langflow-exploit

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This package is explicitly an offensive toolkit: it automates unauthorized access (CVE-2026-33017 auto_login token retrieval, default-password login, and weak-password brute forcing), creates public flows that inject Python code to execute arbitrary shell commands (including subprocess-based command execution and a Bash reverse shell), and supports batch scanning and reporting — clearly designed to compromise systems and establish remote control/backdoors.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly sends requests to arbitrary LangFlow instances (e.g., GET /api/v1/auto_login, POST /api/v1/login, POST /api/v1/build_public_tmp/{id}/flow) and parses untrusted JSON/HTTP response bodies (access tokens and embedded command output) which are then used to decide and perform further actions (create flows, execute payloads), so third‑party content can directly influence agent behavior.