fine-tuning-serving-openpi

Pass

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches the official OpenPI source code and pre-trained model weights from legitimate sources.
  • Downloads the main repository from https://github.com/Physical-Intelligence/openpi.git using git clone and synchronizes dependencies via uv sync.
  • Retrieves model checkpoints from Google Cloud Storage (gs://openpi-assets/checkpoints/) using gsutil.
  • Installs the openpi-client package directly from its official subdirectory in the OpenPI GitHub repository.
  • [COMMAND_EXECUTION]: The skill executes setup and runtime commands necessary for deep learning workflows.
  • Utilizes uv run to execute training, serving, and utility scripts (e.g., scripts/train.py, scripts/serve_policy.py).
  • Modifies the local Python environment by copying patch files directly into the installed transformers package directory (.venv/lib/python3.11/site-packages/transformers/) to ensure architectural compatibility for the Pi0 models.
  • [PROMPT_INJECTION]: The skill identifies an indirect prompt injection surface inherent to Vision-Language-Action (VLA) models.
  • Ingestion points: Untrusted data enters the agent context through the observation dictionary, specifically the prompt key (e.g., observation["prompt"] = "pick up the cup"), as documented in SKILL.md and references/remote-client-pattern.md.
  • Boundary markers: No explicit delimiter or "ignore instructions" markers are used in the prompt templates to separate user instructions from systemic task definitions.
  • Capability inventory: The skill's execution environment includes capabilities for shell command execution (uv run), file system writes (checkpointing), and network communication (WebSocket inference server).
  • Sanitization: No validation or sanitization of the natural language task prompts is documented prior to model inference.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 29, 2026, 12:55 AM
Security Audit — agent-trust-hub — fine-tuning-serving-openpi