dspy-ruby
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The framework supports dynamic code synthesis and execution through the
dspy-code_actgem. - Evidence: Documentation in
references/core-concepts.mddescribes a "Think-Code-Observe" agent that executes synthesized Ruby code. - [COMMAND_EXECUTION]: The skill includes a toolset for interacting with the GitHub CLI (
gh). - Evidence:
references/toolsets.mddefines theGitHubCLIToolset, which executes shell commands to perform GitHub operations like listing issues or making API requests. - [PROMPT_INJECTION]: The skill is designed to ingest and process untrusted external data, creating a surface for indirect prompt injection.
- Ingestion points: The
EmailClassifiersignature inSKILL.mdand various text-processing tools inreferences/toolsets.mdingest raw strings from external sources. - Boundary markers: The framework uses JSON schemas and structured outputs, but lacks explicit instructional delimiters to isolate untrusted content from system instructions.
- Capability inventory: The agent possesses high-impact capabilities including dynamic Ruby execution (
CodeAct) and GitHub CLI access. - Sanitization: While the framework enforces Sorbet types and filters internal metadata discriminators, it does not provide built-in sanitization for natural language content ingested into prompts.
Audit Metadata