dspy-core
Warn
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script scripts/test-signature.py uses importlib.import_module to dynamically load Python modules based on user-provided CLI arguments, allowing for the execution of arbitrary module-level code during initialization.
- [REMOTE_CODE_EXECUTION]: Documentation in references/programs.md demonstrates loading compiled programs using dspy.load(..., allow_pickle=True). Deserializing untrusted data with pickle is an unsafe pattern that can lead to arbitrary code execution.
- [COMMAND_EXECUTION]: scripts/clear-cache.py performs recursive directory deletion using shutil.rmtree on a path controlled by the --cache-dir argument, which could be exploited to delete arbitrary directories.
- [PROMPT_INJECTION]: Template files and documentation (e.g., assets/templates/program-template.py) demonstrate patterns where untrusted external data is passed directly to LLM components without sanitization or boundary markers, creating a surface for indirect prompt injection.
- Ingestion points: the input_data argument in various module templates within assets/templates/program-template.py.
- Boundary markers: None identified; input is interpolated directly into DSPy predictors.
- Capability inventory: The skill includes scripts for file system modification (clear-cache.py) and dynamic code loading (test-signature.py).
- Sanitization: No validation or escaping is applied to external content before processing.