langgraph-tools

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The skill is mostly documentation and examples, but it includes a direct use of eval on untrusted input (eval(expression)), which enables remote code execution and is a critical security vulnerability. Destructive operations (delete/transfer) are present but often wrapped with approval gates, and there are no clear signs of data exfiltration or credential theft.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill includes tool implementations that fetch arbitrary external web content—most clearly api_call_with_retry which calls requests.get(endpoint) (and examples like search_web/search_api.search)—and those results are returned into the agent's tool-call workflow for the model to read and interpret, exposing it to untrusted third-party content.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill prompt includes an explicit tool named transfer_funds with signature transfer_funds(from_account: str, to_account: str, amount: float) that calls execute_transfer(from_account, to_account, amount) to move money (with optional approval via interrupt for large amounts). This is a specific, money-moving function (direct transaction execution), not a generic tool, so it meets the "Direct Financial Execution" criteria.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 12:38 AM