langgraph-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's defaultTools (langgraph-agent.js) include a "shell" tool that executes arbitrary shell commands and returns their output into the agent message stream, which allows fetching/ingesting untrusted public web content (e.g., via curl/wget) that the agent will read and that can influence subsequent tool calls and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The agent calls an external LLM API at runtime using LLM_BASE_URL (e.g., https://openrouter.ai/api/v1 or https://api.z.ai/api/coding/paas/v4) to obtain model responses that can include function_call instructions which the skill will honor (including invoking the built-in "shell" tool to run arbitrary commands), so the remote URL's responses directly control prompts/instructions and can cause code execution.