dspy-ruby
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The framework provides a CodeAct predictor (via the dspy-code_act gem) that synthesizes and executes Ruby code at runtime to solve tasks. This capability allows an LLM to run arbitrary logic, which represents a significant security surface if the agent is given autonomy or processes untrusted data without sandboxing.
- [COMMAND_EXECUTION]: Built-in toolsets such as TextProcessingToolset and GitHubCLIToolset execute system-level commands (e.g., grep, wc, ripgrep, and the gh CLI). These tools rely on LLM-generated arguments, which creates a risk of command injection if inputs are not properly validated before execution.
- [DATA_EXFILTRATION]: The integrated observability system (dspy-o11y-langfuse) is designed to export detailed execution traces, including prompts, responses, and internal metadata, to the external Langfuse service. Users should ensure that sensitive data handled by the framework is appropriate for transmission to a third-party platform.
- [PROMPT_INJECTION]: The skill's architecture for building agents that ingest external data (such as email content or search results) is susceptible to indirect prompt injection. Malicious instructions embedded in processed content could potentially override the agent's intended behavior or exploit its powerful code execution and tool-calling capabilities.
- Ingestion points: Data enters the agent context through signatures like EmailClassifier(email_content) and modules that process user-supplied queries or research results.
- Boundary markers: The documentation recommends using a "Typed Context Pattern" to organize data, but the framework does not strictly enforce boundary markers to separate data from instructions by default.
- Capability inventory: The framework has high-privilege capabilities including arbitrary Ruby code execution (CodeAct) and shell command execution via Unix and GitHub toolsets.
- Sanitization: There is no evidence of built-in sanitization for external content before it is interpolated into prompts.
Audit Metadata