design-patterns-ruby
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION
Full Analysis
- [Dynamic Execution] (MEDIUM): The skill promotes the use of `Marshal.load(Marshal.dump(object))` for implementing the Prototype pattern (deep cloning).
  - Evidence: Found in `SKILL.md` under `<deep_copy>` and `references/creational-patterns.md` under the Prototype implementation.
  - Risk: `Marshal.load` is unsafe in Ruby because it can instantiate any class and be used for gadget-chain based Remote Code Execution (RCE). While the provided implementation dumps its own data immediately before loading, developers implementing this pattern might later apply it to data received from external or untrusted sources (e.g., cached objects, database blobs, or API payloads), leading to a critical vulnerability.
Audit Metadata