hyperpod-nccl
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from pod logs, CloudWatch, and remote system logs (dmesg). An adversary with control over a training workload could inject instructions into logs intended to manipulate the agent's behavior.\n
- Ingestion points: Pod logs retrieved via
kubectl logsandaws logs filter-log-eventsinscripts/nccl-diagnose.sh, and hardware logs viaaws ssm start-session.\n - Boundary markers: None are used to distinguish untrusted log data from agent instructions.\n
- Capability inventory: The agent can execute
awsCLI,kubectl, and suggesthelmorpipcommands to the user.\n - Sanitization: The diagnostic script uses pattern matching to find errors but does not sanitize the logs before they are presented to the agent for analysis.\n- [COMMAND_EXECUTION]: The skill provides a diagnostic bash script that executes numerous shell commands and suggests high-privilege remediation actions. These include modifying hardware PCI settings (
setpci), restarting system services (systemctl), and modifying node lifecycle scripts (on_create.sh) for persistence on cluster nodes.\n- [REMOTE_CODE_EXECUTION]: The diagnostic script constructs and executes a bash payload on remote HyperPod compute nodes usingaws ssm start-session. Although this is a standard mechanism for cluster diagnostics, it involves the dynamic execution of code on remote infrastructure and could be misused if the generation logic is compromised.\n- [CREDENTIALS_UNSAFE]: The documentation provides IAM policy templates with broad resource access (e.g.,Resource: "*"). If users implement these without further restriction, it results in an over-privileged environment.
Audit Metadata