dspy-ruby
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The framework includes a `CodeAct` agent (described in `references/core-concepts.md`) which is designed to synthesize and execute Ruby code at runtime based on LLM reasoning. This creates a risk of dynamic code execution if the agent's logic is manipulated by untrusted input.
- [COMMAND_EXECUTION]: The `GitHubCLIToolset` (documented in `references/toolsets.md`) wraps the `gh` command-line interface, allowing the agent to execute shell commands to interact with GitHub repositories. Although intended for read-only tasks, this provides a mechanism for system command execution.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection, as it processes untrusted inputs (e.g., email content in `SKILL.md` or user queries in `references/toolsets.md`) which are then interpolated into prompts driving powerful tools or code execution engines.
- Ingestion points: Data enters through signatures like `EmailClassifier` in `SKILL.md` and input fields in toolsets.
- Boundary markers: There are no explicit delimiters or "ignore embedded instructions" warnings shown in the signature or module templates to prevent the LLM from obeying instructions within the processed data.
- Capability inventory: The skill possesses significant capabilities, including arbitrary Ruby code execution (`CodeAct`) and shell command execution (`GitHubCLIToolset`).
- Sanitization: While the framework enforces structure through Sorbet types, it does not demonstrate automated sanitization or escaping of the natural-language content before it reaches the language model.
Audit Metadata