Trust Assessment
langchain received a trust score of 57/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 0 high, 1 medium, and 2 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, Arbitrary Code Execution via `eval()` in `Calculator` Tool.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 68/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary Code Execution via `eval()` in `Calculator` Tool The `calculator` tool, demonstrated in the 'Agents - Tool-using reasoning' section, uses `func=lambda x: eval(x)`. This allows arbitrary Python code execution if the `x` input to the tool is controlled by an untrusted source (e.g., user input to the LLM agent). A malicious user could craft input that, when passed to this tool, executes arbitrary commands on the host system where the agent is running. The tool's description explicitly states 'Input: valid Python expression,' confirming its intent to execute code. Replace `eval(x)` with a safer, sandboxed expression evaluator or a dedicated math library that does not allow arbitrary code execution. For example, use `ast.literal_eval` for simple literals, or a library like `numexpr` for mathematical expressions. Alternatively, remove the `calculator` tool if its functionality is not strictly necessary or if a secure alternative cannot be implemented. | Static | SKILL.md:128 | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 | |
| LOW | Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 | |
| LOW | Unpinned Dependencies and `pip install -U` Usage The skill's manifest lists dependencies without specific version pinning, and the quick start guide instructs users to install packages using `pip install -U`. This practice installs the latest available versions, which can lead to supply chain risks. Future updates to these dependencies could introduce breaking changes, vulnerabilities, or even malicious code without explicit review, making the skill less reproducible and potentially vulnerable to future compromises of upstream packages. Pin all dependencies to specific versions (e.g., `langchain==0.1.0`) in the manifest and recommend specific versions in installation instructions. Regularly review and update dependency versions to incorporate security patches. | Static | SKILL.md:48 |
Scan History
Embed Code
[](https://skillshield.io/report/e15cf7c50c65142a)
Powered by SkillShield