ruby-version-manager
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Dynamic Execution (MEDIUM): The skill's primary mechanism relies on executing dynamically generated shell commands. Specifically, `SKILL.md` instructs the agent to use an `ACTIVATION_COMMAND` provided by `detect.sh` (a file referenced but not included in the provided set). Common examples include `eval "$(rbenv init -)"` and `source .../chruby.sh`. These patterns execute shell code generated or loaded at runtime, which is a high-risk pattern if the source output is compromised.
- Indirect Prompt Injection (LOW): The skill proactively reads untrusted files from the project directory (e.g., `Gemfile`, `.ruby-version`, `.tool-versions`, `.mise.toml`). A malicious repository could craft these files to influence the agent's behavior or inject malicious strings into the variables parsed by the agent.
  - Ingestion points: `.ruby-version`, `.tool-versions`, `.mise.toml`, and `Gemfile` are read by `detect.sh` to determine versions.
  - Boundary markers: Absent; there are no instructions to ignore embedded commands within these project files.
  - Capability inventory: The agent is authorized to execute shell commands (`bash`), write configuration files (`~/.config/ruby-skills/preference.json`), and perform environment activation.
  - Sanitization: The provided scripts (e.g., `set-preference.sh`) include basic whitelisting for manager names, but the logic for parsing project files in the missing `detect.sh` cannot be verified.
- Command Execution (LOW): `detect-all-managers.sh` uses `timeout 1 bash -lc` to verify the presence of managers like `rbenv`, `rvm`, and `asdf`. Running commands within a login shell (`-l`) is an environment-sensitive operation that can be influenced by malicious shell profiles (e.g., `.bash_profile`).