langchain-framework
Warn
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides a code example for a custom
CalculatorToolthat uses the Pythoneval()function to process mathematical expressions. This pattern is vulnerable to arbitrary command execution if the input expression is not strictly sanitized and originates from an LLM or end-user. - [REMOTE_CODE_EXECUTION]: The skill recommends and demonstrates the use of
PythonREPLTool, which is designed to execute arbitrary Python code. While a standard part of the framework, this capability requires careful sandboxing in production environments to prevent unauthorized system access. - [EXTERNAL_DOWNLOADS]: The skill contains several instances of remote data and resource fetching:
- Fetches remote prompt templates using
hub.pull("hwchase17/react")from the LangChain Hub registry. - Uses
WebBaseLoaderto download and process content from external websites (e.g.,https://example.com). - Recommends installation of several external packages from standard registries (PyPI) including
langchain,chromadb, andfaiss-cpu. - [PROMPT_INJECTION]: The skill documentation establishes an attack surface for indirect prompt injection by demonstrating how to ingest untrusted data into an agent's context without implementing security boundaries.
- Ingestion points:
WebBaseLoader,DirectoryLoader, andPyPDFLoaderinSKILL.mdare used to pull external data into the RAG pipeline. - Boundary markers: Absent. The RAG prompt template directly interpolates the
{context}variable without delimiters or instructions to ignore embedded commands. - Capability inventory: The skill provides access to high-privilege tools such as
PythonREPLTool,eval(), and local file system writes viavectorstore.save_local(). - Sanitization: No sanitization or validation logic is included in the processing examples.
- [DATA_EXFILTRATION]: The skill integrates with LangSmith for observability, which involves sending execution traces (including prompts and outputs) to the external service at
smith.langchain.com.
Audit Metadata