rwkv-architecture

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill processes untrusted external text inputs while possessing high-tier capabilities such as model execution and file writing.
    • Ingestion points: prompt in SKILL.md, long_document in SKILL.md, and user_1 in state-management.md.
    • Boundary markers: None identified.
    • Capability inventory: model.forward for execution and torch.save for file system writes.
    • Sanitization: No validation or filtering is implemented for external content.
  • [Dynamic Execution] (MEDIUM): The state management guide demonstrates using torch.load without the weights_only=True safety parameter.
    • Evidence: torch.load('conversation_state.pt') in state-management.md.
    • Risk: This pattern is vulnerable to arbitrary code execution via malicious pickle payloads if state files are obtained from untrusted sources.
  • [External Downloads] (LOW): The skill directs users to install several third-party packages via pip.
    • Finding: Commands to install rwkv, deepspeed, and ninja.
    • Status: Downgraded to LOW per trust rules, as the instructions point to the official PyTorch repository and established community libraries.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 11:25 PM