Flowise

Static analysis for Flowise chatflow exports to detect agent loops, connection cycles, and credential exposure.

Quick Start

# Export chatflow from Flowise UI, then scan
inkog scan ./chatflows

What Inkog Detects

Finding           Severity   Description
Agent Loop        CRITICAL   AgentExecutor without maxIterations
Connection Cycle  HIGH       Circular node connections
Credential Leak   CRITICAL   API keys in exported JSON
Unsafe Tool       CRITICAL   Custom tools with shell access
Memory Overflow   HIGH       Memory nodes without limits

AgentExecutor Loops

AgentExecutor nodes without an iteration limit can run forever: nothing stops the think/act cycle if the model never produces a final answer.

Vulnerable
No maxIterations - agent loops forever
{
"nodes": [
  {
    "id": "agentExecutor_0",
    "type": "customNode",
    "data": {
      "category": "Agents",
      "name": "agentExecutor",
      "inputs": {
        "model": "",
        "tools": []
      }
    }
  }
]
}
Secure
Explicit iteration limit
{
"nodes": [
  {
    "id": "agentExecutor_0",
    "type": "customNode",
    "data": {
      "category": "Agents",
      "name": "agentExecutor",
      "inputs": {
        "model": "",
        "tools": [],
        "maxIterations": "10",
        "returnIntermediateSteps": "false"
      }
    }
  }
]
}

Connection Cycles

Circular connections between nodes can cause infinite loops: the output of a later node is fed back as the input of an earlier one, so the flow never terminates.

Vulnerable
Output feeds back to LLM - infinite loop
{
"nodes": [
  {"id": "llm_0", "data": {"name": "chatOpenAI"}},
  {"id": "chain_0", "data": {"name": "llmChain"}},
  {"id": "output_0", "data": {"name": "outputParser"}}
],
"edges": [
  {"source": "llm_0", "target": "chain_0"},
  {"source": "chain_0", "target": "output_0"},
  {"source": "output_0", "target": "llm_0"}
]
}
Secure
Linear flow without cycles
{
"nodes": [
  {"id": "llm_0", "data": {"name": "chatOpenAI"}},
  {"id": "chain_0", "data": {"name": "llmChain"}},
  {"id": "output_0", "data": {"name": "outputParser"}}
],
"edges": [
  {"source": "llm_0", "target": "chain_0"},
  {"source": "chain_0", "target": "output_0"}
]
}
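Both loop findings above (an AgentExecutor without maxIterations, and a connection cycle) can be checked offline with a few lines of Python. This is an added example, not Inkog's or Flowise's own code; it operates on a constructed, already-parsed chatflow export and finds cycles with a depth-first search that reports the offending node path.

```python
# Constructed chatflow export (not from the page or a real Flowise instance), already parsed:
# an AgentExecutor with no maxIterations, and an output node wired back to the LLM.
SAMPLE_CHATFLOW = {
    "nodes": [
        {"id": "agentExecutor_0", "data": {"name": "agentExecutor", "inputs": {"model": "", "tools": []}}},
        {"id": "llm_0", "data": {"name": "chatOpenAI"}},
        {"id": "chain_0", "data": {"name": "llmChain"}},
        {"id": "output_0", "data": {"name": "outputParser"}},
    ],
    "edges": [
        {"source": "llm_0", "target": "chain_0"},
        {"source": "chain_0", "target": "output_0"},
        {"source": "output_0", "target": "llm_0"},
    ],
}


def find_unbounded_agents(flow: dict) -> list:
    """IDs of agentExecutor nodes whose inputs carry no positive integer maxIterations."""
    hits = []
    for node in flow.get("nodes", []):
        data = node.get("data", {})
        if data.get("name") != "agentExecutor":
            continue
        raw = str((data.get("inputs") or {}).get("maxIterations", "")).strip()
        if not raw.isdigit() or int(raw) <= 0:
            hits.append(node["id"])
    return hits


def find_cycle(flow: dict):
    """Return one cycle in the edge graph as a node path, or None if the flow is acyclic."""
    adj = {}
    for edge in flow.get("edges", []):
        adj.setdefault(edge["source"], []).append(edge["target"])
    state = {}  # absent = unvisited, 1 = on the current DFS path, 2 = finished

    def dfs(node, path):
        state[node], path = 1, path + [node]
        for nxt in adj.get(node, []):
            if state.get(nxt) == 1:  # back edge to a node on the path closes a cycle
                return path[path.index(nxt):] + [nxt]
            if nxt not in state and (found := dfs(nxt, path)):
                return found
        state[node] = 2
        return None

    for start in list(adj):
        if start not in state and (found := dfs(start, [])):
            return found
    return None
```

Running both checks on SAMPLE_CHATFLOW reports agentExecutor_0 and the path llm_0 → chain_0 → output_0 → llm_0; the secure exports on this page yield an empty list and None.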

API Key Exposure

Exported chatflows can contain plaintext credentials.

Vulnerable
API key hardcoded in node
{
"nodes": [
  {
    "id": "chatOpenAI_0",
    "data": {
      "name": "chatOpenAI",
      "inputs": {
        "openAIApiKey": "sk-abc123...",
        "modelName": "gpt-4"
      }
    }
  }
]
}
Secure
Credential reference from Flowise store
{
"nodes": [
  {
    "id": "chatOpenAI_0",
    "data": {
      "name": "chatOpenAI",
      "inputs": {
        "modelName": "gpt-4"
      },
      "credential": {
        "openAIApi": {
          "id": "credential_id",
          "name": "OpenAI Production"
        }
      }
    }
  }
]
}

Unsafe Custom Tools

Custom tool nodes whose code executes commands or loads Node modules are dangerous: the tool body runs with the privileges of the Flowise process, and whatever input the model hands it reaches the host.

Vulnerable
Shell command execution
{
"nodes": [
  {
    "id": "customTool_0",
    "data": {
      "name": "customTool",
      "inputs": {
        "toolName": "shell",
        "toolDesc": "Run shell commands",
        "toolFunc": "const { execSync } = require('child_process'); return execSync(input);"
      }
    }
  }
]
}
Secure
Restricted to safe math operations
{
"nodes": [
  {
    "id": "customTool_0",
    "data": {
      "name": "customTool",
      "inputs": {
        "toolName": "calculator",
        "toolDesc": "Perform safe math calculations",
        "toolFunc": "const allowed = /^[0-9+\\-*/().\\s]+$/; if (!allowed.test(input)) return 'Invalid'; return eval(input);"
      }
    }
  }
]
}

Memory Without Limits

Memory nodes without a limit accumulate messages indefinitely, so the context sent to the model grows with every turn.

Vulnerable
Unbounded buffer memory
{
"nodes": [
  {
    "id": "bufferMemory_0",
    "data": {
      "name": "bufferMemory",
      "inputs": {}
    }
  }
]
}
Secure
Window memory with k=10 limit
{
"nodes": [
  {
    "id": "bufferWindowMemory_0",
    "data": {
      "name": "bufferWindowMemory",
      "inputs": {
        "k": "10"
      }
    }
  }
]
}

How to Export Chatflows

To scan Flowise chatflows:

  1. From UI: Chatflow menu → Export
  2. Via API:
# List chatflows
curl -X GET "http://localhost:3000/api/v1/chatflows"
# Export specific chatflow
curl -X GET "http://localhost:3000/api/v1/chatflows/{id}" \
  -o chatflow.json

Then scan:

inkog scan ./chatflow.json

Document Loaders

Document loaders can access sensitive files when their path is taken from user input (path traversal).

Vulnerable
User controls file path - path traversal
{
"nodes": [
  {
    "id": "docLoader_0",
    "data": {
      "name": "textFile",
      "inputs": {
        "filePath": "={{$input}}"
      }
    }
  }
]
}
Secure
Fixed path to approved directory
{
"nodes": [
  {
    "id": "docLoader_0",
    "data": {
      "name": "textFile",
      "inputs": {
        "filePath": "./data/approved/"
      }
    }
  }
]
}
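The remaining findings on this page (plaintext credentials, custom tools with require() or exec(), memory nodes without a limit, and loader paths taken from user input) are all field-level rules over node inputs. The scanner below is an added example, not Inkog's or Flowise's own code; it parses a constructed export string and returns one finding per triggered rule, and it deliberately does not flag the allow-listed calculator tool or a window memory with k set.

```python
import json
import re

# Constructed chatflow export (not from the page or a real Flowise instance)
# in which every node trips one rule; the key value is a placeholder, not a real secret.
SAMPLE_CHATFLOW = json.dumps({"nodes": [
    {"id": "chatOpenAI_0", "data": {"name": "chatOpenAI",
     "inputs": {"openAIApiKey": "sk-PLACEHOLDER", "modelName": "gpt-4"}}},
    {"id": "customTool_0", "data": {"name": "customTool", "inputs": {"toolName": "shell",
     "toolFunc": "const { execSync } = require('child_process'); return execSync(input);"}}},
    {"id": "bufferMemory_0", "data": {"name": "bufferMemory", "inputs": {}}},
    {"id": "docLoader_0", "data": {"name": "textFile", "inputs": {"filePath": "={{$input}}"}}},
]})

# Input names that normally hold secrets; with the credential store they are left empty.
SECRET_INPUT = re.compile(r"api_?key|secret_?key|password|access_?token", re.I)
# Custom Tool code that reaches the host: require(), child_process, exec()/spawn().
UNSAFE_CODE = re.compile(r"require\(|child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(")
# Template expressions that let the end user pick the path at run time.
USER_TEMPLATE = re.compile(r"\{\{\s*\$?input\b|\{\{\s*question\b")


def scan_nodes(export_json: str) -> list:
    """Return (severity, node id, message) findings for the field-level rules above."""
    findings = []
    for node in json.loads(export_json).get("nodes", []):
        nid, data = node.get("id", "?"), node.get("data", {})
        name, inputs = data.get("name", ""), data.get("inputs") or {}
        for key, val in inputs.items():
            if SECRET_INPUT.search(key) and isinstance(val, str) and val.strip():
                findings.append(("CRITICAL", nid, f"plaintext credential in input '{key}'"))
        if name == "customTool" and UNSAFE_CODE.search(str(inputs.get("toolFunc", ""))):
            findings.append(("CRITICAL", nid, "custom tool code can execute host commands"))
        k = str(inputs.get("k", "")).strip()
        if name == "bufferMemory" or (name == "bufferWindowMemory" and not k.isdigit()):
            findings.append(("HIGH", nid, "memory node without a message limit"))
        if USER_TEMPLATE.search(str(inputs.get("filePath", ""))):
            findings.append(("HIGH", nid, "document loader path comes from user input"))
    return findings


if __name__ == "__main__":
    for severity, nid, msg in scan_nodes(SAMPLE_CHATFLOW):
        print(f"[{severity}] {nid}: {msg}")
```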

Best Practices

  1. Set maxIterations on all Agent nodes (recommended: 5-15)
  2. Use Flowise credential store - never hardcode keys
  3. Avoid Custom Tool nodes with require() or exec()
  4. Use Buffer Window Memory with k limit
  5. Check for cycles before deploying
  6. Review exports before sharing

CLI Examples

# Scan chatflow exports
inkog scan ./chatflows
# Check for credential exposure
inkog scan . -severity critical
# HTML report
inkog scan . -output html > report.html