LangChain RAG Pipeline

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly shows web document loaders (WebBaseLoader and CheerioWebBaseLoader fetching https://docs.langchain.com and arbitrary URLs) and RAG/agent examples that inject retrieved web documents into the model/agent context (context variable and search_docs tool), so untrusted public content can directly influence tool use and model actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The examples show WebBaseLoader/CheerioWebBaseLoader fetching https://docs.langchain.com at runtime and the returned documents are concatenated into the model context and injected into prompts, so this external URL can directly control agent instructions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.60). The prompt explicitly advises enabling allow_dangerous_deserialization=True (bypassing a safety check that can lead to arbitrary code execution) and persists indexes to disk, which is a security-risking bypass even though it does not request sudo, modify system services, or create users.