Scanning LangChain with AgentGuard: 380 Security Findings in the World's Most Popular Agent Framework
We ran AgentGuard v0.5.4 against the LangChain codebase (1,784 Python files). Here is what we found.
Summary
| Metric | Value |
|---|---|
| Files scanned | 1,784 |
| Total findings | 380 |
| Critical | 86 |
| High | 249 |
| Medium | 45 |
Breakdown by OWASP ASI Category
| Rule | Count | What it means |
|---|---|---|
| ASI09 Agent Loop | 233 | Unbounded agent loops -- no depth limit, recursion without exit |
| ASI10 Trust Boundary | 42 | Code that modifies itself at runtime |
| ASI02 Tool Abuse | 34 | Shell access, subprocess with shell=True, os.system exposed to agents |
| ASI03 Data Exfiltration | 26 | External URL calls, secret logging |
| ASI01 Prompt Injection | 19 | Untrusted input flowing into LLM prompts |
| ASI06 Unsafe Eval | 14 | eval(), exec(), pickle.loads() |
| ASI01 Taint Tracking | 4 | AST-traced source-to-sink data flow |
| ASI04 Excessive Agency | 4 | sudo/chmod/setuid access from agent context |
| ASI08 Context Manipulation | 4 | Unbounded context window without limits |
Top 5 Most Interesting Findings
1. Shell tool exposed to agent (CRITICAL)
File: libs/partners/anthropic/langchain_anthropic/middleware/bash.py:16
LangChain exposes a bash execution tool to agents. This is by design (it is a tool for agents to run commands), but it means any agent using this tool can execute arbitrary shell commands.
2. Agent self-modification (CRITICAL)
File: libs/core/langchain_core/tracers/root_listeners.py:67
The tracer uses setattr() to modify its own behavior at runtime. If an agent can influence the listener configuration, it could modify its own tracing/monitoring -- effectively becoming invisible.
3. Tainted data in LLM prompt (CRITICAL)
File: libs/langchain_v1/langchain/agents/middleware/tool_emulator.py:138
AgentGuard's AST taint tracker detected untrusted data flowing into a prompt variable without sanitization. This is a real prompt injection vector -- tool output is piped directly into the LLM.
4. Privilege escalation (CRITICAL)
File: libs/langchain/langchain_classic/storage/file_system.py:93
The file system storage includes sudo/chmod operations. If an agent can reach this code path, it could escalate privileges on the host.
5. Secret logging (CRITICAL)
File: libs/partners/openai/scripts/record_codex_cassettes.sh:97
Credentials are written to stdout or log files. If those logs are collected by a monitoring system, the secrets are exposed to whoever can read them.
What This Means
LangChain is the most popular AI agent framework. It powers thousands of production deployments. These findings do not mean LangChain is "broken" -- many of them are intentional design choices (agents need tools, tools need shell access).
However, the findings highlight that:
- Agent security is not optional. When you give an agent tools, you are creating attack surface. Every `os.system` is a potential RCE if the agent can be prompt-injected.
- AST-based scanning works at scale. AgentGuard scanned 1,784 files in seconds and found real issues -- including taint flows that regex-only tools would miss.
- OWASP ASI Top 10 is relevant. Every category fired on real code. This is not theoretical.
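To make concrete what "AST-traced source-to-sink data flow" and sink detection look like, here is a small scanner added for this post. It is not AgentGuard's code and does not reproduce its rules; the rule labels are borrowed from the table above only as tags, the prompt-sink call names (`llm.invoke`, `model.invoke`, `chat`) are an assumption, and the module it scans is a constructed sample written in the style of an agent tool file, not LangChain source. It treats every function parameter as untrusted, propagates taint through assignments, and reports when a tainted name reaches a prompt sink, alongside direct hits on `os.system`, `subprocess.*(shell=True)`, `eval`, `exec` and `pickle.loads`.

```python
"""Toy AST scanner illustrating sink detection plus intra-function taint tracking.
Added example for this post; not AgentGuard's implementation. The sample source
below is constructed, and the prompt-sink names are assumptions."""
import ast
from dataclasses import dataclass

# Direct sinks: a call to any of these is reported on sight.
DANGEROUS_CALLS = {
    "os.system": "ASI02 Tool Abuse",
    "eval": "ASI06 Unsafe Eval",
    "exec": "ASI06 Unsafe Eval",
    "pickle.loads": "ASI06 Unsafe Eval",
}
# subprocess entry points that become shell sinks only when shell=True is passed.
SHELL_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_output"}
# Calls we treat as "text goes into the model" (assumed names for illustration).
PROMPT_SINKS = {"llm.invoke", "model.invoke", "chat"}


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def names_in(node):
    """All bare identifiers referenced anywhere under this node."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self.tainted = set()  # names currently known to carry untrusted data

    def visit_FunctionDef(self, node):
        # Source rule: every parameter is untrusted (conservative by design).
        saved = self.tainted
        self.tainted = {a.arg for a in node.args.args}
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        # Propagation: if any name on the right-hand side is tainted, so are the targets.
        if names_in(node.value) & self.tainted:
            for target in node.targets:
                self.tainted |= names_in(target)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append(Finding(DANGEROUS_CALLS[name], node.lineno, f"{name}() call"))
        if name in SHELL_CALLS and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self.findings.append(Finding("ASI02 Tool Abuse", node.lineno, f"{name}(shell=True)"))
        if name in PROMPT_SINKS:
            # Sink rule: a tainted name used as an argument to a prompt sink.
            flowing = {n for a in node.args for n in names_in(a)} & self.tainted
            if flowing:
                self.findings.append(Finding("ASI01 Taint Tracking", node.lineno,
                                             f"untrusted {sorted(flowing)} reaches {name}()"))
        self.generic_visit(node)


def scan_source(src: str):
    """Parse one Python module and return its findings ordered by line."""
    scanner = Scanner()
    scanner.visit(ast.parse(src))
    return sorted(scanner.findings, key=lambda f: f.line)


# Constructed sample module (not LangChain code); line numbers are noted for the reader.
SAMPLE = '''
import os, subprocess, pickle

def run_tool(command):
    os.system(command)                       # line 5: direct shell sink
    subprocess.run(command, shell=True)      # line 6: shell=True sink

def emulate(tool_output, llm):
    prompt = "Summarize: " + tool_output     # taint propagates into prompt
    return llm.invoke(prompt)                # line 10: tainted prompt reaches model

def load(blob):
    return pickle.loads(blob)                # line 13: unsafe deserialization
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.rule:22} line {f.line:3}  {f.detail}")
```

The taint logic is deliberately crude (no sanitizer awareness, no cross-function flow), which is exactly why a regex that only greps for `os.system` cannot find the line-10 case: nothing on that line is suspicious by itself, only the path from `tool_output` through `prompt` is.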
Try It Yourself
```shell
pip install dfx-agentguard
agentguard . --format text
```
Scan your own agent code. The findings might surprise you.
AgentGuard is MIT-licensed and available on GitHub and PyPI. This scan was performed against the LangChain commit current as of July 2, 2026, using AgentGuard v0.5.4.