Skills
skills/krzysztofsurdy/code-virtuoso/langchain-components/Gen Agent Trust Hub

langchain-components

Fail

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill documentation describes mechanisms that enable arbitrary shell command execution.
  • references/deep-agents.md identifies an execute tool designed to run shell commands within sandbox backends.
  • references/middleware.md details the ShellToolMiddleware, specifically highlighting the HostExecutionPolicy which provides "Full host access."
  • SKILL.md explicitly includes Bash in its allowed-tools metadata, granting the agent direct terminal access.
  • [REMOTE_CODE_EXECUTION]: The reference material includes unsafe programming practices that facilitate code injection.
  • references/tools.md provides a Python code snippet for a calculator tool using the eval() function: @tool("calculator") def calc(expression: str): return str(eval(expression)). Since the expression is generated by the AI agent (and potentially influenced by user input), this pattern allows for arbitrary Python code execution.
  • [EXTERNAL_DOWNLOADS]: The skill references the installation of numerous external dependencies.
  • SKILL.md and multiple reference files (e.g., references/agents.md, references/deep-agents.md) include pip install commands for libraries such as langchain, langgraph, and deepagents. These are recognized as well-known services and trusted packages within the AI development community.
  • [DATA_EXFILTRATION]: The skill documents an extensive attack surface for indirect prompt injection through its retrieval components.
  • Ingestion points: references/retrieval.md describes the use of WebBaseLoader and PyPDFLoader to ingest data from external websites and documents into the agent's context.
  • Boundary markers: references/agents.md provides examples of ContentFilterMiddleware and PII detection to mitigate risks, though these are presented as optional configurations.
  • Capability inventory: The documentation across references/middleware.md and SKILL.md confirms that the agent may have access to Bash and other shell execution tools, which could be exploited to exfiltrate data if an attacker successfully injects malicious instructions into the ingested content.
  • Sanitization: references/middleware.md describes strategies for redacting or masking sensitive information using PIIDetectionMiddleware.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 16, 2026, 09:38 PM