langchain

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The content contains multiple high-risk patterns that enable arbitrary remote code execution, shell command execution, credential/execution-trace exfiltration, and dangerous deserialization (e.g., use of eval, PythonREPLTool, ShellTool, agents exposed via HTTP, LangSmith tracing sending traces to external servers, and allow_dangerous_deserialization), which are clear abuse vectors if exposed to untrusted input or users.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's RAG and agent workflows explicitly load and ingest open web content (e.g., WebBaseLoader("https://...") in SKILL.md RAG section, Web page loaders, DuckDuckGoSearchRun/Tavily search tools, and risky_api_call that requests arbitrary endpoints) and then use those retrieved documents in RetrievalQA/agent retriever tools so untrusted third-party content can directly influence agent decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The example uses WebBaseLoader("https://docs.python.org/3/tutorial/") to fetch external web content at runtime which is then loaded into the retrieval/RAG pipeline and injected into model context (directly influencing prompts/outputs), so this URL is a runtime dependency that can control agent behavior.