langchain

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The content is not covert malware but contains multiple high-risk patterns (use of eval on user input, PythonREPLTool / ShellTool examples, allow_dangerous_deserialization=True, examples that send traces or data to external services and disclose API/env usage) that enable remote code execution, credential leakage, data exfiltration, or destructive operations if deployed or exposed to untrusted inputs; treat as high risk and harden before deployment.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill includes examples that load and ingest arbitrary public web content (e.g., WebBaseLoader("https://docs.python.org/3/tutorial/"), Web pages, Wikipedia tools, DuckDuckGo search and GitHub loaders) and then uses those documents in RAG/retriever/agent workflows, meaning the agent will read and act on untrusted third‑party content.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly uses WebBaseLoader to fetch https://docs.python.org/3/tutorial/ at runtime (and shows Github/Web loaders) whose loaded content is injected into the RAG/vectorstore -> retriever -> prompt context, thereby directly influencing model prompts/responses.