langchain-framework

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides a code example for a custom CalculatorTool that uses the Python eval() function to process mathematical expressions. This pattern is vulnerable to arbitrary command execution if the input expression is not strictly sanitized and originates from an LLM or end-user.
  • [REMOTE_CODE_EXECUTION]: The skill recommends and demonstrates the use of PythonREPLTool, which is designed to execute arbitrary Python code. While a standard part of the framework, this capability requires careful sandboxing in production environments to prevent unauthorized system access.
  • [EXTERNAL_DOWNLOADS]: The skill contains several instances of remote data and resource fetching:
  • Fetches remote prompt templates using hub.pull("hwchase17/react") from the LangChain Hub registry.
  • Uses WebBaseLoader to download and process content from external websites (e.g., https://example.com).
  • Recommends installation of several external packages from standard registries (PyPI) including langchain, chromadb, and faiss-cpu.
  • [PROMPT_INJECTION]: The skill documentation establishes an attack surface for indirect prompt injection by demonstrating how to ingest untrusted data into an agent's context without implementing security boundaries.
  • Ingestion points: WebBaseLoader, DirectoryLoader, and PyPDFLoader in SKILL.md are used to pull external data into the RAG pipeline.
  • Boundary markers: Absent. The RAG prompt template directly interpolates the {context} variable without delimiters or instructions to ignore embedded commands.
  • Capability inventory: The skill provides access to high-privilege tools such as PythonREPLTool, eval(), and local file system writes via vectorstore.save_local().
  • Sanitization: No sanitization or validation logic is included in the processing examples.
  • [DATA_EXFILTRATION]: The skill integrates with LangSmith for observability, which involves sending execution traces (including prompts and outputs) to the external service at smith.langchain.com.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 18, 2026, 02:20 PM
Security Audit — agent-trust-hub — langchain-framework