dspy
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documentation introduces the dspy.ProgramOfThought module, which is designed to generate and execute Python code at runtime to solve logic and math problems. This creates a primary attack surface where malicious input could influence the model to generate and execute unauthorized code.
- [COMMAND_EXECUTION]: The agent implementation examples in references/examples.md include a calculate tool that utilizes the Python eval() function to process mathematical expressions. Although it attempts to restrict the environment by removing builtins, eval() is a high-risk primitive that can be exploited for arbitrary code execution.
- [EXTERNAL_DOWNLOADS]: The installation instructions in SKILL.md suggest fetching the framework directly from a remote GitHub repository (github.com/stanfordnlp/dspy.git), which involves executing external code during the installation phase.
- [PROMPT_INJECTION]: The skill's architecture exhibits a surface for indirect prompt injection due to its integration with external data sources and powerful execution capabilities.
  1. Ingestion points: Data is ingested from Wikipedia summaries, web search results, and local document databases.
  2. Boundary markers: The framework uses Signatures to structure inputs, but lacks explicit delimiters or instructions to ignore embedded commands in the retrieved data.
  3. Capability inventory: The skill possesses the ability to execute generated Python scripts and use tools with expression evaluation access.
  4. Sanitization: The provided examples do not demonstrate sanitization or filtering of external content before it is processed by the language model or execution modules.
Audit Metadata