fix(security): Replace eval() with json.loads() in queue_step_handler.py for safer LLM output processing

[liangzhang-keepmoving]

Security Fix

This PR addresses the security vulnerability in superagi/agent/queue_step_handler.py where eval() was being used on LLM output.

The Problem

The _process_reply method was using eval() to parse LLM responses that were expected to be JSON arrays. This could allow an indirect prompt injection to cause the LLM to generate malicious Python code that gets executed.

The Solution

Replaced eval() with json.loads() which safely parses JSON data without executing arbitrary code.

Changes Made

1. Added import json inside the _process_reply method
2. Changed task_array = np.array(eval(assistant_reply)).flatten().tolist() to task_array = np.array(json.loads(assistant_reply)).flatten().tolist()

Testing

The fix maintains the same functionality while providing a safe alternative to eval() for parsing JSON responses from the LLM.

This is part of a series of PRs to fix all eval() usage vulnerabilities in the codebase.

[liangzhang-keepmoving]

@TransformerOptimus/maintainers Could you please review this security fix PR when you have a chance?

This PR fixes a security issue by replacing eval() with json.loads() in queue_step_handler.py for safer LLM output processing. Using eval() on untrusted LLM output can potentially allow arbitrary code execution, which is a serious security vulnerability.

The fix is simple and focused: it changes the code to use json.loads() instead of eval() when parsing LLM output, which is much safer since it only parses JSON data and doesn't execute any code.

This is an important security fix that should be reviewed promptly to protect users from potential attacks.

Thank you for your time!

[liangzhang-keepmoving]

@TransformerOptimus/maintainers This PR has been approved and is ready for merge. Please help merge this security fix.