langchain-fundamentals
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Dynamic Code Execution: The `calculate` tool examples in both Python and TypeScript use the `eval()` function to process mathematical expressions.
  - Pattern: `return str(eval(expression))` (Python) and `async ({ expression }) => String(eval(expression))` (TypeScript).
  - Concern: The use of `eval()` allows the execution of arbitrary code based on the input string. In an agent context, where tool inputs are often generated by a language model responding to external user prompts, this pattern could lead to unintended code execution if the input is not strictly validated or the environment is not restricted.
- Indirect Prompt Injection Surface: The skill describes patterns where agents process untrusted user data which is then used to parameterize tool calls.
  - Ingestion points: User messages are ingested via the `agent.invoke` method (e.g., `SKILL.md`).
  - Boundary markers: The provided examples do not use explicit delimiters or "ignore instructions" warnings in the `system_prompt` to separate user data from instructions.
  - Capability inventory: The skill provides a tool (`calculate`) capable of executing code via `eval` (e.g., `SKILL.md`).
  - Sanitization: There is no evidence of sanitization or restricted parsing (e.g., using a math-specific library) for the tool inputs provided in the examples.
- Human-in-the-Loop Mitigation: The skill includes patterns for `HumanInTheLoopMiddleware`, which is a recognized security best practice for managing risks associated with autonomous agents.
  - Pattern: `HumanInTheLoopMiddleware(interrupt_on={"dangerous_tool": True})`.
  - Context: This demonstrates how to implement manual approval steps for sensitive operations, significantly reducing the risk of unintended tool execution.
Audit Metadata