langgraph
Status: Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM. Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The 'calculator' tool implementation in the 'Basic Agent Graph' section uses the Python 'eval()' function on the 'expression' input.
- Evidence: 'return str(eval(expression))' in SKILL.md.
- Risk: The 'eval' function executes arbitrary strings as Python code. If an LLM is tricked via prompt injection into passing a malicious string (e.g., using 'import' to access 'os' or 'subprocess'), an attacker can execute arbitrary commands on the host system.
- [REMOTE_CODE_EXECUTION] (MEDIUM): Because the 'eval' call is triggered by LLM tool-calling, which is in turn driven by user-provided queries, this constitutes a potential remote code execution vector.
- [PROMPT_INJECTION] (LOW): The skill exhibits a surface for Indirect Prompt Injection (Category 8).
- Ingestion points: User messages ingested via 'app.invoke' in the 'Basic Agent Graph' example.
- Boundary markers: Absent. The messages are passed directly to the LLM without delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill has 'eval()' execution capability and network access (via the LLM API).
- Sanitization: None. The 'calculator' tool does not validate or sanitize the 'expression' string before evaluation.
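To illustrate the remediation the findings above imply, here is a minimal sketch of a calculator tool that avoids 'eval()' entirely. It parses the expression with Python's standard-library 'ast' module and walks the tree, permitting only numeric literals and a whitelist of arithmetic operators, so injected payloads such as attribute access, function calls, or '__import__' are rejected rather than executed. The function name 'safe_calculate' is illustrative, not part of the audited skill.

```python
import ast
import operator

# Whitelisted arithmetic operators; anything outside this map is rejected.
_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Pow: operator.pow,
    ast.Mod: operator.mod,
    ast.USub: operator.neg,
    ast.UAdd: operator.pos,
}

def safe_calculate(expression: str) -> str:
    """Evaluate an arithmetic expression without eval().

    The string is parsed into an AST and evaluated recursively.
    Any node that is not a numeric constant or a whitelisted
    unary/binary arithmetic operation raises ValueError, so a
    payload like "__import__('os').system('id')" fails to
    evaluate instead of executing shell commands.
    """
    def _eval(node: ast.AST) -> float:
        if isinstance(node, ast.Expression):
            return _eval(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](_eval(node.left), _eval(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](_eval(node.operand))
        raise ValueError(f"disallowed expression element: {type(node).__name__}")

    tree = ast.parse(expression, mode="eval")
    return str(_eval(tree))
```

This keeps the tool's string-in/string-out contract ('return str(...)') while closing both the COMMAND_EXECUTION and sanitization gaps: validation happens structurally at parse time, so no delimiter or prompt-level mitigation is relied upon.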
Audit Metadata