SkillTotal

Is langsmith safe?

langsmith is an AI python_package analyzed by SkillTotal's deterministic static scanner. The scan found no malicious indicators, though 5 risky constructs are reported for review. It can: filesystem read, filesystem write, network egress and shell execution — capabilities are what the code can do, not a verdict on intent. Risk score 10/100 (low).

langsmith 0.9.7

python_package · pypi:langsmith
LOW
10
/ 100 risk score
Snapshot · scanned Jul 3, 2026 · langsmith@0.9.7 · engine 0.24.0 / ruleset 25
No malicious indicators - review capabilities before installing
Notable — review in context (capabilities are not malware):
  • Python shell/command execution
  • Python filesystem write/delete
  • Python filesystem read

No malicious indicators found by static analysis.

Automated static-analysis result. It can contain false positives and false negatives, and is not a claim about the intent of langsmith's authors. Report a false positive.

Capabilities — what this component can do (not a risk score):
filesystem readfilesystem writenetwork egressshell execution

Findings (5)

HIGHPython shell/command executionST-SHELL-PY

The component can run operating-system commands or spawn processes.

subprocess.check_call(
            ["docker", "compose", "--version"],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
subprocess.check_call(
                ["docker-compose", "--version"],
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
            )

Why it matters: Powerful and often legitimate — confirm the commands aren't built from untrusted input.

Fix: Confirm the command and its arguments are fully controlled and not derived from untrusted input; avoid shell=True.

MEDIUMServer bound to all network interfacesST-EXPOSE-BIND

A server is bound to all network interfaces (0.0.0.0), not just your own machine.

{"localhost", "127.0.0.1", "0.0.0.0", "::1", "0:0:0:0:0:0:0:1"}
return ip == "127.0.0.1" or ip.startswith("0.0.0.0") or ip.startswith("::")

Why it matters: Without authentication, other hosts on the network can reach it.

Fix: Bind to 127.0.0.1 for local-only use, or require authentication and restrict access if remote exposure is intended.

MEDIUMPython filesystem readST-FS-PY-READ

The component reads files from disk.

with open(os.path.join(lock_dir, _LOCK_METADATA_FILE), encoding="utf-8") as f:
file = open(data_or_path, "rb")
raw = json.loads(path.read_text(encoding="utf-8"))
raw = json.loads(self._state.path.read_text(encoding="utf-8"))
return (path.name, path.read_bytes())
return pathlib.Path(file).read_bytes()
return (path.name, await path.read_bytes())
return await anyio.Path(file).read_bytes()
binary = await anyio.Path(data).read_bytes()
with open(csv_file, "rb") as f:
file = open(attachment_data, "rb")
audio_bytes = audio_path.read_bytes()

Why it matters: Usually legitimate, but worth confirming it can't be steered into reading sensitive files.

Fix: Confirm which files are read and that paths cannot be influenced by untrusted input to reach sensitive locations.

MEDIUMPython filesystem write/deleteST-FS-PY-WRITE

The component writes or deletes files on disk.

with open(meta, "w", encoding="utf-8") as f:
temp_path.write_text(json.dumps(config, indent=2) + "\n", encoding="utf-8")
temp_path.write_text(json.dumps(envelope))
with open(temp_path, "w") as f:

Why it matters: Usually legitimate, but worth confirming the paths can't be controlled by untrusted input.

Fix: Confirm which files are written/deleted and that paths cannot be influenced by untrusted input.

MEDIUMPython network egressST-NET-PY

The component makes outbound network requests.

from urllib.parse import urlencode
query = urlencode({"organizationId": organization_id})
from urllib3 import __version__ as urllib3version  # type: ignore[import-untyped]
from urllib3 import connection  # type: ignore[import-untyped]
headers["User-Agent"] = connection._get_default_user_agent()
import aiohttp.streams as aiohttp_streams
response = requests.post(
            f"{refresh_url}/oauth/token",
            data={
                "grant_type": "refresh_token",
                "client_id": _OAUTH_CLIENT_ID,
                "refresh_token": refresh_token, …
from httpx._config import (
        DEFAULT_TIMEOUT_CONFIG,  # pyright: ignore[reportPrivateImportUsage]
    )
from httpx._config import DEFAULT_TIMEOUT_CONFIG as HTTPX_DEFAULT_TIMEOUT
return httpx.QueryParams(cast(Any, self._options.params)).merge(url.params)
self._base_url = self._enforce_trailing_slash(URL(base_url))
headers = httpx.Headers(headers_dict)
self._base_url = self._enforce_trailing_slash(url if isinstance(url, URL) else URL(url))
DEFAULT_TIMEOUT = httpx.Timeout(timeout=90, connect=5.0)
DEFAULT_CONNECTION_LIMITS = httpx.Limits(max_connections=100, max_keepalive_connections=20)
from urllib.parse import parse_qs, urlencode
return urlencode(
            self.stringify_items(
                params,
                array_format=array_format,
                nested_format=nested_format,
            )
        )

Why it matters: Usually legitimate, but confirm the destinations are expected and no sensitive data leaves.

Fix: Confirm the destination hosts are expected and that no sensitive data is sent off-host.

Check your own component

Run the same evidence-backed scan on any MCP server, agent skill, or package.

Scan your own component

Or get notified if this component's risk changes:

How we determine this: deterministic static analysis (regex + AST), evidence-anchored, no code execution. Methodology →