vllm-bench-serve
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUM. Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill's orchestration scripts, specifically `scripts/auto_optimize.py`, use `subprocess.run(shell=True)` to execute benchmark commands constructed from concatenated strings. Other scripts, such as `scripts/run_bench.sh` and `scripts/run_batch.sh`, use `bash -c` for similar purposes. Executing shell commands built from external or untrusted parameters without proper escaping is a known command injection risk.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting metadata from a remote inference service and using it in shell commands. In `scripts/probe_service.sh`, the skill fetches model identifiers and weight paths from the service's `/v1/models` endpoint. These values are used directly as command-line arguments in subsequent benchmarking phases without sanitization.
  - Ingestion points: Data enters the skill context through the service discovery process in `scripts/probe_service.sh`, which queries the target's `/v1/models` API.
  - Boundary markers: There are no boundary markers or instructions to isolate or ignore malicious content within the service-provided strings.
  - Capability inventory: The skill possesses extensive command execution capabilities through its various shell and Python scripts.
  - Sanitization: No sanitization, escaping, or validation of the model IDs or paths is performed before they are interpolated into shell commands.
- [EXTERNAL_DOWNLOADS]: The skill is designed to download datasets from HuggingFace Hub, which is a common and established service for hosting machine learning datasets.