langchain
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The calc tool in Example 2 passes the expression argument directly to Python's eval(). Because this tool is intended to be invoked by an AI agent, a malicious actor could craft a prompt that causes the agent to pass a dangerous Python expression (e.g., `__import__('os').system(...)`) to the tool, resulting in arbitrary code execution on the host system.
- [PROMPT_INJECTION]: The skill describes patterns for Retrieval-Augmented Generation (RAG) and tool-using agents that are susceptible to indirect prompt injection attacks.
- Ingestion points: The RAG pipeline pattern (Example 3) processes documents from the docs variable, which typically represents untrusted external data.
- Boundary markers: The provided ChatPromptTemplate does not use delimiters or specific instructions to treat retrieved data as untrusted content.
- Capability inventory: The skill enables agents to perform calculations via tools and retrieve information from vector databases, providing a path for injected instructions to trigger actions.
- Sanitization: There is no logic presented for sanitizing or validating retrieved document content before it is interpolated into the agent's prompt context.
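The eval() risk noted above can be avoided without losing the calc tool's functionality. Below is a minimal sketch (not the skill's own code) of an AST-based evaluator that accepts only numeric literals and arithmetic operators, so expressions such as `__import__('os').system(...)` are rejected rather than executed:

```python
import ast
import operator

# Whitelist of arithmetic AST operator nodes; anything else is rejected.
_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Pow: operator.pow,
    ast.USub: operator.neg,
}

def safe_calc(expression: str) -> float:
    """Evaluate a pure-arithmetic expression; raise ValueError on anything else."""
    def _eval(node):
        if isinstance(node, ast.Expression):
            return _eval(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](_eval(node.left), _eval(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](_eval(node.operand))
        # Function calls, attribute access, names, etc. all land here.
        raise ValueError("Disallowed expression")
    return _eval(ast.parse(expression, mode="eval"))
```

A tool built on `safe_calc` still answers arithmetic queries (e.g. `safe_calc("2 + 3 * 4")` returns 14) while an injected payload raises ValueError instead of running shell commands.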
Recommendations
- The audit detected serious security threats; do not deploy this skill unremediated.
- Replace the eval() call in the calc tool with a restricted arithmetic parser that accepts only numeric literals and operators.
- Wrap retrieved document content in explicit delimiters and instruct the model to treat it as untrusted data, not instructions.
- Sanitize or validate retrieved content before interpolating it into the agent's prompt context.