Is langchain-core safe?
langchain-core is a Python package (scanner category: AI) analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators; four risky constructs are reported for review. Capabilities observed in the code: filesystem read, filesystem write, network egress, and a tool surface (MCP tools detected). A capability is what the code can do, not a verdict on intent. Risk score 0/100 (low).
langchain-core 1.4.8
- Python network egress
- Python filesystem read
- Python filesystem write/delete
No malicious indicators found by static analysis.
Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of langchain-core's authors.
Findings (4)
The component reads files from disk.
Path(self.filename).open(self.mode, encoding="utf-8"), # noqa: SIM115
return Path(self.path).read_text(encoding=self.encoding)
return Path(self.path).read_bytes()
with Path(self.path).open("rb") as f:
template = Path(template_file).read_text(encoding="utf-8")
template = resolved_path.read_text(encoding="utf-8")
template = Path(template_file).read_text(encoding=encoding)
content = pyproject_path.read_text(encoding="utf-8")
content = version_path.read_text(encoding="utf-8")
content = snapshot_path.read_text(encoding="utf-8", errors="replace")
Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files. The evidence reads from paths held on the object (`self.path`, `self.filename`), from a caller-supplied `template_file` (resolved first in one case), and from project metadata files (the pyproject, version and snapshot paths).
Fix: Confirm which files are read and that none of those path values can be influenced by untrusted input to reach sensitive locations.
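One way to carry out that check, as an added example that is not langchain-core's code: confine every requested path to a base directory by resolving both sides before comparing, so `..` segments, absolute paths and symlinks that point out of the base are all rejected by the same test. The `read_template` wrapper, the `templates` directory and its contents are hypothetical and constructed for the demo.

```python
from pathlib import Path
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested path would land outside the allowed base."""


def resolve_within(base_dir, requested) -> Path:
    """Resolve `requested` against `base_dir` and refuse anything outside it.

    Both sides are resolved first, so '..' segments, absolute paths and
    symlinks that point out of the base are all caught by one comparison.
    `base / "/etc/passwd"` silently discards `base`, which is exactly why the
    join *result*, not the input string, is what gets checked.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise UnsafePathError(f"{str(requested)!r} resolves outside {base}")
    return candidate


def read_template(base_dir, template_file, encoding="utf-8") -> str:
    """Hypothetical hardened form of a `Path(template_file).read_text(...)` call."""
    return resolve_within(base_dir, template_file).read_text(encoding=encoding)


def demo_paths() -> dict:
    """Exercise the guard on a constructed temp directory (no real package data)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "templates"
        base.mkdir()
        (base / "greet.txt").write_text("hello {name}", encoding="utf-8")
        # A symlink planted inside the base that points outside it.
        (base / "passwd").symlink_to("/etc/passwd")
        for req in ("greet.txt", "../../etc/passwd", "/etc/passwd", "passwd"):
            try:
                results[req] = read_template(base, req)
            except UnsafePathError:
                results[req] = "blocked"
    return results
```

Only the first request succeeds; the traversal, the absolute path and the planted symlink all resolve to somewhere outside `templates` and are refused before any read happens.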
The component writes or deletes files on disk.
Path(output_file_path).write_bytes(response.content)
Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input. The single write stores an HTTP response body (`response.content`) at `output_file_path`, so both the destination path and the origin of the fetched content matter.
Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.
The component makes outbound network requests.
import urllib.parse
parsed = urllib.parse.urlparse(url)
parsed = urllib.parse.urlparse(url)
from urllib.parse import urlparse
parsed = urlparse(url_str)
import httpx
self._inner = httpx.AsyncHTTPTransport(**transport_kwargs)  # type: ignore[arg-type]
pinned_request = httpx.Request(
    method=request.method,
    url=pinned_url,
    headers=request.headers,  # Host header already set to original
    content=request.content,
    extensions=extension …
self._inner = httpx.HTTPTransport(**transport_kwargs)  # type: ignore[arg-type]
pinned_request = httpx.Request(
    method=request.method,
    url=pinned_url,
    headers=request.headers,
    content=request.content,
    extensions=extensions,
)
return httpx.Client(
    transport=transport,
    **client_kwargs,  # type: ignore[arg-type]
)
return httpx.AsyncClient(
    transport=transport,
    **client_kwargs,  # type: ignore[arg-type]
)
import urllib.parse
import requests
encoded_bg_color = urllib.parse.quote(str(background_color), safe="")
response = requests.get(image_url, timeout=10, proxies=proxies)
from urllib.parse import urljoin, urlparse
parsed_base_url = urlparse(base_url_to_use)
parsed_url = urlparse(url)
parsed_link = urlparse(link)
absolute_path = urljoin(url, parsed_link.path)
parsed_path = urlparse(path)
from requests import HTTPError, Response
Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves. Two HTTP clients appear in the evidence: an httpx transport that re-issues each request to a pinned URL while keeping the original Host header (a DNS-pinning pattern), and a direct `requests.get(image_url, timeout=10, proxies=proxies)` call. A guard on the httpx transport does not cover the `requests` path, so check each client separately.
Fix: Confirm the destination hosts are expected, for every client in use, and that no sensitive data is sent off-host.
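As an added example of confirming destinations (not langchain-core's code): validate the scheme and host against an allowlist, resolve the host once, reject private, loopback and link-local answers, and build the pinned URL the request is actually sent to while keeping the hostname for the Host header. That last step mirrors the pinned-URL pattern visible in the evidence above. The resolver is injected so the check runs offline; the DNS table, hostnames and allowlist are constructed for the demo.

```python
import ipaddress
from urllib.parse import urlparse, urlunparse


class EgressDenied(ValueError):
    """Raised when an outbound URL fails the destination policy."""


def _is_public(ip: str) -> bool:
    """True only for globally routable unicast addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def pin_url(url: str, allowed_hosts, resolve):
    """Validate `url` and return (pinned_url, host_header).

    `resolve(hostname) -> ip string` is injected so the check is testable
    offline; in production it wraps socket.getaddrinfo. The request is later
    sent to `pinned_url` (IP in place of hostname) with `host_header` as the
    Host header, so a second, different DNS answer at connect time cannot
    redirect it (DNS rebinding). Redirect responses need the same check again.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise EgressDenied(f"scheme {parsed.scheme!r} not allowed")
    if parsed.username or parsed.password:
        raise EgressDenied("credentials in URL not allowed")
    host = parsed.hostname
    if host is None or host.lower() not in allowed_hosts:
        raise EgressDenied(f"host {host!r} not in allowlist")
    ip = resolve(host)
    if not _is_public(ip):
        raise EgressDenied(f"{host} resolves to non-public address {ip}")
    netloc = f"[{ip}]" if ":" in ip else ip  # bracket IPv6 literals
    if parsed.port is not None:
        netloc = f"{netloc}:{parsed.port}"
    return urlunparse(parsed._replace(netloc=netloc)), host


def demo_egress() -> dict:
    """Run the policy over constructed URLs with a constructed DNS table."""
    dns = {  # stand-in resolver data, not real records
        "api.example.com": "93.184.216.34",
        "internal.example.com": "10.0.0.5",
        "meta.example.com": "169.254.169.254",
        "v6.example.com": "2606:2800:220:1:248:1893:25c8:1946",
    }
    allowed = set(dns)
    out = {}
    for url in (
        "https://api.example.com/v1/search?q=x",
        "http://internal.example.com:8080/admin",
        "https://meta.example.com/latest/meta-data/",
        "https://v6.example.com:8443/",
        "file:///etc/passwd",
        "https://evil.example.net/",
        "https://user:pw@api.example.com/",
    ):
        try:
            out[url] = pin_url(url, allowed, dns.__getitem__)[0]
        except EgressDenied as exc:
            out[url] = f"denied: {exc}"
    return out
```

Note that an allowlisted hostname is not enough on its own: `internal.example.com` and `meta.example.com` are on the list but still fail because their resolved addresses are private or link-local, which is the case a cloud metadata SSRF relies on.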
An MCP tool surface (manifest or tool definitions) was found.
- **tool** -- from tools defined via `@tool` decorator or inheriting
@tool(extras={"defer_loading": True, "cache_control": {"type": "ephemeral"}})
@tool("search", return_direct=True)
@tool(response_format="content_and_artifact")
@tool(parse_docstring=True)
# e.g., @tool("name", runnable, "extra_arg")
# @tool("search")
# @tool("search", parse_docstring=True)
# @tool(parse_docstring=True)
Why it matters: Context rather than a risk on its own; review which tools it offers and what they are allowed to do. The evidence includes `@tool("search", return_direct=True)`: `return_direct` hands the tool's output straight back to the caller instead of into the agent loop, so such tools merit a closer look.
Fix: Review the declared MCP tools and their permissions, noting which of them set `return_direct`.
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.
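The tool review above and the methodology line come down to the same mechanism, so here is one added example (not SkillTotal's scanner and not langchain-core code) of an evidence-anchored AST pass in Python: it walks a parsed module without executing it, reports file reads and writes, outbound HTTP calls and `@tool` declarations together with the source line each sits on, and pulls the tool name and `return_direct` flag out of the decorator. The module `SAMPLE` is constructed for the demo, and the call tables are a deliberately small stand-in for what a real scanner carries.

```python
import ast
from dataclasses import dataclass

# Name tables, deliberately small; a real scanner carries far more entries.
FS_READ = {"read_text", "read_bytes", "open"}
FS_WRITE = {"write_text", "write_bytes", "unlink", "rmtree"}
NET_CALLS = {"requests.get", "requests.post", "httpx.Client", "httpx.AsyncClient",
             "httpx.HTTPTransport", "httpx.AsyncHTTPTransport", "urllib.request.urlopen"}


@dataclass(frozen=True)
class Finding:
    category: str   # fs_read | fs_write | net_egress | tool
    line: int       # 1-based line the finding is anchored to
    evidence: str   # that source line, whitespace-stripped
    detail: str = ""


def _dotted(node):
    """'a.b.c' for an Attribute chain rooted at a Name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None


def _classify_call(call):
    """Category for a Call node, or None. `Path(p).read_text()` has no dotted
    root (its receiver is itself a call), so the method name alone is matched."""
    func = call.func
    if isinstance(func, ast.Name):
        qualified = attr = func.id
    elif isinstance(func, ast.Attribute):
        qualified, attr = _dotted(func), func.attr
    else:
        return None
    if qualified in NET_CALLS:
        return "net_egress"
    if attr in FS_WRITE:
        return "fs_write"
    if attr == "open":
        # Only a literal mode reveals a write; `open(self.mode, ...)` stays a read.
        mode = call.args[0] if call.args else None
        writes = isinstance(mode, ast.Constant) and isinstance(mode.value, str) and set(mode.value) & set("wa+")
        return "fs_write" if writes else "fs_read"
    return "fs_read" if attr in FS_READ else None


def _tool_detail(func_node, dec):
    """Tool name (first string arg, else the function name) and return_direct flag."""
    name, return_direct = func_node.name, False
    if isinstance(dec, ast.Call):
        if dec.args and isinstance(dec.args[0], ast.Constant) and isinstance(dec.args[0].value, str):
            name = dec.args[0].value
        for kw in dec.keywords:
            if kw.arg == "return_direct" and isinstance(kw.value, ast.Constant):
                return_direct = bool(kw.value.value)
    return f"name={name} return_direct={return_direct}"


def scan_source(source: str) -> list:
    """Evidence-anchored findings sorted by line. Nothing in `source` is executed."""
    lines = source.splitlines()
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            category = _classify_call(node)
            if category:
                findings.append(Finding(category, node.lineno, lines[node.lineno - 1].strip()))
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in node.decorator_list:
                target = dec.func if isinstance(dec, ast.Call) else dec
                if _dotted(target) == "tool":
                    findings.append(Finding("tool", dec.lineno, lines[dec.lineno - 1].strip(),
                                            _tool_detail(node, dec)))
    return sorted(findings, key=lambda f: f.line)


SAMPLE = '''\
from pathlib import Path
import requests
from langchain_core.tools import tool

def load(path):
    return Path(path).read_text(encoding="utf-8")

def fetch(image_url, out):
    response = requests.get(image_url, timeout=10)
    Path(out).write_bytes(response.content)

@tool("search", return_direct=True)
def search(query: str) -> str:
    """Search the web."""
    return "..."

@tool(parse_docstring=True)
def add(a: int, b: int) -> int:
    """Add two numbers."""
    return a + b
'''
```

Running `scan_source(SAMPLE)` yields one read, one egress call, one write and two tool declarations, each with its line and the exact source text as evidence. The same design explains the caveat on this page: name-based matching misses aliased imports (`import requests as r`) and attribute-qualified decorators, giving false negatives, while any `.read_text` method on a non-path object would be reported, giving false positives.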