rallish-operator

Fail

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructions in SKILL.md and SKILL.ko.md recommend a bootstrap method that pipes a remote shell script from GitHub directly into the shell (e.g., curl -fsSL ... | sh). This is a high-risk pattern as it executes unverified code from a remote source.
  • [EXTERNAL_DOWNLOADS]: The scripts/install-binary.sh script downloads compiled binary archives from the jazz1x/rallish repository on GitHub.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data processing logic.
  • Ingestion points: Turn history and user/agent notes are read from ~/.rallish/sessions/<id>/log.jsonl.
  • Boundary markers: There are no markers or instructions to ignore embedded commands within the ingested log data.
  • Capability inventory: The skill uses Bash to execute commands and Read for file system access across all scripts.
  • Sanitization: The skill does not perform sanitization or validation on the "notes" received from other rally participants before incorporating them into its response logic.
  • [COMMAND_EXECUTION]: The skill executes various system commands, including the rallish CLI for session management, make build for local compilation, and rm -f for deleting socket files during crash recovery.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/jazz1x/rallish/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 18, 2026, 09:15 PM
Security Audit — agent-trust-hub — rallish-operator