rlm-init
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands such as `mkdir -p` and `echo "{}" >` using variables provided by the user (e.g., `<profiles_dir>`, `<cache_path>`). This pattern introduces a risk of command injection or unauthorized file system modification if the user-supplied strings are not properly validated or sanitized by the agent platform before execution.
- [PROMPT_INJECTION]: The 'Serial Agent Distillation' process in Step 6 involves reading and summarizing arbitrary project files. This creates an indirect prompt injection attack surface where malicious instructions embedded in the files being processed could influence the agent's behavior during the summarization task.
  - Ingestion points: Local files and folders identified for caching (e.g., docs, scripts, configs) as specified in the manifest file.
  - Boundary markers: The instructions do not define specific delimiters or 'ignore' instructions for the agent when processing the content of the files for distillation.
  - Capability inventory: The skill performs file system writes (`rlm_profiles.json`, cache files), directory creation, and subprocess execution via `python3` for auditing and inventory purposes.
  - Sanitization: There is no evidence of content sanitization or validation protocols to protect the agent from embedded instructions in the ingested file data.
Audit Metadata