langgraph-agents
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The MCP integration reference (reference/mcp-integration.md) provides examples of using `npx -y` to download and execute tool servers from the `@anthropic` organization. Per the [TRUST-SCOPE-RULE], because Anthropic is a trusted organization, this remote download pattern is classified as LOW.
- [COMMAND_EXECUTION] (LOW): The 'Deep Agents' framework documentation (reference/deep-agents.md) lists an `execute_command` tool as a built-in capability. While described as 'sandboxed', this functionality allows agents to run shell commands, which is a high-privilege operation associated with the skill's intended purpose for technical automation.
- [REMOTE_CODE_EXECUTION] (LOW): The Model Context Protocol (MCP) integration (reference/mcp-integration.md) allows agents to dynamically load and execute tools from remote servers or local processes (stdio). This provides a flexible but broad execution surface.
- [PROMPT_INJECTION] (LOW): The skill is designed to build agents that ingest untrusted data, creating an Indirect Prompt Injection surface.
  - Ingestion points: `web_search` output, `read_file` content, and external MCP tool responses (e.g., GitHub, Postgres).
  - Boundary markers: The skill includes robust mitigation patterns, such as declarative interrupts (`interrupt_on`) for human-in-the-loop approvals and `FilesystemMiddleware` for path/extension whitelisting.
  - Capability inventory: Agents have access to `execute_command`, `write_file`, and `skill_invoke` tools across multiple files.
  - Sanitization: The documentation relies on architectural constraints and human review rather than explicit input sanitization.
Audit Metadata