
rlm

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Threat categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): Arbitrary File Read Vulnerability in read_chunk tool.
      • Evidence: In extensions/rlm_tools.ts, the read_chunk tool accepts an absolute path parameter and uses resolve(ctx.cwd, path) before calling readFile.
      • Risk: In Node.js, path.resolve with an absolute path as the second argument returns that absolute path, bypassing any intended directory restrictions. This allows the agent to read sensitive files anywhere on the host system (e.g., ~/.ssh/id_rsa, /etc/passwd).
  • [COMMAND_EXECUTION] (HIGH): Risk of Code Execution via Agent-Controlled REPL.
      • Evidence: The skill documentation (SKILL.md) and examples (e.g., examples/01_basic_workflow.py) show that the agent is encouraged to construct and execute Python code via the rlm_repl.py script using the exec -c flag.
      • Risk: This provides a direct path to Remote Code Execution (RCE) on the host. While part of the skill's design, it becomes a critical vulnerability when combined with the lack of input sanitization for the data being processed.
  • [PROMPT_INJECTION] (HIGH): High Vulnerability to Indirect Prompt Injection (Category 8).
      • Ingestion Points: Large untrusted files (logs, transcripts, scraped pages) are loaded via rlm_repl.py init.
      • Boundary Markers: None. The instructions and documentation do not mention any delimiters or instructions to ignore embedded commands in the processed data.
      • Capability Inventory: The skill has access to subprocess.run (via Python scripts), file read/write (via write_chunks and read_chunk), and the ability to trigger further LLM sub-agents (rlm-subcall).
      • Sanitization: None. Data is processed raw and passed to the REPL and sub-agents.
      • Risk: An attacker could embed malicious instructions in a log file or document that, when 'analyzed' by the agent, triggers the execution of malicious Python code or exfiltrates sensitive data using the read_chunk tool.
  • [NO_CODE] (MEDIUM): Missing Core Script.
      • Evidence: The core logic file scripts/rlm_repl.py is referenced throughout the skill (README, SKILL.md, tests) but is absent from the provided file set. This prevents a full audit of the most sensitive component, which handles code execution and state serialization.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:36 AM