rlm
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to use bash, find, and grep for codebase traversal, and specifically directs the execution of a Python script located at a hardcoded path (~/.claude/skills/rlm/rlm.py). Since this script is not part of the skill distribution, its behavior is unverifiable and presents a high risk if a malicious script is pre-placed on the system.
- [REMOTE_CODE_EXECUTION] (HIGH): The 'Recovery Mode' protocol explicitly directs the agent to 'write a Python script... and run it' to perform analysis. Dynamic generation and execution of arbitrary code provide a powerful primitive for attackers to execute malicious logic that escapes static analysis.
- [DATA_EXPOSURE] (MEDIUM): The primary purpose of the skill is to recursively scan 'all files' in 'large repositories'. This behavior can lead to the exposure of sensitive files such as environment variables (.env), SSH keys, or configuration secrets if they are present in the directory structure being scanned.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill is highly vulnerable to indirect prompt injection because it reads untrusted data from files and interpolates it directly into the prompts of sub-agents launched via background_task. Ingestion points: Any file within the analyzed codebase. Boundary markers: None (e.g., no XML tags or escaping used for {content}). Capability inventory: bash, python3, background_task. Sanitization: None provided.
Recommendations
- AI detected serious security threats
Audit Metadata