verl-quickstart
Fail
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: Instructions in SKILL.md suggest using kill and kill -9 to terminate processes, which allows the agent to terminate arbitrary processes on the host system.
- [COMMAND_EXECUTION]: The docker run command in references/docker-ascend.md uses the --privileged flag, which grants the container elevated access to the host system and kernel.
- [COMMAND_EXECUTION]: In references/examples-scripts.md, the skill executes shell scripts using bash $RS, where the script path is derived from user-controllable input, potentially allowing execution of unintended code.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8).
- Ingestion points: User-provided variables such as SCRIPT_QUERY, MODEL_PATH, and RUN_SCRIPT in references/examples-scripts.md and SKILL.md.
- Boundary markers: Absent.
- Capability inventory: Shell command execution (bash), Docker management, and process termination (kill).
- Sanitization: User-controlled variables are interpolated directly into shell commands without validation or escaping.
- [EXTERNAL_DOWNLOADS]: Fetches Docker images from quay.io/ascend/verl and downloads model weights via modelscope, which are standard operations for the skill's purpose.
Recommendations
- AI detected serious security threats
Audit Metadata