restate
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- External Downloads / Remote Code Execution (HIGH): The file references/local-dev.md provides shell commands to download Restate Server and CLI binaries from restate.gateway.scarf.sh and GitHub releases under the restatedev organization. As neither the domain nor the organization is in the pre-approved trusted list, these instructions direct the agent to execute untrusted code.
  - Evidence: curl -L --remote-name-all https://restate.gateway.scarf.sh/latest/restate-{server,cli}-$RESTATE_PLATFORM.tar.xz in references/local-dev.md.
- Privilege Escalation (HIGH): Installation instructions in references/local-dev.md suggest using sudo to move downloaded binaries into system-wide execution paths.
  - Evidence: sudo mv restate $BIN && sudo mv restate-server $BIN in references/local-dev.md.
- Indirect Prompt Injection (HIGH): The skill provides patterns for building stateful handlers that ingest external, untrusted data from webhooks (references/guide-durable-webhooks.md) and Kafka topics (references/invoke-kafka.md). Given that Restate handlers have powerful capabilities like ctx.run (arbitrary code execution) and state management, this creates a significant attack surface if the input data contains malicious instructions.
  - Ingestion points: references/guide-durable-webhooks.md, references/invoke-kafka.md.
  - Boundary markers: Absent.
  - Capability inventory: Durable execution of arbitrary code via ctx.run, durable K/V state access, and external service calls (ctx.serviceClient).
  - Sanitization: Not provided in the documentation templates.
Recommendations
- AI detected serious security threats
Audit Metadata