langchain
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The calculator tool example in the documentation uses the Python eval() function on a string parameter. This is a high-risk dynamic execution pattern that allows for arbitrary code execution if implemented as shown, as LLMs or malicious actors could provide executable code instead of mathematical expressions.
- [PROMPT_INJECTION]: The skill describes patterns for Retrieval-Augmented Generation (RAG) and tool-calling which introduce risks of indirect prompt injection.
- Ingestion points: External data is ingested via the search tool and FAISS retriever as shown in SKILL.md.
- Boundary markers: The provided prompt templates (e.g., rag_prompt) do not utilize delimiters or specific instructions to isolate retrieved content from the agent's core instructions.
- Capability inventory: The agent is granted access to powerful tools including Bash and Edit, which could be exploited if an injected instruction from a search result or document is processed.
- Sanitization: The code examples do not include sanitization, validation, or filtering logic for the data retrieved from external sources before it is interpolated into the LLM prompt.
Audit Metadata