rlm-distill-agent
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its core distillation process.\n
- Ingestion points: The agent is instructed to read the entire content of uncached files (using the
Readtool) identified as missing from the ledger.\n - Boundary markers: The instructions lack delimiters or safety warnings to distinguish between the file's data and the agent's instructions, specifically directing the agent to 'read deeply' for distillation.\n
- Capability inventory: The agent possesses
BashandWritecapabilities, enabling shell command execution and file system modifications if triggered by content within a summarized file.\n - Sanitization: No sanitization, escaping, or validation is performed on the content of the files before they are processed by the agent.\n- [COMMAND_EXECUTION]: The skill relies on the execution of local Python scripts to manage the summary cache.\n
- Evidence: The skill commands the use of
inventory.pyandinject_summary.pylocated within the skill's internal directory structure to identify missing files and update the cache ledger.\n- [EXTERNAL_DOWNLOADS]: The skill references external AI models and services for handling large batches of summarization tasks.\n - Evidence: The documentation suggests delegating tasks to an 'agent swarm' using services like Copilot, Gemini, and Claude. These are well-known technology services and represent standard integration for high-throughput tasks.
Audit Metadata