Activepieces Agent Security Risks

Custom Workflow Agents activepieces.com Exposed Giants
AI RISK QUADRANT POSITION DEFENSE CONTROLS (4) ATTACK SURFACE (5.8) EXPOSED GIANTS FORTIFIED LEADERS HUMBLE PROVIDERS TIGHT OPERATORS
AIRQ Score
4.91
High
Attack Surface
5.8
High
Blast Radius
6.38
High
Defense Controls
4
High
About The Agent

Activepieces is an open-source workflow automation platform that exposes a built-in MCP server enabling external AI agents to invoke project flows, manage connections, and execute multi-step tasks autonomously. The same operator-scoped runtime handles community-contributed integration pieces, custom code steps in a V8 isolate, and AI agent orchestration with scheduling and subflow delegation across a wide range of connected applications and services.

About the AI Risk Quadrant

Exposed Giants occupy a quadrant where moderate attack surface combines with meaningful blast radius and minimal defense controls. Activepieces fits this profile because network egress is unrestricted by default, credentials decrypt at runtime for autonomous piece execution, and the platform documents no input guardrails or output sanitization layer — leaving operators to build their own defensive perimeter around an otherwise capable automation engine.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. The dominant risk shape is absent input guardrails paired with unrestricted network egress and runtime credential decryption, leaving operators without platform-level controls on any of the five defensive dimensions.

Key Input Risks
The MCP server accepts AI agent instructions via Streamable HTTP across thirty exposed tools with no input validation or prompt injection scanning on the documented default. An independent security audit confirms integration outputs pass into model context without sanitization, grounding the exposure in agent-specific findings. [6][2]
Key Execution Risks
Custom code steps execute inside a V8 isolate restricting filesystem and network access, but community-contributed pieces bypass this boundary and run full Node.js with decrypted credentials. The kernel-namespace sandbox mode exists as an alternative but requires privileged containers and is not the default deployment posture. [4][3]
Key Action Risks
AI agents execute autonomously via MCP with scheduling and subflow delegation; human-in-the-loop approval gates are documented as optional and not enabled by default. Credentials for connected applications decrypt at runtime for piece execution, granting autonomous actions access to OAuth tokens across hundreds of integrations without per-action confirmation. [6][12]
Key Output Risks
No output sanitization, data-loss prevention, or URL-sanitization layer is documented in the platform architecture for integration outputs or MCP tool responses. Downstream AI consumers receive unfiltered tool responses through the MCP server, and integration write payloads exit without content inspection on the default network mode. [2][5]
Key Monitoring Risks
Run-level execution logs and audit logging of access activities are documented, but anomaly detection, SIEM forwarding, and automated security alerting are not part of the platform. Security monitoring beyond access-level audit trails is entirely operator-managed infrastructure, leaving credential access patterns and egress anomalies as the operator blind spot. [7][10]

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. The composite score reflects elevated exposure across attack surface and blast radius dimensions with near-absent platform-level defense controls on the documented default configuration.

AIRQ Metrics

Activepieces falls into the Exposed Giants quadrant where moderate attack surface intersects meaningful blast radius and minimal defense controls, creating an exposure profile that operators must address through external hardening rather than platform-native protections.

The four headline scores decompose into per-component evidence anchored on vendor documentation, security advisories, and independent audit findings rather than class-level inference.

Metric Score Comments
AIRQ Score 4.91 Composite reflects the gap between a moderately exposed automation platform and its near-absent native defense controls.
Blast Radius 6.38 / 10 Network egress and credential access drive the highest blast factors on the default UNRESTRICTED configuration.
Attack Surface 5.8 / 10 Nine of ten surfaces score at the upper-moderate band driven by MCP exposure and unrestricted external data ingestion.
Defense Controls 4 / 15 No input guardrails exist and remaining controls score at the lowest verified tier across all five dimensions.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The dominant exposures are the MCP server accepting unfiltered AI agent instructions, unrestricted external data ingestion from connected integrations, and community-contributed pieces executing with full Node.js access outside the V8 sandbox boundary.

Attack Surface Metrics

Each bar represents how exposed the surface is to adversarial manipulation on the documented default; wider bars indicate surfaces where an attacker has more direct control over the agent reasoning path.

The table below ties each surface to its strongest agent-specific evidence drawn from vendor architecture documentation, security advisories, and independent security audit findings.

Surface Score Comments
User Input 3 / 4 The built-in MCP endpoint exposes thirty tools to external AI assistants over Streamable HTTP; an independent audit confirms that integration outputs enter model context without scanning for injection patterns or payload validation. [6][2]
External Data 3 / 4 Flows fetch external data from connected integrations without boundary enforcement on the default UNRESTRICTED network mode; outputs from external services pass into model context without injection pattern scanning or content-type validation. [2][5]
Memory 2 / 4 Flow execution state persists in PostgreSQL with project-scoped isolation; no cross-project memory injection surface is documented but state survives across runs without integrity verification or tamper detection mechanisms. [4]
Reasoning 3 / 4 Model-agnostic architecture delegates reasoning to interchangeable external LLMs via AI SDK with no constraints on model selection, reasoning-loop depth, or intermediate-step validation beyond token budget limits. [6]
Planning 3 / 4 AI agents perform autonomous multi-step task decomposition via the run_agent tool with subflows and scheduling; planning decisions execute without mandatory human review gates or bounded iteration depth. [6]
Tool Execution 3 / 4 V8 isolate restricts custom code steps to browser-like JavaScript without require or filesystem access, but community-contributed pieces execute full Node.js with decrypted credentials; approval gates are opt-in and cover only explicitly configured flow steps. [4][3]
Orchestration 3 / 4 Project flows exposed as MCP tools enable AI agent orchestration with scheduling, subflow delegation, and trigger-based activation across the full integration surface without per-invocation scope restriction. [6]
Inter-Agent 3 / 4 Tool description injection risk across the MCP server ecosystem can redirect LLM behavior platform-wide; project-scoped token authentication provides lateral isolation but tool descriptions pass through without sanitization. [2][6]
Output Processing 3 / 4 No output sanitization is documented in the platform architecture; integration outputs pass through the system without scanning for embedded injection patterns and flow to downstream AI consumers unfiltered. [2]
Configuration 3 / 4 CI/CD endpoint authentication bypass allowed unauthorized piece metadata insertion into registry sync; default network mode is UNRESTRICTED and sandbox mode selection is a deployment-time decision with no runtime override. [1][11]

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Activepieces exhibits all three on the documented default: a single injected instruction delivered through any connected integration can read decrypted OAuth credentials during piece execution and transmit them through unrestricted network egress without crossing any platform-level control.

Lethal Trifecta · Complete (3 of 3)

Activepieces exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — External AI assistants submit instructions through the built-in MCP endpoint covering thirty tools, and connected integration outputs enter the reasoning loop without injection scanning on the documented default. [6]
  • Sensitive data — Credentials for connected applications are encrypted at rest but decrypt at runtime for piece execution, making OAuth tokens and API keys accessible in the same session that processes untrusted input. [7]
  • External egress — AP_NETWORK_MODE defaults to UNRESTRICTED allowing user code and pieces to reach any IP address including internal services, providing a clear exfiltration channel with no egress filtering active. [5]

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. The blast concentration is in network egress and credential access where the default UNRESTRICTED mode and runtime credential decryption create a compounding exposure that operators inherit without platform-level containment.

Blast Radius Metrics

Bar widths reflect the maximum capability available to a compromised flow on the documented default configuration without requiring the attacker to escalate beyond normal piece execution authority.

The table below decomposes what a compromised flow can reach on the default configuration — from unrestricted network egress to runtime-decrypted credentials and unbounded autonomous operations.

Factor Score Comments
Code execution 2 / 4 The V8 sandbox confines user-authored code steps to a browser-like JavaScript environment lacking require and filesystem primitives; community pieces execute in the application container rather than directly on the host operating system. [4]
File system access 2 / 4 The V8 sandbox denies filesystem access to code steps entirely; pieces operate within the container scope without documented write access to host volumes or persistent storage beyond the application database. [4]
Network access 4 / 4 AP_NETWORK_MODE defaults to UNRESTRICTED allowing user code to reach any IP address including internal services; SSRF guards and egress proxy activate only when STRICT mode is explicitly opted into by the operator. [5]
Credential access 3 / 4 Credentials encrypted at rest with 256-bit encryption but decrypt at runtime for piece execution; pieces access OAuth tokens and API keys for connected applications during flow runs without per-access audit trail beyond general access logging. [7]
Autonomous action 3 / 4 Autonomous operation proceeds through MCP tool calls with scheduling and subflow capabilities; operator approval gates are opt-in only and the default posture permits unbounded autonomous operations across all connected integrations. [6][12]
Deployment access 1 / 4 Self-hosted deployments run in operator-controlled infrastructure with no documented ability for flows or pieces to modify the platform deployment or reach container orchestration APIs. [11]

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The platform provides no input guardrails by default and remaining controls score at the lowest documented tier, meaning operators inherit a runtime that does almost nothing to detect, contain, or report attacks before they reach external systems.

Defense Controls Metrics

Bar widths reflect the inverted defense scale where shorter bars indicate weaker controls; the pattern shows near-absent native protection across all five dimensions on the documented default.

The table below grounds each component score on vendor-published documentation; opt-in mitigations that are not active by default reappear as hardening tips that an operator can layer on top of the default posture.

Component Score Comments
Input Guardrails 0 / 3 No dedicated input validation, prompt injection scanning, or content filtering is documented in the platform architecture; MCP traffic and integration outputs reach the model without any filtering layer active on the default deployment. [6][2]
Execution Isolation 1 / 3 The isolated-vm sandbox confines user-authored code to a restricted JavaScript environment; however, community pieces operate outside this boundary in the full Node.js runtime with access to decrypted credentials during execution. [4][3]
Action Controls 1 / 3 Human-in-the-loop approval gates are documented as an opt-in flow step requiring explicit configuration; default allows autonomous execution of all MCP-exposed tools without per-action confirmation or scope restriction. [6][12][9]
Output Guardrails 1 / 3 Data masking is documented for log outputs but no DLP, redaction, or URL-sanitization layer is applied to integration outputs or MCP tool responses flowing to downstream consumers on the default configuration. [7][2]
Monitoring 1 / 3 The platform documents run-level traces and access audit trails; however, behavioral anomaly detection, SIEM forwarding, and automated threat alerting fall outside the product boundary and depend entirely on operator-provisioned external tooling. [7][10][8]

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize breaking the trifecta by restricting network egress to STRICT mode and deploying input validation upstream of the MCP server endpoint before addressing execution isolation and action control gaps.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

Input Guardrails
  • Policy Require all MCP-connected AI agents to pass through an approved prompt injection detection service before reaching the platform endpoint — counters User Input exposure where thirty tools accept instructions without filtering.
  • Configuration Configure an input validation proxy between connected integrations and the flow engine to sanitize outputs before they enter model context — counters External Data ingestion without injection pattern scanning.
  • Engineering Implement content-type allowlisting and payload schema validation on MCP tool parameters to reject unexpected formats at the protocol level — counters Inter-Agent tool description injection risk.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

Execution Isolation
  • Policy Mandate SANDBOX_PROCESS mode with kernel namespaces for all production deployments handling sensitive data — counters Tool Execution where community pieces run full Node.js by default.
  • Configuration Set AP_EXECUTION_MODE=SANDBOX_PROCESS in the deployment configuration to extend isolation beyond V8 code steps to include community-contributed pieces — counters the sandbox gap documented in architecture references.
  • Engineering Restrict piece execution to a vetted allowlist rather than the full community npm registry to reduce the supply chain surface — counters Configuration exposure from unvetted community contributions.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

Action Controls
  • Policy Require human-in-the-loop approval gates on all flows that access credentials or perform external writes — counters Autonomous action where MCP agents fire without mandatory approval by default.
  • Configuration Configure project-scoped token permissions with minimum-necessary tool exposure rather than granting access to all thirty MCP tools — counters Orchestration exposure where all project flows are callable.
  • Engineering Implement rate limiting and concurrency caps on AI agent invocations to bound the damage window from a compromised session — counters Planning exposure where agents perform unbounded task decomposition.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

Output Guardrails
  • Policy Deploy a data-loss prevention proxy on egress traffic to scan outbound payloads for sensitive data patterns — counters Output Processing where no DLP or redaction exists by default.
  • Configuration Configure content inspection on webhook and integration write payloads to detect exfiltration attempts in autonomous flow outputs — counters Network access at maximum where unrestricted egress provides a data channel.
  • Engineering Implement response sanitization on MCP tool outputs to strip credential material and injection patterns before returning to AI consumers — counters Inter-Agent exposure where tool responses flow unfiltered.

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

Monitoring
  • Policy Forward platform audit logs and execution traces to a SIEM with correlation rules for anomalous credential access patterns — counters Monitoring gap where security alerting is operator-managed.
  • Configuration Configure AP_NETWORK_MODE=STRICT and enable the egress proxy logging to capture destination-level network telemetry for all piece executions — counters Network access where egress is unmonitored by default.
  • Engineering Implement runtime behavioral baselines for AI agent sessions to detect deviation from expected tool invocation patterns — counters User Input exposure where injected instructions execute without detection.

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. GHSA-3w4h-jvcx-rw99 Unauthorized piece metadata insertion via CI/CD endpoint auth bypass; patched in 0.72.0.
  2. MCP tool description injection audit Security audit identifies tool description injection and missing output sanitization in MCP server ecosystem.

Selected Research

  1. Hardware-isolated microVM execution proposal Documents sandbox mode comparison and proposes QEMU microVM as fifth isolation mode.

Vendor Documentation

  1. Sandboxing architecture V8 isolated-vm for code steps; kernel-namespace mode requires privileged containers.
  2. Network security architecture AP_NETWORK_MODE defaults UNRESTRICTED; STRICT mode is opt-in with SSRF guard and egress proxy.
  3. MCP server overview Built-in MCP server exposes 30 tools with OAuth auth and project-scoped access tokens.
  4. Security and Data Practices 256-bit credential encryption, data masking in logs, audit logging of access activities.
  5. Security advisory response playbook CVE request workflow with 60-day embargo and 7-day customer disclosure lead time.
  6. GitHub security policy Coordinated disclosure with 3-business-day response SLA and sandbox for researchers.
  7. Changelog and release notes Documents AP_NETWORK_MODE=STRICT opt-in and staging-first deployment process.

Other Sources

  1. Activepieces GitHub repository Open-source TypeScript monorepo; 22K stars; 280+ community pieces published to npm.
  2. AI Agent Builder product page Autonomous AI agents with multi-step reasoning, 660+ app integrations, optional human-in-the-loop.