ruby-llm
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (LOW): Vulnerable to indirect prompt injection (Category 8).
  1. Ingestion points: User messages and file uploads (PDF, images) processed in references/chat-api.md and references/rails-integration.md.
  2. Boundary markers: Uses chat.with_system for context, but lacks explicit delimiters or instructions to ignore embedded commands in untrusted data.
  3. Capability inventory: Database persistence via acts_as_chat, tool execution via RubyLLM::Tool, and potential filesystem access via MCP.
  4. Sanitization: No explicit sanitization or validation of external content is demonstrated in the examples.
- [COMMAND_EXECUTION] (LOW): The embeddings reference (references/embeddings.md) suggests using Arel.sql with string interpolation for vector similarity searches. This violates best practice and could lead to SQL injection if the embedding input is not strictly validated as a numeric vector.
- [EXTERNAL_DOWNLOADS] (LOW): The MCP integration documentation (references/mcp-integration.md) recommends using npx to run Model Context Protocol servers, which may result in the download and execution of external Node.js packages at runtime.
Audit Metadata