Is langsmith safe?
langsmith is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 5 risky constructs are reported for review. It can: filesystem read, filesystem write, network egress and shell execution — capabilities are what the code can do, not a verdict on intent. Risk score 10/100 (low).
langsmith 0.9.7
- Python shell/command execution
- Python filesystem write/delete
- Python filesystem read
No malicious indicators found by static analysis.
Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of langsmith's authors. Report a false positive.
Findings (5)
The component can run operating-system commands or spawn processes.
subprocess.check_call(
["docker", "compose", "--version"],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL,
)subprocess.check_call(
["docker-compose", "--version"],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL,
)Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.
Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; avoid shell=True.
A server is bound to all network interfaces (0.0.0.0), not just your own machine.
{"localhost", "127.0.0.1", "0.0.0.0", "::1", "0:0:0:0:0:0:0:1"}return ip == "127.0.0.1" or ip.startswith("0.0.0.0") or ip.startswith("::")Why it matters: Without authentication, other hosts on the network can reach it.
Fix: Bind to 127.0.0.1 for local-only use, or require authentication and restrict access if remote exposure is intended.
The component reads files from disk.
with open(os.path.join(lock_dir, _LOCK_METADATA_FILE), encoding="utf-8") as f:
file = open(data_or_path, "rb")
raw = json.loads(path.read_text(encoding="utf-8"))
raw = json.loads(self._state.path.read_text(encoding="utf-8"))
return (path.name, path.read_bytes())
return pathlib.Path(file).read_bytes()
return (path.name, await path.read_bytes())
return await anyio.Path(file).read_bytes()
binary = data.read_bytes()
binary = await anyio.Path(data).read_bytes()
contents = Path(path).read_bytes()
with open(csv_file, "rb") as f:
file = open(attachment_data, "rb")
with open(path) as f:
with open(path) as f:
audio_bytes = audio_path.read_bytes()
with open(path) as f:
Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.
Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.
The component writes or deletes files on disk.
os.remove(filepath)
with open(filepath, "w") as f:
shutil.rmtree(path)
with open(meta, "w", encoding="utf-8") as f:
temp_path.write_text(json.dumps(config, indent=2) + "\n", encoding="utf-8")
with open(file, mode="wb") as f:
with open(file, mode="wb") as f:
temp_path.write_text(json.dumps(envelope))
with open(temp_path, "w") as f:
Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.
Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.
The component makes outbound network requests.
from urllib.parse import urlencode
query = urlencode({"organizationId": organization_id})from urllib3 import __version__ as urllib3version # type: ignore[import-untyped]
from urllib3 import connection # type: ignore[import-untyped]
headers["User-Agent"] = connection._get_default_user_agent()
import aiohttp.streams as aiohttp_streams
import requests
response = requests.post(
f"{refresh_url}/oauth/token",
data={
"grant_type": "refresh_token",
"client_id": _OAUTH_CLIENT_ID,
"refresh_token": refresh_token, …import httpx
from httpx import URL
from httpx._config import (
DEFAULT_TIMEOUT_CONFIG, # pyright: ignore[reportPrivateImportUsage]
)from httpx._config import DEFAULT_TIMEOUT_CONFIG as HTTPX_DEFAULT_TIMEOUT
return httpx.QueryParams(cast(Any, self._options.params)).merge(url.params)
self._base_url = self._enforce_trailing_slash(URL(base_url))
headers = httpx.Headers(headers_dict)
merge_url = URL(url)
self._base_url = self._enforce_trailing_slash(url if isinstance(url, URL) else URL(url))
import httpx
import httpx
DEFAULT_TIMEOUT = httpx.Timeout(timeout=90, connect=5.0)
DEFAULT_CONNECTION_LIMITS = httpx.Limits(max_connections=100, max_keepalive_connections=20)
import httpx
from urllib.parse import parse_qs, urlencode
return parse_qs(query)
return urlencode(
self.stringify_items(
params,
array_format=array_format,
nested_format=nested_format,
)
)Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.
Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.
Check your own component
Run the same evidence-backed scan on any MCP server, agent skill, or package.
Scan your own componentOr get notified if this component's risk changes:
How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →