abductive-repl
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill runs julia -e from its Justfile, which executes whatever string it is handed as Julia code. It also exposes a REPL interface (Gay.repl()), which is dynamic code execution by design. This is a risk wherever an attacker can influence the strings passed to either.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill depends on a Julia project (Gay.jl) and a Python package (abductive_repl) that are not on the provided list of trusted sources, so their integrity cannot be verified.
- [DATA_EXPOSURE] (LOW): The configuration places the history file at ~/.abductive_history. This is standard for a REPL, but it is a write into the user's home directory, and a REPL history file retains whatever was typed at the prompt.
- [INDIRECT_PROMPT_INJECTION] (MEDIUM): The skill accepts external input (RGB values, IDs) through its commands and recipes. The provided documentation shows no explicit sanitization or boundary markers, so if those inputs are interpolated into shell commands or REPL evaluations they become an injection surface.
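The following is an added example (not code from Gay.jl, abductive_repl, or this audit) showing why the COMMAND_EXECUTION and INDIRECT_PROMPT_INJECTION findings compound: an RGB value concatenated into a julia -e program is evaluated as Julia, so a crafted value can run a shell command. The hardened version keeps the -e program constant, validates the triple, and passes the numbers through Julia's ARGS. The show_color function, the recipe shape, and the payload are all assumptions constructed for illustration.

```python
import re
import shlex

# Constructed payload: Julia code spliced into an RGB field. Inside the -e
# program the ")" closes the call and run(...) launches a shell command.
INJECTED_RGB = "255,0,0); run(`touch /tmp/pwned`); (1"

RGB_RE = re.compile(r"^\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*$")


def parse_rgb(text: str) -> tuple[int, int, int]:
    """Accept exactly three decimal components in 0..255 and nothing else."""
    m = RGB_RE.match(text)
    if m is None:
        raise ValueError(f"not an RGB triple: {text!r}")
    r, g, b = (int(x) for x in m.groups())
    if max(r, g, b) > 255:
        raise ValueError(f"component out of range: {text!r}")
    return r, g, b


def unsafe_command(rgb_text: str) -> str:
    """The pattern the finding warns about: input concatenated into the -e program.
    show_color is a hypothetical Julia function, not Gay.jl's API."""
    return f"julia -e 'show_color({rgb_text})'"


def safe_command(rgb_text: str) -> list[str]:
    """Fixed -e program; validated values travel through ARGS, never through code.
    Argument list form also avoids shell word splitting entirely."""
    r, g, b = parse_rgb(rgb_text)
    program = "r, g, b = parse.(Int, ARGS); show_color(r, g, b)"
    return ["julia", "-e", program, str(r), str(g), str(b)]


def evaluated_program(command_line: str) -> str:
    """What julia would receive as its -e argument after shell word splitting."""
    argv = shlex.split(command_line)
    return argv[argv.index("-e") + 1]


if __name__ == "__main__":
    # The unsafe recipe hands the injected run(...) call to julia as code.
    print(evaluated_program(unsafe_command(INJECTED_RGB)))
    # The hardened recipe only ever executes the constant program.
    print(safe_command("255,0,0"))
    try:
        safe_command(INJECTED_RGB)
    except ValueError as exc:
        print("rejected:", exc)
```

The same split applies to the IDs the recipes take: validate them against the exact shape expected and pass them as separate argv entries (or via ARGS in the REPL case) rather than splicing them into the string that julia -e or Gay.repl() will evaluate.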
Audit Metadata