langgraph-agent
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes a default shell tool that uses child_process.exec to execute arbitrary commands on the host system.
  - Evidence: Found in langgraph-agent.js within the defaultTools object. The execute function for the shell tool takes a command argument and runs it via execAsync without any command validation or restricted environment.
- [DATA_EXFILTRATION]: The built-in file_read and file_write tools provide unrestricted access to the local filesystem, allowing the agent to read sensitive files or modify system configurations.
  - Evidence: langgraph-agent.js contains implementations for file_read (using fs.readFile) and file_write (using fs.writeFile) that do not implement path sandboxing or directory traversal protection.
- [PROMPT_INJECTION]: The agent framework is vulnerable to indirect prompt injection, where malicious content from a file or command output can manipulate the agent's behavior.
  - Ingestion points: Content retrieved via file_read and stdout/stderr from shell are appended directly to the conversation history in the AgentState within langgraph-agent.js.
  - Boundary markers: The skill does not use delimiters, XML tags, or system-level warnings to distinguish between tool-returned data and agent instructions.
  - Capability inventory: The agent possesses high-impact capabilities including arbitrary shell execution (shell), file reading (file_read), and file writing (file_write).
  - Sanitization: No sanitization, escaping, or validation is performed on the data returned by tools before it is passed back to the LLM for the next turn in the loop.
Recommendations
- AI detected serious security threats
Audit Metadata