SkillTotal

Is guardrails-ai safe?

No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Python shell/command execution
  • Python network egress
  • Python filesystem read

guardrails-ai is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 4 risky constructs are reported for review. It can: filesystem read, filesystem write, network egress and shell execution — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).

guardrails-ai 0.10.2

python_package · pypi:guardrails-ai
LOW
0
/ 100 risk score
Snapshot · scanned Jul 7, 2026 · guardrails-ai@0.10.2 · engine 0.34.2 / ruleset 34

Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of guardrails-ai's authors. Report a false positive.

Capabilities — what this component can do (not a risk score):
filesystem readfilesystem writenetwork egressshell execution

Findings (4)

HIGHPython shell/command executionST-SHELL-PY

The component can run operating-system commands or spawn processes.

result = subprocess.run(
            command,
            env=env,
            capture_output=True,  # Capture both stdout and stderr
            text=True,  # Automatically decode to strings
            check=True,  # Automatically raise e …
result = subprocess.run(
            command,
            env=env,
            capture_output=True,
            text=True,
            check=True,
        )
result = subprocess.run(
            command,
            env=env,
            capture_output=True,  # Capture both stdout and stderr
            text=True,  # Automatically decode to strings
            check=True,  # Automatically raise e …

Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; avoid shell=True.

MEDIUMPython filesystem readST-FS-PY-READ

The component reads files from disk.

with open(guardrails_rc, encoding="utf-8") as rc_file:
with open(config_template_path, "r") as file:
with open(target, "r") as validator_file:
with open(file_path, "r") as fin:
registry_str = registry_file.read_text()
registry = json.loads(registry_file.read_text())
registry = json.loads(registry_file.read_text())
with open(file_path, "r") as f:
schema = Path(schema_file).read_text()

Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.

Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.

MEDIUMPython filesystem write/deleteST-FS-PY-WRITE

The component writes or deletes files on disk.

with open(guardrails_rc, "w", encoding="utf-8") as rc_file:
with open(filepath, "wt") as fout:
with open(target, "w") as validator_file:
with open(out_path, "wt") as file_out:
with open(file_path, "r+") as file:
with open(out, "w") as f:
stub_file.write_text("\n".join(import_statements))
registry_file.write_text(json.dumps(registry, indent=2))
registry_file.write_text(json.dumps(registry, indent=2))
with open(hub_init_location, "a+") as hub_init:
with open(os.path.join(artifact_dir, f"{on_fail_type}.rail"), "w") as f:
with open(
            os.path.join(artifact_dir, f"compiled_prompt_{on_fail_type}{ext}.txt"), "w"
        ) as f:
with open(
            os.path.join(artifact_dir, f"llm_output_{on_fail_type}{ext}.txt"), "w"
        ) as f:
with open(
            os.path.join(artifact_dir, f"validated_response_{on_fail_type}{ext}.py"),
            "w",
        ) as f:

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.

MEDIUMPython network egressST-NET-PY

The component makes outbound network requests.

from httpx import AsyncClient, Client, HTTPStatusError
self.ahttp_client = AsyncClient(
            base_url=self.base_url, headers=headers, timeout=self.timeout
        )
self.http_client = Client(
            base_url=self.base_url, headers=headers, timeout=self.timeout
        )
req = requests.get(url, headers=headers)
req = requests.post(submission_url, data=request_body, headers=headers)
res = requests.get(f"https://pypi.org/pypi/{GUARDRAILS_PACKAGE_NAME}/json")
req = requests.post(validation_endpoint, data=request_body, headers=headers)

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

Check your own component

Run the same evidence-backed scan on any MCP server, agent skill, or package.

Scan your own component

Or get notified if this component's risk changes:

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →