langgraph
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The 'Basic Agent Graph' pattern includes a `calculator` tool that executes `eval(expression)`. Because this tool is intended to be called by an LLM processing untrusted user input, it allows an attacker to execute arbitrary Python code and system commands (e.g., using `__import__('os').system()`) through the agent.
- [COMMAND_EXECUTION] (CRITICAL): The use of `eval()` on raw strings provided by the agent's reasoning loop is a high-risk capability that provides full shell access to the execution environment.
- [EXTERNAL_DOWNLOADS] (LOW): The skill references the `langgraph` package. While the package itself is a standard industry tool, the example code uses it to build vulnerable execution patterns. Per [TRUST-SCOPE-RULE], the dependency itself is LOW risk, but the implementation logic remains CRITICAL.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill demonstrates an architecture that ingests untrusted user messages and passes them to high-privilege tools (`eval`) without any sanitization or boundary markers to prevent the LLM from being coerced into executing malicious payloads.
Recommendations
- AI detected serious security threats
Audit Metadata