Gen Agent Trust Hub audit: rlm (skills/jdubray/puffin/rlm)

Status: Warn

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DYNAMIC_EXECUTION]: The script scripts/rlm_repl.py calls exec() on arbitrary Python code supplied through command-line arguments or standard input. This gives the agent the ability to run any Python statement in the local environment.
  • [DYNAMIC_EXECUTION]: The skill uses pickle.load() in scripts/rlm_repl.py to restore state from a local file (.claude/rlm_state/state.pkl). Because unpickling untrusted data can execute arbitrary code, an attacker or malicious process that modifies this state file can achieve arbitrary code execution the next time the REPL is initialized or used.
  • [INDIRECT_PROMPT_INJECTION]: The skill's core purpose is to process large, untrusted context files, which represents a significant attack surface.
    ◦ Ingestion points: The init command in rlm_repl.py reads a user-specified context file and stores its content in the persistent state.
    ◦ Boundary markers: The skill neither suggests nor implements delimiters or 'ignore' instructions that would stop the agent from obeying commands embedded within the large context files.
    ◦ Capability inventory: The skill gives the agent full Python execution (exec), directory creation, file writing (write_chunks), and generic tool access (Bash, Write, Edit) to process the data.
    ◦ Sanitization: There is no evidence that the input data is sanitized or validated before it is loaded into the REPL environment or used by the agent and its subagents.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Apr 17, 2026, 01:36 AM