rlm
Warn
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/rlm_repl.py is designed to execute arbitrary Python code provided via command-line arguments or standard input using the exec() function. This is the core functionality of the skill (a 'mini-REPL'). While intended for data processing, it allows any Python command to be run in the local environment.
- [DYNAMIC_EXECUTION]: The cmd_exec function in scripts/rlm_repl.py passes user-supplied code directly to exec(code, env, env). This creates a persistent environment in which variables and state are maintained across multiple invocations.
- [UNSAFE_DESERIALIZATION]: The script uses the pickle module to save and load the execution state to/from a local file (.claude/rlm_state/state.pkl). Because pickle.load() can execute arbitrary code during deserialization, a malicious actor who can modify the state file could gain code execution the next time the skill runs.
- [DATA_EXFILTRATION]: The skill is specifically designed to ingest large context files (logs, docs, etc.) into a local Python environment. There is no hardcoded exfiltration URL, but the combination of arbitrary code execution (exec) and access to sensitive local files (read via _read_text_file) provides a capability surface for data exfiltration if the agent is prompted to send the context externally.
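The UNSAFE_DESERIALIZATION finding above is the one a maintainer can actually close without changing what the skill does. The following is an added example written for this audit page, not code from the rlm skill or from Gen Agent Trust Hub; the file layout, function names, key and sample state are all constructed for illustration. It shows a state file that carries an HMAC-SHA256 tag, so a file modified outside the skill is rejected before pickle runs, and a restricted Unpickler that refuses every global reference outside a small allowlist, so even a correctly tagged file cannot smuggle in an os.system call through __reduce__. The second layer is the important one: a local attacker who can write .claude/rlm_state/state.pkl as the same user can usually read the HMAC key too, so the tag only detects out-of-band tampering. If the persisted state is plain data, JSON removes the problem entirely; the restricted loader is for the case where pickle is kept.

```python
import hashlib
import hmac
import io
import os
import pickle
import tempfile

# Constructed example, not the rlm skill's own code. Two defences for a
# pickle-backed REPL state file: an HMAC tag over the payload, and an
# Unpickler that can only rebuild plain data, never call arbitrary globals.

# Globals that may be referenced from the pickle stream. Basic containers and
# scalars use dedicated opcodes and never go through find_class; the entries
# below cover types that older protocols serialise via a GLOBAL reference.
_ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytearray"),
    ("builtins", "complex"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every GLOBAL/STACK_GLOBAL reference outside the allowlist."""

    def find_class(self, module, name):
        if (module, name) in _ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that only rebuilds plain data."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def save_state(path: str, env: dict, key: bytes) -> None:
    """Serialise the REPL environment, prefixed with an HMAC-SHA256 tag."""
    payload = pickle.dumps(env, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    # Owner-only permissions and an atomic rename, so another local user
    # cannot pre-create or swap the file while it is being written.
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(tag + payload)
    os.replace(tmp, path)


def load_state(path: str, key: bytes) -> dict:
    """Check the tag first; only then hand the bytes to the restricted loader."""
    with open(path, "rb") as f:
        blob = f.read()
    tag, payload = blob[:32], blob[32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("state file failed integrity check; refusing to unpickle")
    return restricted_loads(payload)


class _Malicious:
    """Stand-in for an attacker-crafted object. A real payload would return
    (os.system, ("...",)); os.getcwd is used here so the demo stays harmless
    even if the restriction were removed."""

    def __reduce__(self):
        return (os.getcwd, ())


def demo() -> dict:
    """Round-trip a benign state, then show both defences rejecting tampering."""
    key = b"constructed-demo-key-replace-with-a-real-secret"  # assumption: key kept outside the state dir
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "state.pkl")
        env = {"counter": 3, "lines": ["a", "b"], "seen": {1, 2}}  # constructed REPL state
        save_state(path, env, key)
        results["roundtrip"] = load_state(path, key) == env

        # 1. Flip one payload byte: the HMAC check fails before pickle runs.
        with open(path, "r+b") as f:
            f.seek(32)
            first = f.read(1)
            f.seek(32)
            f.write(bytes([first[0] ^ 0xFF]))
        try:
            load_state(path, key)
            results["tamper_detected"] = False
        except ValueError:
            results["tamper_detected"] = True

        # 2. A __reduce__ payload is refused by find_class, never executed.
        evil = pickle.dumps(_Malicious())
        try:
            restricted_loads(evil)
            results["reduce_blocked"] = False
        except pickle.UnpicklingError:
            results["reduce_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dict with all three checks true. Note what the allowlist implies for the skill: if cmd_exec stores user-defined classes or functions in env, a restricted loader will reject them, which is the correct outcome, since those are exactly the objects whose reconstruction runs code.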
Audit Metadata