agentic-radar

CRITICAL VULNERABILITIES DETECTED: - Arbitrary Code Execution (ACE) via `eval()`: The `calculate` tool in `examples/openai-agents/mcp/multiple_servers_in_async_with/multiple_servers_in_async_with.py` directly uses `eval(expression)`, which is a severe vulnerability. If user input can reach this function, an attacker can execute arbitrary code on the host system. - Unrestricted External Command Execution: Examples utilize `MCPServerStdio` with `npx` or `uvx` to run external MCP servers (e.g., `@modelcontextprotocol/server-filesystem`, `mcp-server-git`). This introduces significant risks, as it allows the execution of unverified or potentially malicious external packages, especially if arguments can be manipulated by an attacker. - Potential Server-Side Request Forgery (SSRF): In `examples/openai-agents/mcp/sse_example/server.py`, `requests.get(f"{endpoint}/{city}")` is used, where `city` is derived from LLM input. While `wttr.in` is benign, this pattern could be exploited for SSRF if the target URL or input is manipulated to access internal network resources. - JSON Parsing Risks: `json.loads` is used in several places (e.g., `examples/langgraph/Gladiator2/nodes/researcher.py`, `examples/langgraph/Gladiator2/Tools/create_tools.py`). Although safer than `eval`, improper error handling for malformed JSON from untrusted sources could lead to denial of service. - Data Handling: The system processes sensitive employee data and supplier liability contracts. While `PIIProtectionStep` is noted for prompt hardening, comprehensive, system-level access control and sanitization are essential to prevent sensitive information disclosure across all data interactions.