rallish-operator
Fail
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructions in SKILL.md and SKILL.ko.md recommend a bootstrap method that pipes a remote shell script from GitHub directly into the shell (e.g.,
curl -fsSL ... | sh). This is a high-risk pattern as it executes unverified code from a remote source. - [EXTERNAL_DOWNLOADS]: The
scripts/install-binary.shscript downloads compiled binary archives from thejazz1x/rallishrepository on GitHub. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data processing logic.
- Ingestion points: Turn history and user/agent notes are read from
~/.rallish/sessions/<id>/log.jsonl. - Boundary markers: There are no markers or instructions to ignore embedded commands within the ingested log data.
- Capability inventory: The skill uses
Bashto execute commands andReadfor file system access across all scripts. - Sanitization: The skill does not perform sanitization or validation on the "notes" received from other rally participants before incorporating them into its response logic.
- [COMMAND_EXECUTION]: The skill executes various system commands, including the
rallishCLI for session management,make buildfor local compilation, andrm -ffor deleting socket files during crash recovery.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/jazz1x/rallish/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata