langchain-retrieval
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill directs users to clone a repository from an unverified source (https://github.com/Eng0AI/langchain-retrieval.git). This source is not on the trusted organizations or repositories list, making it a potential vector for malicious code delivery.
- [REMOTE_CODE_EXECUTION] (HIGH): After cloning, the instructions proceed to run `pnpm install` and `pnpm build`. Since these commands run on code from an untrusted external source, an attacker could include malicious lifecycle scripts (e.g., `postinstall` or `prebuild`) to execute arbitrary commands on the host machine.
- [CREDENTIALS_UNSAFE] (HIGH): The setup process requires the user to input `SUPABASE_PRIVATE_KEY` (service role key) and `OPENAI_API_KEY`. Providing these high-privilege secrets to code fetched from an untrusted repository creates a high risk of credential exfiltration.
Recommendations
- AI detected serious security threats
Audit Metadata