dspy

Warn

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill includes code examples that utilize dynamic execution, such as the calculate tool in references/modules.md and references/examples.md which uses the eval() function on input strings. This pattern can lead to arbitrary code execution if inputs are not properly sanitized.
  • [REMOTE_CODE_EXECUTION]: The framework's dspy.ProgramOfThought module, highlighted in SKILL.md and references/modules.md, is designed to generate and execute Python code at runtime to solve problems, which introduces a dynamic execution attack vector.
  • [REMOTE_CODE_EXECUTION]: The installation instructions in SKILL.md provide a method for downloading and installing the framework directly from a remote Git repository (https://github.com/stanfordnlp/dspy.git).
  • [PROMPT_INJECTION]: The skill describes building systems that process external and untrusted data (RAG and Agents), creating an indirect prompt injection surface.
  • Ingestion points: Data enters the system via dspy.Retrieve in SKILL.md and references/examples.md, as well as tool outputs like search_wikipedia in references/examples.md.
  • Boundary markers: The provided implementation examples do not use delimiters or explicit instructions to distinguish between system instructions and retrieved data.
  • Capability inventory: The skill exhibits capabilities for dynamic code execution (eval, ProgramOfThought) and file/database interaction (ChromadbRM).
  • Sanitization: No input validation or sanitization logic is demonstrated for handling data retrieved from external sources.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 29, 2026, 12:55 AM
Security Audit — agent-trust-hub — dspy