Dockfix Labs

Scanning LangChain with AgentGuard: 380 Security Findings in the World's Most Popular Agent Framework

We ran AgentGuard v0.5.4 against the LangChain codebase (1,784 Python files). Here is what we found.

Summary

| Metric | Value |
|---|---|
| Files scanned | 1,784 |
| Total findings | 380 |
| Critical | 86 |
| High | 249 |
| Medium | 45 |

Breakdown by OWASP ASI Category

| Rule | Count | What it means |
|---|---|---|
| ASI09 Agent Loop | 233 | Unbounded agent loops: no depth limit, recursion without exit |
| ASI10 Trust Boundary | 42 | Code that modifies itself at runtime |
| ASI02 Tool Abuse | 34 | Shell access, subprocess with shell=True, os.system exposed to agents |
| ASI03 Data Exfiltration | 26 | External URL calls, secret logging |
| ASI01 Prompt Injection | 19 | Untrusted input flowing into LLM prompts |
| ASI06 Unsafe Eval | 14 | eval(), exec(), pickle.loads() |
| ASI01 Taint Tracking | 4 | AST-traced source-to-sink data flow |
| ASI04 Excessive Agency | 4 | sudo/chmod/setuid access from agent context |
| ASI08 Context Manipulation | 4 | Unbounded context window without limits |

Top 5 Most Interesting Findings

1. Shell tool exposed to agent (CRITICAL)

File: libs/partners/anthropic/langchain_anthropic/middleware/bash.py:16

LangChain exposes a bash execution tool to agents. This is by design (it is a tool for agents to run commands), but it means any agent using this tool can execute arbitrary shell commands.

2. Agent self-modification (CRITICAL)

File: libs/core/langchain_core/tracers/root_listeners.py:67

The tracer uses setattr() to modify its own behavior at runtime. If an agent can influence the listener configuration, it could modify its own tracing/monitoring -- effectively becoming invisible.

3. Tainted data in LLM prompt (CRITICAL)

File: libs/langchain_v1/langchain/agents/middleware/tool_emulator.py:138

AgentGuard's AST taint tracker detected untrusted data flowing into a prompt variable without sanitization. This is a real prompt injection vector -- tool output is piped directly into the LLM.
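To make the ASI02/ASI06 sink rules from the breakdown table and the source-to-sink taint flow in finding 3 concrete, here is a small AST-based scanner written for this post. It is an added example, not AgentGuard's code and not LangChain's; the sink names, the hypothetical untrusted parameter names (`tool_output`, `user_input`, `observation`), the hypothetical prompt-sink method names (`invoke`, `predict`, `format_prompt`) and the `SAMPLE` source it scans are all constructed for illustration. It seeds taint from function parameters, propagates it through assignments (f-strings included), and reports when a tainted identifier reaches a prompt sink, alongside plain sink matches for `os.system`, `subprocess.*(shell=True)`, `eval`/`exec` and `pickle.loads`.

```python
import ast
from collections import Counter
from dataclasses import dataclass

# Sink table keyed by the dotted call name this toy scanner resolves.
# Rule labels follow the OWASP ASI categories used in the post's table.
SINKS = {
    "os.system": "ASI02 Tool Abuse",
    "subprocess.run": "ASI02 Tool Abuse",    # flagged only with shell=True
    "subprocess.Popen": "ASI02 Tool Abuse",  # flagged only with shell=True
    "subprocess.call": "ASI02 Tool Abuse",   # flagged only with shell=True
    "eval": "ASI06 Unsafe Eval",
    "exec": "ASI06 Unsafe Eval",
    "pickle.loads": "ASI06 Unsafe Eval",
}
SHELL_SINKS = {"subprocess.run", "subprocess.Popen", "subprocess.call"}
SOURCE_PARAMS = {"tool_output", "user_input", "observation"}  # hypothetical taint sources
PROMPT_SINKS = {"invoke", "predict", "format_prompt"}         # hypothetical LLM entry points


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


def call_name(node: ast.Call) -> str:
    """Resolve a call to 'mod.attr' or 'name'; '' when it is not a plain dotted name."""
    f, parts = node.func, []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""


def names_in(node: ast.AST) -> set[str]:
    """Every bare identifier referenced under `node`, f-string interpolations included."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


class Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []
        self.tainted: set[str] = set()  # identifiers carrying untrusted data in the current function

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        # Taint is seeded at the function boundary from untrusted parameter names.
        self.tainted = {a.arg for a in node.args.args if a.arg in SOURCE_PARAMS}
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Assigning from a tainted value taints the target: prompt = f"...{tool_output}..."
        if names_in(node.value) & self.tainted:
            self.tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = call_name(node)
        if name in SINKS:
            if name in SHELL_SINKS:
                shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                            and k.value.value is True for k in node.keywords)
                if shell:
                    self.findings.append(Finding(SINKS[name], node.lineno, f"{name}(shell=True)"))
            else:
                self.findings.append(Finding(SINKS[name], node.lineno, f"{name}() call"))
        # Source-to-sink: a tainted identifier passed straight into a prompt sink.
        if isinstance(node.func, ast.Attribute) and node.func.attr in PROMPT_SINKS:
            hit = set().union(*(names_in(a) for a in node.args)) & self.tainted
            if hit:
                self.findings.append(Finding("ASI01 Taint Tracking", node.lineno,
                                             f"{sorted(hit)} reaches .{node.func.attr}() unsanitized"))
        self.generic_visit(node)


def scan_source(src: str) -> list[Finding]:
    scanner = Scanner()
    scanner.visit(ast.parse(src))
    return scanner.findings


def count_by_rule(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Constructed sample module: one taint flow, two shell sinks, one unsafe deserialisation,
# and one list-argv subprocess call that must NOT be flagged.
SAMPLE = '''
import os, subprocess, pickle

def emulate_tool(tool_output, llm):
    prompt = f"Tool returned: {tool_output}. Summarize it."
    return llm.invoke(prompt)

def run_cmd(cmd):
    subprocess.run(cmd, shell=True)
    os.system(cmd)

def load(blob):
    return pickle.loads(blob)

def list_dir():
    subprocess.run(["ls", "-l"], check=True)  # argv list, no shell: not flagged
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Run it as a script to see the four findings; a regex grep for `shell=True` would catch line 9 but not the f-string taint flow on line 6, which is the point the post makes about AST-based tracking.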

4. Privilege escalation (CRITICAL)

File: libs/langchain/langchain_classic/storage/file_system.py:93

The file system storage includes sudo/chmod operations. If an agent can reach this code path, it could escalate privileges on the host.

5. Secret logging (CRITICAL)

File: libs/partners/openai/scripts/record_codex_cassettes.sh:97

Credentials are written to stdout/logs. If these logs are collected by a monitoring system, the secrets are exposed.

What This Means

LangChain is the most popular AI agent framework. It powers thousands of production deployments. These findings do not mean LangChain is "broken" -- many of them are intentional design choices (agents need tools, tools need shell access).

However, the findings highlight that:

  1. Agent security is not optional. When you give an agent tools, you are creating attack surface. Every os.system is a potential RCE if the agent can be prompt-injected.

  2. AST-based scanning works at scale. AgentGuard scanned 1,784 files in seconds and found real issues -- including taint flows that regex-only tools would miss.

  3. OWASP ASI Top 10 is relevant. Every category fired on real code. This is not theoretical.
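The two largest buckets above, unbounded agent loops (ASI09) and shell access from tools (ASI02), both have straightforward mitigations. The following is an added example written for this post, not LangChain's or AgentGuard's code: a minimal tool-calling loop with a hard step limit, and a shell tool that builds an argv list with `shlex` instead of passing a string through `shell=True`, so metacharacters in a prompt-injected command reach the binary as literal arguments. The `ALLOWED_BINARIES` allowlist and the two stand-in "LLM" callables are constructed so the example runs offline.

```python
import shlex
import subprocess


class StepLimitExceeded(RuntimeError):
    """The agent loop reached its depth limit without producing a final answer."""


# Hypothetical allowlist: the only binaries the agent's shell tool may start.
ALLOWED_BINARIES = {"ls", "echo", "cat"}


def run_command(command: str, timeout: float = 5.0) -> str:
    """Execute an agent-requested command without a shell.

    shlex.split turns the request into an argv list, so pipes, semicolons and
    substitutions are passed to the binary as plain arguments rather than being
    interpreted. The first element must be on the allowlist.
    """
    argv = shlex.split(command)
    if not argv or argv[0] not in ALLOWED_BINARIES:
        return f"refused: {argv[0] if argv else '<empty>'} is not an allowed tool"
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout.strip()


def run_agent(llm, tools: dict, max_steps: int = 8) -> str:
    """Tool-calling loop with a hard step limit (the ASI09 mitigation).

    `llm` is a callable that receives the transcript so far and returns either
    {"tool": name, "input": text} or {"final": text}.
    """
    transcript = []
    for _ in range(max_steps):
        decision = llm(transcript)
        if "final" in decision:
            return decision["final"]
        tool = tools.get(decision["tool"])
        observation = tool(decision["input"]) if tool else f"unknown tool {decision['tool']!r}"
        transcript.append((decision, observation))
    raise StepLimitExceeded(f"no final answer after {max_steps} steps")


def looping_llm(transcript):
    """Constructed stand-in model that never finishes: every turn requests another tool call."""
    return {"tool": "shell", "input": "echo again"}


def finishing_llm(transcript):
    """Constructed stand-in model: one shell call carrying a shell-style injection, then a final answer."""
    if not transcript:
        return {"tool": "shell", "input": "echo hello; echo injected"}
    return {"final": transcript[-1][1]}


def bounded_run(llm, tools: dict, max_steps: int):
    """Return (finished, result): the answer on success, or the step budget that was exhausted."""
    try:
        return True, run_agent(llm, tools, max_steps)
    except StepLimitExceeded:
        return False, max_steps


if __name__ == "__main__":
    tools = {"shell": run_command}
    print(run_agent(finishing_llm, tools))          # hello; echo injected
    print(bounded_run(looping_llm, tools, 3))       # (False, 3)
    print(run_command("python3 -c 1"))              # refused: python3 is not an allowed tool
```

Note what the output of the first call shows: the text after the semicolon is printed by `echo` rather than executed, because no shell ever saw it. The step limit does not make the agent smarter; it turns a runaway loop into a visible, alertable error instead of an open-ended consumer of tool calls and tokens.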

Try It Yourself

pip install dfx-agentguard
agentguard . --format text

Scan your own agent code. The findings might surprise you.


AgentGuard is MIT-licensed and available on GitHub and PyPI. This scan was run against the LangChain commit current as of July 2, 2026, using AgentGuard v0.5.4.
