hyperpod-nccl

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from pod logs, CloudWatch, and remote system logs (dmesg). An adversary with control over a training workload could inject instructions into logs intended to manipulate the agent's behavior.\n
  • Ingestion points: Pod logs retrieved via kubectl logs and aws logs filter-log-events in scripts/nccl-diagnose.sh, and hardware logs via aws ssm start-session.\n
  • Boundary markers: None are used to distinguish untrusted log data from agent instructions.\n
  • Capability inventory: The agent can execute aws CLI, kubectl, and suggest helm or pip commands to the user.\n
  • Sanitization: The diagnostic script uses pattern matching to find errors but does not sanitize the logs before they are presented to the agent for analysis.\n- [COMMAND_EXECUTION]: The skill provides a diagnostic bash script that executes numerous shell commands and suggests high-privilege remediation actions. These include modifying hardware PCI settings (setpci), restarting system services (systemctl), and modifying node lifecycle scripts (on_create.sh) for persistence on cluster nodes.\n- [REMOTE_CODE_EXECUTION]: The diagnostic script constructs and executes a bash payload on remote HyperPod compute nodes using aws ssm start-session. Although this is a standard mechanism for cluster diagnostics, it involves the dynamic execution of code on remote infrastructure and could be misused if the generation logic is compromised.\n- [CREDENTIALS_UNSAFE]: The documentation provides IAM policy templates with broad resource access (e.g., Resource: "*"). If users implement these without further restriction, it results in an over-privileged environment.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 12:02 PM
Security Audit — agent-trust-hub — hyperpod-nccl