LangChain RAG Pipeline
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [Insecure Deserialization]: The skill demonstrates loading FAISS indices using the allow_dangerous_deserialization=True parameter in FAISS.load_local. This setting is necessary for loading FAISS files in the LangChain framework, but it uses the pickle module internally. If an index file is obtained from or replaced by an untrusted source, this could result in arbitrary code execution when the index is loaded.
- [Indirect Prompt Injection Surface]: The pipeline implements a workflow for processing external data, which creates a surface for potential indirect prompt injection.
  - Ingestion points: Data enters the system via WebBaseLoader for web content and PyPDFLoader for local files.
  - Boundary markers: The examples use basic f-string interpolation for context (e.g., f"Use this context:\n\n{context}") without specialized delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill passes the processed content directly to LLM models (model.invoke) and incorporates it into agent tools.
  - Sanitization: No explicit sanitization or validation of the fetched document content is shown in the snippets.
- [External Data Access]: Components like WebBaseLoader and CheerioWebBaseLoader are used to fetch content from remote web addresses. This is a primary function of the skill, but users should verify that the URLs accessed are from reliable sources to prevent the ingestion of unexpected data.
Audit Metadata