vllm-ascend-server

Fail

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: HIGH

Tags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill provides deployment templates using sshpass with hardcoded password placeholders (-p 'password'), which encourages insecure credential handling and increases the risk of password exposure in shell history or process listings.
  • [COMMAND_EXECUTION]: The workflow includes instructions for the agent to terminate arbitrary system processes via kill -9 based on user-provided or discovered PIDs, which can lead to accidental or malicious system instability.
  • [COMMAND_EXECUTION]: Several Docker deployment templates recommend the use of the --privileged flag, which bypasses container isolation and grants the container full access to the host system resources and devices.
  • [REMOTE_CODE_EXECUTION]: Multiple configuration files and launch templates explicitly enable the --trust-remote-code flag for vLLM. This setting allows the execution of arbitrary Python code embedded within model repositories or weight files, posing a significant risk if the model source is compromised.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to perform runtime installation of Python packages (pip install vllm vllm-ascend) without version pinning or checksum verification, making it vulnerable to supply chain attacks or environment inconsistencies.
  • [DATA_EXFILTRATION]: The skill facilitates the transmission of commands and model configurations to remote servers via SSH, creating a pathway for sensitive data or model weights to be moved across network boundaries.
  • [INDIRECT_PROMPT_INJECTION]: The skill automatically discovers and parses external configuration files (config.json, quant_model_description.json) to dynamically generate shell commands for server deployment. This ingestion of untrusted data into command generation represents a potential injection vector.
    ◦ Ingestion points: Found in Phase 2 (Model Discovery), where it searches for and reads config.json files from paths like /home/weights.
    ◦ Boundary markers: No delimiters or safety warnings are present to prevent malicious instructions inside these metadata files from influencing the generated shell commands.
    ◦ Capability inventory: The skill possesses capabilities for shell execution, Docker management (docker run, docker exec), SSH communication, and process termination (kill -9).
    ◦ Sanitization: No evidence of sanitization or validation of the values extracted from the model configuration files was observed before they are interpolated into execution strings.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 18, 2026, 03:04 AM
Security Audit — agent-trust-hub — vllm-ascend-server