rulesync
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation documentation suggests installing the tool by piping a remote shell script directly into bash (curl | bash), which is a common but inherently risky method for executing unverified code.
- [COMMAND_EXECUTION]: The tool implements a hook system (hooks.json) that permits the automatic execution of arbitrary shell commands and local scripts on specific lifecycle events such as session start or post-tool use.
- [REMOTE_CODE_EXECUTION]: The MCP server configuration (mcp.json) supports commands like npx and uvx, which are designed to download and execute packages or code from remote repositories at runtime.
- [PROMPT_INJECTION]: The skill describes an attack surface for indirect prompt injection where the tool fetches and processes rule files from external repositories (rulesync fetch and install). Ingestion points: Remote Git repositories (GitHub/GitLab) and local rule files. Boundary markers: None documented to prevent the agent from obeying instructions embedded in the data. Capability inventory: Execution of arbitrary shell hooks and MCP-based subprocesses. Sanitization: No documented validation or sanitization process for remote rule content.
- [COMMAND_EXECUTION]: Manual installation instructions include the use of sudo to move the downloaded binary into system-level execution paths like /usr/local/bin/.
- [EXTERNAL_DOWNLOADS]: The CLI provides built-in functionality for fetching rules, installing skills from declarative sources, and performing self-updates from GitHub.
Audit Metadata