Skip to Content
Core ConceptsCross-Framework Analysis

Cross-Framework Analysis

Inkog uses a unified analysis engine that works across all supported frameworks, providing consistent security results regardless of which tools you use.

The Challenge

AI agent codebases span multiple languages and frameworks:

  • Python agents built with LangChain, CrewAI, or AutoGen
  • TypeScript frontends with LlamaIndex
  • No-code workflows in n8n or Flowise
  • Custom agents mixing multiple languages

Traditional security tools require separate analyzers for each, missing cross-boundary vulnerabilities.

How Inkog Solves This

Inkog analyzes all supported frameworks using the same detection rules:

Your Code → Inkog Analysis → Security Report

This means:

  • Consistent detection - The same vulnerability patterns are caught whether you use LangChain or n8n
  • Framework-agnostic rules - Security rules apply across all frameworks
  • Cross-language analysis - Vulnerabilities that span Python and JavaScript are detected

What Gets Analyzed

Inkog examines:

  • User input handling - How external data enters your agent
  • LLM interactions - Prompts, completions, and tool calls
  • Data flow - How information moves through your application
  • Dangerous operations - Code execution, file access, database queries

Supported Input Types

TypeExamples
Python code.py files with LangChain, CrewAI, etc.
JavaScript/TypeScript.js, .ts files
Workflow definitionsn8n, Flowise JSON exports
Configuration filesYAML/JSON configs

Example

Whether your code looks like this:

# Python with LangChain
def chat(user_input):
    return llm.invoke(f"Answer: {user_input}")

Or this:

{
  "nodes": [{
    "type": "openai",
    "parameters": {
      "prompt": "={{ $json.body.message }}"
    }
  }]
}

Inkog detects the same prompt injection vulnerability in both.

The “Universal” Prefix

You’ll notice pattern names like universal_prompt_injection or universal_infinite_loop. The “Universal” prefix indicates:

  1. Framework-agnostic: The same pattern detects issues across all frameworks
  2. Language-independent: Works for Python, JavaScript, TypeScript, and JSON workflows
  3. IR-based: Detection operates on the normalized intermediate representation, not raw code

Why This Matters

Traditional tools need separate rules for each framework:

langchain_prompt_injection
crewai_prompt_injection
n8n_prompt_injection

Inkog uses a single universal pattern that catches the vulnerability regardless of how it’s expressed:

universal_prompt_injection → Works for all frameworks

This means:

  • Fewer false negatives: New frameworks get coverage automatically
  • Consistent severity: The same vulnerability gets the same score everywhere
  • Simpler maintenance: One pattern to update, not dozens

When you see “Universal” in a finding name, it means Inkog detected the pattern through its framework-agnostic analysis engine, not through framework-specific rules.

Last updated on
OverviewConfidence Calibration