SkillTotal

Is langchain-core safe?

langchain-core is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 4 risky constructs are reported for review. It can: filesystem read, filesystem write, mcp tools detected and network egress — capabilities are what the code can do, not a verdict on intent. Risk score 0/100 (low).

langchain-core 1.4.8

python_package · pypi:langchain-core
LOW · 0 / 100 risk score
Snapshot · scanned Jul 2, 2026 · langchain-core@1.4.8 · engine 0.24.0 / ruleset 25
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Python network egress
  • Python filesystem read
  • Python filesystem write/delete

No malicious indicators found by static analysis.

Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of langchain-core's authors.

Capabilities — what this component can do (not a risk score):
  • filesystem read
  • filesystem write
  • mcp tools detected
  • network egress

Findings (4)

MEDIUM · Python filesystem read · ST-FS-PY-READ

The component reads files from disk.

Path(self.filename).open(self.mode, encoding="utf-8"),  # noqa: SIM115
return Path(self.path).read_text(encoding=self.encoding)
return Path(self.path).read_bytes()
with Path(self.path).open("rb") as f:
template = Path(template_file).read_text(encoding="utf-8")
template = resolved_path.read_text(encoding="utf-8")
template = Path(template_file).read_text(encoding=encoding)
content = pyproject_path.read_text(encoding="utf-8")
content = version_path.read_text(encoding="utf-8")
content = snapshot_path.read_text(encoding="utf-8", errors="replace")

Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.

Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.

MEDIUM · Python filesystem write/delete · ST-FS-PY-WRITE

The component writes or deletes files on disk.

Path(output_file_path).write_bytes(response.content)

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.

MEDIUM · Python network egress · ST-NET-PY

The component makes outbound network requests.

parsed = urllib.parse.urlparse(url)
parsed = urllib.parse.urlparse(url)
self._inner = httpx.AsyncHTTPTransport(**transport_kwargs)  # type: ignore[arg-type]
pinned_request = httpx.Request(
            method=request.method,
            url=pinned_url,
            headers=request.headers,  # Host header already set to original
            content=request.content,
            extensions=extension …
self._inner = httpx.HTTPTransport(**transport_kwargs)  # type: ignore[arg-type]
pinned_request = httpx.Request(
            method=request.method,
            url=pinned_url,
            headers=request.headers,
            content=request.content,
            extensions=extensions,
        )
return httpx.Client(
        transport=transport,
        **client_kwargs,  # type: ignore[arg-type]
    )
return httpx.AsyncClient(
        transport=transport,
        **client_kwargs,  # type: ignore[arg-type]
    )
encoded_bg_color = urllib.parse.quote(str(background_color), safe="")
response = requests.get(image_url, timeout=10, proxies=proxies)
from urllib.parse import urljoin, urlparse
parsed_base_url = urlparse(base_url_to_use)
parsed_url = urlparse(url)
parsed_link = urlparse(link)
absolute_path = urljoin(url, parsed_link.path)
parsed_path = urlparse(path)
from requests import HTTPError, Response

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

LOW · MCP tool surface detected · ST-MCP-DETECTED

An MCP tool surface (manifest or tool definitions) was found.

- **tool** -- from tools defined via `@tool` decorator or inheriting
@tool(extras={"defer_loading": True, "cache_control": {"type": "ephemeral"}})
@tool("search", return_direct=True)
@tool(response_format="content_and_artifact")
# e.g., @tool("name", runnable, "extra_arg")
# @tool("search", parse_docstring=True)
# @tool(parse_docstring=True)

Why it matters: Just context — review which tools it offers and their permissions.

Fix: Review the declared MCP tools and their permissions.


How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution.