gemini-rlm-min

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Threat categories: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Dynamic Execution (HIGH): The skill documentation indicates that runtime state is stored as 'pickle files' in the 'state/' directory. Deserializing untrusted data with 'pickle.load()' is a critical security flaw that allows arbitrary code execution. A malicious document processed by the skill could manipulate the content of these state files to execute commands.
  • Indirect Prompt Injection (LOW): The skill processes untrusted documents provided via the '--context' parameter. Mandatory Evidence:
    1. Ingestion points: The 'gem_rlm.py' orchestrator reads local files.
    2. Boundary markers: No delimiters are specified to separate document content from processing instructions.
    3. Capability inventory: The skill has 'Bash' permissions and executes local Python scripts.
    4. Sanitization: No sanitization of ingested content is mentioned.
  • Command Execution (MEDIUM): The skill uses 'Bash' and persistent Python REPL environments to process data. This is a significant capability set that could be abused if the agent is compromised by malicious document content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:46 PM