langchain

Warn

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The documentation and examples (in SKILL.md and references/agents.md) define a 'Calculator' tool that uses the Python eval() function on input strings. This allows an agent to execute arbitrary Python code if the input string is manipulated by an attacker through indirect prompt injection or malicious data sources.
  • [COMMAND_EXECUTION]: The integration guide (references/integration.md) demonstrates the use of ShellTool and PythonREPLTool. These tools grant the agent the capability to execute arbitrary system commands and Python code within the host environment, which poses a severe risk if the agent's reasoning process is compromised.
  • [REMOTE_CODE_EXECUTION]: The FAISS vector store example in references/integration.md explicitly uses allow_dangerous_deserialization=True when loading an index from disk. This setting permits the execution of arbitrary code via Python's pickle module if the index file has been tampered with or originated from an untrusted source.
  • [EXTERNAL_DOWNLOADS]: The skill documents the installation of numerous LangChain-related packages (e.g., langchain-openai, langchain-anthropic) and demonstrates fetching content from reputable external domains such as docs.python.org and Wikipedia. These operations target well-known and established services.
  • [PROMPT_INJECTION]: The skill's architecture for Retrieval-Augmented Generation (RAG) and tool-using agents creates an attack surface for indirect prompt injection. It demonstrates ingesting untrusted data from web loaders and PDFs and passing that content directly into LLM prompts alongside powerful tools (eval, ShellTool) without recommending specific sanitization or boundary markers.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 29, 2026, 12:55 AM
Security Audit — agent-trust-hub — langchain