"name": "<your credential>"
}
},
"typeVersion": 3
},
{
"id": "26c861a0-b080-4d21-a0b2-376da323d356",
"name": "Sticky Note6",
"type": "n8n-nodes-base.stickyNote",
"position": [
224,
-1968
],
"parameters": {
"color": 4,
"width": 150,
"height": 80,
"content": "## Form Input"
},
"typeVersion": 1
},
{
"id": "c2048e4c-03db-4b6d-8bcf-a0828b3680dc",
"name": "Sticky Note7",
"type": "n8n-nodes-base.stickyNote",
"position": [
160,
-1600
],
"parameters": {
"color": 4,
"width": 304,
"height": 464,
"content": ""
},
"typeVersion": 1
},
{
"id": "baa83203-afad-4048-b215-3dadaa660675",
"name": "Sticky Note8",
"type": "n8n-nodes-base.stickyNote",
"position": [
400,
-2080
],
"parameters": {
"color": 2,
"width": 150,
"height": 80,
"content": "## JavaScript Analyzer"
},
"typeVersion": 1
},
{
"id": "de4f12ba-e524-4c00-8344-fa99e08fdfa6",
"name": "Sticky Note10",
"type": "n8n-nodes-base.stickyNote",
"position": [
400,
-1968
],
"parameters": {
"color": 6,
"width": 150,
"height": 80,
"content": "## PHP Analyzer"
},
"typeVersion": 1
},
{
"id": "fc22100a-4ebd-4338-98f6-51c0648a7e8c",
"name": "Sticky Note11",
"type": "n8n-nodes-base.stickyNote",
"position": [
400,
-1856
],
"parameters": {
"color": 5,
"width": 150,
"height": 80,
"content": "## Python Analyzer"
},
"typeVersion": 1
},
{
"id": "5a7e4090-d618-417f-a9eb-cb33008613b7",
"name": "Sticky Note3",
"type": "n8n-nodes-base.stickyNote",
"position": [
112,
-2144
],
"parameters": {
"color": 7,
"width": 2832,
"height": 1552,
"content": "# "
},
"typeVersion": 1
},
{
"id": "b5380e71-e2f5-48e0-94f5-06df30811fb2",
"name": "Sticky Note5",
"type": "n8n-nodes-base.stickyNote",
"position": [
784,
-1600
],
"parameters": {
"color": 6,
"width": 2080,
"height": 464,
"content": ""
},
"typeVersion": 1
},
{
"id": "533a62e1-078c-4521-ae09-b3005226256d",
"name": "Sticky Note13",
"type": "n8n-nodes-base.stickyNote",
"position": [
784,
-2096
],
"parameters": {
"color": 2,
"width": 2080,
"height": 464,
"content": ""
},
"typeVersion": 1
},
{
"id": "771b48b8-12e7-48b3-a167-bd33e8d5823d",
"name": "Sticky Note14",
"type": "n8n-nodes-base.stickyNote",
"position": [
800,
-1104
],
"parameters": {
"color": 5,
"width": 2064,
"height": 464,
"content": ""
},
"typeVersion": 1
}
],
"connections": {
"Form": {
"main": [
[
{
"node": "Split AI-Powered Code Analyzer (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"OpenAI PHP (Single URL)": {
"ai_languageModel": [
[
{
"node": "PHP Expert Agent (Single URL)",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"PHP Expert (Single URL)": {
"main": [
[
{
"node": "PHP Expert Agent (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"OpenAI Python (Single URL)": {
"ai_languageModel": [
[
{
"node": "Python Expert Agent (Single URL)",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"Python Expert (Single URL)": {
"main": [
[
{
"node": "Python Expert Agent (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"HTTP Request PHP (Single URL)": {
"ai_tool": [
[
{
"node": "PHP Expert Agent (Single URL)",
"type": "ai_tool",
"index": 0
}
]
]
},
"PHP Expert Agent (Single URL)": {
"main": [
[
{
"node": "Prettify PHP Results (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"JavaScript Expert (Single URL)": {
"main": [
[
{
"node": "JavaScript Expert Agent (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"OpenAI JavaScript (Single URL)": {
"ai_languageModel": [
[
{
"node": "JavaScript Expert Agent (Single URL)",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"HTTP Request Python (Single URL)": {
"ai_tool": [
[
{
"node": "Python Expert Agent (Single URL)",
"type": "ai_tool",
"index": 0
}
]
]
},
"Python Expert Agent (Single URL)": {
"main": [
[
{
"node": "Prettify Python Results (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Prettify PHP Results (Single URL)": {
"main": [
[
{
"node": "Split PHP Expert Results (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Create HTML Table PHP (Single URL)": {
"main": [
[
{
"node": "Create HTML Template PHP (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"HTTP Request JavaScript (Single URL)": {
"ai_tool": [
[
{
"node": "JavaScript Expert Agent (Single URL)",
"type": "ai_tool",
"index": 0
}
]
]
},
"JavaScript Expert Agent (Single URL)": {
"main": [
[
{
"node": "Prettify JavaScript Results (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Prettify Python Results (Single URL)": {
"main": [
[
{
"node": "Split Python Expert Results (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Create HTML Table Python (Single URL)": {
"main": [
[
{
"node": "Create HTML Template Python (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Create HTML Template PHP (Single URL)": {
"main": [
[
{
"node": "Upload HTML PHP Report (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Remove PHP Empty Results (Single URL)": {
"main": [
[
{
"node": "Create HTML Table PHP (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Split PHP Expert Results (Single URL)": {
"main": [
[
{
"node": "Remove PHP Empty Results (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Create HTML Template Python (Single URL)": {
"main": [
[
{
"node": "Upload HTML Python Report (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Prettify JavaScript Results (Single URL)": {
"main": [
[
{
"node": "Split JavaScript Expert Results (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Remove Python Empty Results (Single URL)": {
"main": [
[
{
"node": "Create HTML Table Python (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Split Python Expert Results (Single URL)": {
"main": [
[
{
"node": "Remove Python Empty Results (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Create HTML Table JavaScript (Single URL)": {
"main": [
[
{
"node": "Create HTML Template JavaScript (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Split AI-Powered Code Analyzer (Single URL)": {
"main": [
[
{
"node": "Python Expert (Single URL)",
"type": "main",
"index": 0
},
{
"node": "PHP Expert (Single URL)",
"type": "main",
"index": 0
},
{
"node": "JavaScript Expert (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Create HTML Template JavaScript (Single URL)": {
"main": [
[
{
"node": "Upload HTML JavaScript Report (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Remove JavaScript Empty Results (Single URL)": {
"main": [
[
{
"node": "Create HTML Table JavaScript (Single URL)",
"type": "main",
"index": 0
}
]
]
},
"Split JavaScript Expert Results (Single URL)": {
"main": [
[
{
"node": "Remove JavaScript Empty Results (Single URL)",
"type": "main",
"index": 0
}
]
]
}
}
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
googleDriveOAuth2ApiopenAiApi
Pro
For the full experience including quality scoring and batch install features for each workflow upgrade to Pro
About this workflow
This workflow automates static security analysis for JavaScript, PHP, and Python codebases. It’s designed for bug bounty hunters and security researchers who need fast, structured, and AI-assisted vulnerability detection across multiple sources. 🤖 AI-Powered Analysis:…
Source: https://n8n.io/workflows/10801/ — original creator credit. Request a take-down →
Related workflows
Workflows that share integrations, category, or trigger type with this one. All free to copy and import.
🎯 Create viral TikToks, Shorts, Reels, podcasts, and ASMR videos in minutes — all on autopilot.
OpenAI, HTTP Request, Form Trigger +7
🧠 Automate end-to-end SEO blog creation and WordPress publishing using a GPT-5 multi-agent workflow with real-time research, metadata generation, and optional featured images.
Output Parser Structured, HTTP Request, OpenAI +10
This is an automated blog post generation system that: Researches topics using AI agents and web search tools Writes complete blog posts with proper SEO structure Generates custom images for each post
Output Parser Structured, Google Gemini Chat, HTTP Request Tool +11
Get a 360 Social media presence report for a person
Form Trigger, Mcp Client Tool, Agent +5
This workflow transforms product images into professional marketing visuals by combining AI background generation, intelligent copywriting, and automated design templating. Upload a product photo, des
HTTP Request, Agent, OpenAI Chat +3