langchain-core-workflow-b

Warn

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The calculate tool implementation in SKILL.md uses the Python eval() function to process the expression string. Since this string is generated by an LLM interpreting user instructions, it allows an attacker to craft a prompt that forces the agent to execute arbitrary code on the host system.
  • [EXTERNAL_DOWNLOADS]: The async_search example demonstrates the use of the aiohttp library to perform network requests. While intended for search functionality, this capability allows the agent to make outbound HTTP requests to arbitrary destinations, which could be used for data exfiltration.
  • [PROMPT_INJECTION]: The skill architecture is vulnerable to indirect prompt injection attacks.
      ◦ Ingestion points: Untrusted data enters the agent context through the {input} variable and the return values of the search_web and search_tool functions in SKILL.md.
      ◦ Boundary markers: The ChatPromptTemplate defined in Step 2 does not use delimiters (such as XML tags or markers) or specific instructions to treat tool outputs as untrusted data.
      ◦ Capability inventory: The agent is granted high-risk capabilities, including dynamic code execution via eval() and network access via aiohttp.
      ◦ Sanitization: There is no evidence of validation or sanitization of data before it is passed to tools or re-evaluated by the agent loop.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 23, 2026, 02:34 AM