RubyGems · rubygems.org

appsignal

Rb Install Time System: Direct shell invocation paired with eval/dynamic-require/network/deserialize.

Why PkgRadar flagged 4.8.5

Severity	Signal	Evidence
high	Rb Install Time System	Direct shell invocation paired with eval/dynamic-require/network/deserialize. · Rakefile
high	Rb Install Time Backticks	Backtick / %x() shell-out paired with eval/dynamic-require/network/deserialize. · Rakefile
high	Rb Install Time Unsafe Deserialize	Marshal.load / YAML.unsafe_load — RCE if attacker-controlled. · Rakefile
medium	Rb Install Time Eval	eval / instance_eval / class_eval — evaluates Ruby from a string. · Rakefile

Scanned versions

Version	Verdict	Score	Scanned (UTC)
`4.8.5`	Review	58	2026-06-02

Block this in CI

PkgRadar gates appsignal (and every other dependency) before it merges. One line in your pipeline:

pkgradar gate --ecosystem rubygems [email protected]