sruja-architecture

Fail

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructions and helper scripts (found in SKILL.md, scripts/README.md, and agents/skill.yaml) suggest installing the Sruja CLI using 'curl -fsSL https://sruja.ai/install.sh | bash'. This pattern involves executing remote code directly in the shell. While the domain belongs to the skill author, it is a significant execution vector.
  • [EXTERNAL_DOWNLOADS]: The skill references and downloads configuration and scripts from the author's official domains and repositories, specifically sruja.ai and github.com/sruja-ai/sruja.
  • [COMMAND_EXECUTION]: The skill contains shell scripts (scripts/collect-evidence.sh and scripts/validate-refine.sh) that execute the sruja CLI for tasks like 'discover', 'lint', and 'drift', and manage local file creation for results.
  • [PROMPT_INJECTION]: The skill exhibits risk for indirect prompt injection (Category 8).
      1. Ingestion points: The skill reads local repository metadata and code structures through 'sruja discover' and file reads of '.sruja/context.json'.
      2. Boundary markers: There are no explicit instructions or delimiters used to prevent the LLM from obeying instructions embedded in the analyzed code.
      3. Capability inventory: The skill can execute subprocesses via the 'sruja' CLI and perform file system writes (e.g., repo.sruja).
      4. Sanitization: No evidence of sanitization or escaping is present for the data gathered from the analyzed repository.
Recommendations
  • HIGH: Downloads and executes remote code from: https://sruja.ai/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 18, 2026, 04:22 AM