@Brooks M and @Nate Herk Not late to this thread — early. I’ve been raising this in here for a while now. Almost 30 years in cybersecurity, building in AI for the last stretch, and what you’re describing is real. Most agencies have built a liability surface they can’t see yet. Five things I’d add: → Classify before you connect. Know what each workflow touches before you wire it up. → Least privilege, per client, per workflow. Scoped keys, time-bound tokens, isolated environments. No shared service accounts. → Identity is the new perimeter. OAuth device code phishing is hitting M365 and Workspace tenants right now. Your agent’s permissions become the attacker’s permissions. → Log everything, or you can’t investigate anything. → The legal stack most skip: DPA per client, cyber insurance that actually covers AI workflows (check the exclusions), documented IR plan, contract clarity on data ownership and liability. On liability — most contract defaults put operator risk on whoever built and runs the system. That’s the agency. Not the client. Worth knowing before something breaks. This is the exact gap my firm Domitek was built around. We actually run a free shadow AI audit — DAUA — that helps agencies and SMBs see what their AI workflows are actually touching before something goes wrong. Happy to point anyone in the community to it, no pitch attached. More builders in this conversation, not fewer. 👊

@Brooks M Appreciate that — good to find people taking this seriously instead of treating it as someone else’s problem. The pattern I see most right now is Shadow AI inside the agency itself. Most smaller agencies can’t honestly answer: → Which AI tools their team, VAs, and contractors are using day to day → What client data has been pasted into consumer ChatGPT / Claude / Gemini accounts → Which automations are running on personal API keys vs sanctioned ones The agency is supposed to be the steward of the client’s AI strategy — but can’t see its own AI footprint. So when a client asks “where does our data go,” the honest answer is “we’re not fully sure.” Close behind it: over-permissioned OAuth grants and shared service accounts with no tenant isolation — one key, every client in the same blast radius. That shadow AI piece is exactly what DAUA.ai was built to surface — most agencies are stunned at what shows up in the first hour. What are you seeing on your end?

Congrats to all the winners... @Nate Herk in the guide, the URL for kei is incorrect its pointing to key.ai which a different site. the correct URL is https://kie.ai/ also I developed a free tool; which show what is happening on most developers' machines right now with .env files, how Node.js loads API keys into memory automatically, and the real risks of secrets getting leaked through screen output, files, network transfer, git commits, and package attacks. I'll be posting this on the paid community.

@Nate Herk I forgot to add the link to the video demonstrating how the tool works. https://www.loom.com/share/d4355147dd97452780721a65e8d486d5

Great point @Nate Herk. Claude is a great addition to n8n and if used correctly. Claude can really enhance the development of n8n workflows. I’ve created a couple MVP using both Claude and n8n which before it used to take longer. I do believe the N8N will adapt Claude.

@Tatyana Gray Etkin thanks for sharing… This is inline with the information we shared during our session, which I also mentioned in previous sessions that this is going to become an important matter to pay attention. We all need to have the appropriate legal counsel and contract in place to avoid being sued too.

@Nate Herk I know you know this, but don't forget to add the Code node to protect the Telegram triger. Here are the steps for anyone that needs to add it. 1) Create a code node after telegram triger, and enter code below if ($input.first().json.message.from.id !== YOUR_USER_ID_HERE) { return { unauthorized: true }; } else { return $input.all(); } 2) Get your User ID in telegram,. Open Telegram and in the search enter Get_ID_Bot and grab it from message and replace the YOUR_USER_ID_HERE 3) Save it and Test... Your Telegram is now secured. Cheers...

@Jeffry Milan a code node