fine-tuning-serving-openpi
Pass
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches the official OpenPI source code and pre-trained model weights from legitimate sources.
- Downloads the main repository from
https://github.com/Physical-Intelligence/openpi.gitusinggit cloneand synchronizes dependencies viauv sync. - Retrieves model checkpoints from Google Cloud Storage (
gs://openpi-assets/checkpoints/) usinggsutil. - Installs the
openpi-clientpackage directly from its official subdirectory in the OpenPI GitHub repository. - [COMMAND_EXECUTION]: The skill executes setup and runtime commands necessary for deep learning workflows.
- Utilizes
uv runto execute training, serving, and utility scripts (e.g.,scripts/train.py,scripts/serve_policy.py). - Modifies the local Python environment by copying patch files directly into the installed
transformerspackage directory (.venv/lib/python3.11/site-packages/transformers/) to ensure architectural compatibility for the Pi0 models. - [PROMPT_INJECTION]: The skill identifies an indirect prompt injection surface inherent to Vision-Language-Action (VLA) models.
- Ingestion points: Untrusted data enters the agent context through the
observationdictionary, specifically thepromptkey (e.g.,observation["prompt"] = "pick up the cup"), as documented inSKILL.mdandreferences/remote-client-pattern.md. - Boundary markers: No explicit delimiter or "ignore instructions" markers are used in the prompt templates to separate user instructions from systemic task definitions.
- Capability inventory: The skill's execution environment includes capabilities for shell command execution (
uv run), file system writes (checkpointing), and network communication (WebSocket inference server). - Sanitization: No validation or sanitization of the natural language task prompts is documented prior to model inference.
Audit Metadata