workflow templates float around n8n's library, GitHub repos, Gumroad, and Telegram groups — almost none of them vetted before you import.
FOR n8n & MAKE.COM BUILDERS
Never import a workflow
you can't see inside.
You found a template on GitHub, bought one on Gumroad, or got one in a Discord. Paste it below and Loupe shows you — in plain English — what it does, what it'll cost per run, what it needs to work, and what it's quietly hiding.
- Reads n8n JSON & Make.com blueprints
- Finds leaked API keys, tokens & secrets
- Nothing is uploaded — ever
◉ Paste your workflow
awaiting paste…
Not sure how to get this file?
n8n: open the workflow → top-right ⋯ menu → Download (or select all nodes and copy). Paste the file's contents here.
Make.com: open the scenario → bottom ⋯ menu → Export Blueprint. Paste the downloaded JSON here.
or try a sample:
◉ Inspection report
—
Selling or sharing this workflow? Show buyers it's been inspected.
0/100
TRUST SCORE
➜ What to do now
❝ In plain English
⬡ Flow map
🛡 Safety & trust scan
✓ Will it work? — readiness checklist
⛁ Estimated cost per run
Heuristic analysis of pasted text only. Loupe never executes the workflow and never sees your live credentials. Treat results as a strong first opinion, not a security guarantee.
THE PROBLEM
The template economy ships fast and breaks quietly.
a real supply-chain attack hid in fake n8n community nodes, decrypting and exfiltrating users' OAuth tokens at runtime. "Import and pray" stopped being a joke.
exported workflows routinely leak hardcoded API keys in HTTP headers, Code nodes, and sticky notes — pasted by authors who forgot they were there.
the worst failures are the quiet ones: a template "runs green" but does the wrong thing, or needs a paid app you don't have. You find out in production.
Loupe is the missing step between “nice template!” and the import button.
HOW IT WORKS
Three seconds, zero uploads.
-
01
Paste the file
Drop in the raw n8n JSON or Make.com blueprint you were given. Loupe auto-detects which platform it came from.
-
02
Loupe reads it locally
Your browser parses the graph, maps every node to a human action, scans every string for secrets, and tallies the cost — all on this page.
-
03
You decide with eyes open
Get a trust score, a plain-English summary, a readiness checklist, and a one-click redacted copy that's safe to share or sell.
WHAT IT INSPECTS
A full bench of instruments.
Plain-English explainer
Turns a tangle of nodes into a sentence: “Watches Gmail, summarizes each email with OpenAI, logs it to Sheets, pings Slack.”
Leaked-secret detector
Regex + entropy scan for API keys, bearer tokens, JWTs, private keys, webhook secrets, and personal emails hiding in parameters & code.
Risk flags
Surfaces arbitrary-code nodes, raw HTTP calls, unauthenticated webhooks, and non-official community nodes — the usual blast radius.
Readiness checklist
Every credential, every paid app, and every external endpoint you'll need to wire up before the workflow does anything useful.
Cost estimate
Counts the operations / node executions per run so Make and Zapier-refugees can see the bill coming before they commit.
Redact & clean
One click strips the secrets and personal data and hands back a safe-to-share copy — perfect for sellers shipping clean templates.
PRIVACY BY ARCHITECTURE
Your workflow never leaves this tab.
The whole point is trust — so Loupe sends nothing to a server. There is no backend, no account, no logging. The analyzer is plain JavaScript that runs on your device. The simplest proof: turn off your wi-fi and it still works perfectly — because it never needed the internet to read your file. That's not a privacy policy you have to take on faith; it's how the thing is built.
FAQ
Reasonable questions.
Which platforms are supported?
n8n (workflow JSON) and Make.com (scenario “blueprints”) today — they're the two that ship freely-shared, pasteable files. Zapier only lets Team/Enterprise plans export JSON and exports all Zaps at once, so most shared Zaps can't be inspected; paste it if you have it and Loupe will do its best. Notion templates are duplicated pages rather than files, so they're out of scope.
Do you really not upload my workflow?
Correct. Every step — parsing, secret scanning, diagramming, redaction — happens in your browser. There's no server to send it to. Check the network tab.
Is the secret scan a security guarantee?
No. It catches the common, high-signal patterns (recognizable key formats, high-entropy strings, sensitive field names). A determined obfuscator can hide things. Treat a clean result as “no obvious red flags,” not “certified safe.”
How accurate is the cost estimate?
It's a heuristic based on counting node executions / Make operations per run. Loops, batching, and conditional branches change the real number, so Loupe shows a range and tells you what drives it.
I sell templates. Why would I use this?
Run your file through Redact & clean before you ship it so you never leak your own keys, and paste the report into your listing as proof it's transparent and dependency-honest. Trust sells.