abductive-monte-carlo

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The Justfile contains a task that interpolates user-controlled variables directly into a shell command string.
  • Evidence: In SKILL.md, the abduce-proof command: emacs --batch -l causal-catcolab --eval "(abductive-mcmc-infer-proof-history \"$(goal)\" 5000)".
  • Risk: The use of $(goal) without sanitization allows an attacker to inject arbitrary Emacs Lisp or shell commands by providing a crafted goal string (e.g., using unbalanced quotes or command substitution).
  • [EXTERNAL_DOWNLOADS]: The skill refers to several external software packages and libraries required for its execution.
  • Evidence: Mentions of Julia packages Gay.jl, MonteCarloMeasurements, and AbductiveMC, along with the Emacs library causal-catcolab.
  • Note: These resources are documented as dependencies for the skill's logic.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 14, 2026, 12:17 AM
Security Audit — agent-trust-hub — abductive-monte-carlo