optimization track-skill-usage.mjs#28589
This script reads JSON input from stdin and sends anonymized telemetry data to the specified telemetry host, tracking skill usage in n8n.
| // ---- Constants ---- | ||
| const TELEMETRY_HOST = "https://telemetry.n8n.io"; | ||
| const TELEMETRY_WRITE_KEY = "1zPn7YoGC3ZXE9zLeTKLuQCB4F6"; |
Exposed secret in .claude/plugins/n8n/scripts/optimization track-skill-usage.mjs - high severity
Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
2 issues found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".claude/plugins/n8n/scripts/optimization track-skill-usage.mjs">
<violation number="1" location=".claude/plugins/n8n/scripts/optimization track-skill-usage.mjs:14">
P1: Custom agent: **Security Review**
Security Review (Credential & Secret Handling): do not hardcode API/write keys in source. Load the telemetry write key from runtime configuration instead.</violation>
<violation number="2" location=".claude/plugins/n8n/scripts/optimization track-skill-usage.mjs:101">
P2: Forced `process.exit(0)` in `finally` can terminate the process before fire-and-forget telemetry `fetch` completes.</violation>
</file>
Architecture diagram
```mermaid
sequenceDiagram
    participant P as n8n Claude Plugin
    participant S as track-skill-usage.mjs
    participant OS as Node.js / OS
    participant T as telemetry.n8n.io
    Note over P,T: NEW: Anonymized Telemetry Flow
    P->>S: Pipe JSON input via stdin
    S->>S: readStdin()
    S->>S: NEW: Validate tool_input.skill (n8n: prefix)
    alt Skill is valid
        S->>OS: NEW: Get user, host, and OS info
        OS-->>S: Raw system identity
        S->>S: NEW: SHA256 Hash identity (anonymousId)
        S->>T: NEW: POST /v1/track
        Note right of S: Headers: Authorization: Basic [WRITE_KEY]<br/>Body: { userId, event, skill }
        alt Network Success (within 1500ms)
            T-->>S: 200 OK
        else Timeout / Error
            S->>S: Abort controller triggers
            Note right of S: Silently ignore failures
        end
    else Invalid or Missing Skill
        S->>S: Early exit
    end
    S-->>P: Process exit(0)
```
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.
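The flow in the diagram above with both review findings applied, as an added example that is not the PR's code: the write key comes from the environment and the send is awaited before the process is allowed to end. The variable name `N8N_TELEMETRY_WRITE_KEY`, the event value, the Basic-auth encoding and the injectable `fetchImpl` parameter are assumptions; `anonymousId` is taken as already hashed.

```javascript
// Added example, not the PR's code. N8N_TELEMETRY_WRITE_KEY and the event
// value are assumptions; host, path, timeout and body fields follow the diagram.
const TELEMETRY_HOST = "https://telemetry.n8n.io";
const TIMEOUT_MS = 1500;

// Build the POST /v1/track request, or return null when nothing should be sent.
function buildTrackRequest(input, env, anonymousId) {
  const skill = input?.tool_input?.skill;
  if (typeof skill !== "string" || !skill.startsWith("n8n:")) return null;
  const writeKey = env.N8N_TELEMETRY_WRITE_KEY; // hypothetical variable name
  if (!writeKey) return null; // no key configured: telemetry stays off
  // Assumption: the write key is the Basic-auth username with an empty password.
  const auth = Buffer.from(`${writeKey}:`).toString("base64");
  return {
    url: `${TELEMETRY_HOST}/v1/track`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Basic ${auth}` },
      body: JSON.stringify({ userId: anonymousId, event: "skill-usage", skill }),
    },
  };
}

// Await the request, bounded by TIMEOUT_MS, so the caller never exits mid-send.
async function sendTelemetry(request, fetchImpl = globalThis.fetch) {
  if (!request) return "skipped";
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);
  try {
    const res = await fetchImpl(request.url, { ...request.init, signal: controller.signal });
    return res.ok ? "sent" : "failed";
  } catch {
    return "failed"; // timeout or network error: never break the caller
  } finally {
    clearTimeout(timer);
  }
}

// Entry point: set the exit code instead of calling process.exit() in finally,
// so the process ends only after the awaited send has settled.
async function main(rawStdin, env, anonymousId, fetchImpl) {
  try {
    return await sendTelemetry(buildTrackRequest(JSON.parse(rawStdin), env, anonymousId), fetchImpl);
  } catch {
    return "failed"; // malformed stdin JSON
  } finally {
    process.exitCode = 0;
  }
}
```

A caller would pass the stdin text, `process.env` and the SHA-256 identity hash from the diagram to `main`.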
| // ---- Constants ---- | ||
| const TELEMETRY_HOST = "https://telemetry.n8n.io"; | ||
| const TELEMETRY_WRITE_KEY = "1zPn7YoGC3ZXE9zLeTKLuQCB4F6"; |
P1: Custom agent: Security Review
Security Review (Credential & Secret Handling): do not hardcode API/write keys in source. Load the telemetry write key from runtime configuration instead.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .claude/plugins/n8n/scripts/optimization track-skill-usage.mjs, line 14:
<comment>Security Review (Credential & Secret Handling): do not hardcode API/write keys in source. Load the telemetry write key from runtime configuration instead.</comment>
<file context>
@@ -0,0 +1,103 @@
+
+// ---- Constants ----
+const TELEMETRY_HOST = "https://telemetry.n8n.io";
+const TELEMETRY_WRITE_KEY = "1zPn7YoGC3ZXE9zLeTKLuQCB4F6";
+const TIMEOUT_MS = 1500;
+
</file context>
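Review bot: The write key on the `const TELEMETRY_WRITE_KEY` line is committed as a string literal, so it stays recoverable from repository history even if a later commit removes it. If it is meant to be a public, write-only ingestion key, say so in a comment beside the constant so scanners and reviewers can allowlist it; otherwise read it from runtime configuration such as `process.env`, skip the send when it is unset, and rotate the committed value.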
| } catch { | ||
| // Absolute fail-safe | ||
| } finally { | ||
| process.exit(0); |
P2: Forced process.exit(0) in finally can terminate the process before fire-and-forget telemetry fetch completes.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .claude/plugins/n8n/scripts/optimization track-skill-usage.mjs, line 101:
<comment>Forced `process.exit(0)` in `finally` can terminate the process before fire-and-forget telemetry `fetch` completes.</comment>
<file context>
@@ -0,0 +1,103 @@
+ } catch {
+ // Absolute fail-safe
+ } finally {
+ process.exit(0);
+ }
+})();
</file context>
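Review bot: `process.exit(0)` in the `finally` block ends the process unconditionally, so any request started in the `try` that has not been awaited is dropped, and the empty `catch` above it hides every failure, programming errors included. Await the send, which is already bounded by `TIMEOUT_MS`, and replace the call with `process.exitCode = 0` so the process ends once pending work has settled; if the empty `catch` is intentional, extend the comment to say why errors are discarded.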
Summary
Related Linear tickets, Github issues, and Community forum posts
Review / Merge checklist
Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)