serving-llms-vllm

Fail

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The troubleshooting guide in references/troubleshooting.md instructs the user or agent to use sudo to modify system firewall settings (sudo ufw allow 8000), which involves privilege escalation and modification of system security posture.
  • [REMOTE_CODE_EXECUTION]: The skill documents and encourages the use of the --trust-remote-code flag (e.g., in SKILL.md and references/troubleshooting.md). This flag allows the vLLM engine to download and execute arbitrary Python code contained within a model's repository from remote sources like Hugging Face, which represents a significant risk if the model source is untrusted or compromised.
  • [PROMPT_INJECTION]: The batch processing workflow in SKILL.md includes a data ingestion point where prompts are read from an external file (prompts.txt) and passed directly to the LLM engine without sanitization or boundary markers, creating a surface for indirect prompt injection.
  • Ingestion points: SKILL.md (Batch inference workflow reads prompts.txt into the engine).
  • Boundary markers: None identified in the provided instructions or scripts.
  • Capability inventory: The skill facilitates inference calls, file writing (results.jsonl), and network service hosting via vllm serve.
  • Sanitization: None identified; raw input from the file is passed directly to the model.
  • [EXTERNAL_DOWNLOADS]: The skill depends on external package managers (pip) and remote model repositories (Hugging Face) to fetch necessary dependencies and model weights. While these target well-known services, they establish a dependency chain on external, third-party content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 29, 2026, 12:55 AM
Security Audit — agent-trust-hub — serving-llms-vllm