serving-llms-vllm
Fail
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The troubleshooting guide in
references/troubleshooting.mdinstructs the user or agent to usesudoto modify system firewall settings (sudo ufw allow 8000), which involves privilege escalation and modification of system security posture. - [REMOTE_CODE_EXECUTION]: The skill documents and encourages the use of the
--trust-remote-codeflag (e.g., inSKILL.mdandreferences/troubleshooting.md). This flag allows the vLLM engine to download and execute arbitrary Python code contained within a model's repository from remote sources like Hugging Face, which represents a significant risk if the model source is untrusted or compromised. - [PROMPT_INJECTION]: The batch processing workflow in
SKILL.mdincludes a data ingestion point where prompts are read from an external file (prompts.txt) and passed directly to the LLM engine without sanitization or boundary markers, creating a surface for indirect prompt injection. - Ingestion points:
SKILL.md(Batch inference workflow readsprompts.txtinto the engine). - Boundary markers: None identified in the provided instructions or scripts.
- Capability inventory: The skill facilitates inference calls, file writing (
results.jsonl), and network service hosting viavllm serve. - Sanitization: None identified; raw input from the file is passed directly to the model.
- [EXTERNAL_DOWNLOADS]: The skill depends on external package managers (
pip) and remote model repositories (Hugging Face) to fetch necessary dependencies and model weights. While these target well-known services, they establish a dependency chain on external, third-party content.
Recommendations
- AI detected serious security threats
Audit Metadata