dspy-ruby
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The SKILL.md file includes a 'Guidelines for Claude' section that provides specific behavioral instructions and best practices for the AI model when interacting with the framework.
- [COMMAND_EXECUTION]: The GitHubCLIToolset described in references/toolsets.md wraps the official GitHub CLI (gh), allowing the agent to execute system commands for repository management.
- [REMOTE_CODE_EXECUTION]: The framework includes DSPy::CodeAct, a module that enables agents to synthesize and execute dynamic Ruby code to perform calculations or complex logic as part of a 'Think-Code-Observe' loop.
- [EXTERNAL_DOWNLOADS]: The documentation references several external Ruby gems used as provider adapters and extensions, including dspy-openai, dspy-anthropic, dspy-gemini, and ruby_llm.
- [DATA_EXFILTRATION]: The observability suite in references/observability.md is designed to export telemetry, traces, and evaluation scores to Langfuse (cloud.langfuse.com) for application monitoring.
- [INDIRECT_PROMPT_INJECTION]: The framework's architecture for building agents that ingest external data (e.g., via GitHub CLI or web tools) presents an indirect injection surface.
  - Ingestion points: Data retrieved via GitHubCLIToolset (issue bodies, PR descriptions) or other tool observations entered into the agent's context.
  - Boundary markers: The framework utilizes structured data formats like TOON (which uses fences) and JSON Schema to delimit LLM inputs and outputs.
  - Capability inventory: High-privilege capabilities include CodeAct (Ruby execution) and GitHubCLIToolset (shell execution via CLI).
  - Sanitization: The framework mitigates risks by enforcing strict Sorbet type validation (T::Struct, T::Enum) and JSON schema compliance for all tool and signature interactions.
Audit Metadata