mlflow
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: Documentation includes the use of mlflow run with remote Git repository URLs, which allows for the execution of external code.
- [REMOTE_CODE_EXECUTION]: The custom model example utilizes pickle.load() for artifact loading, an unsafe deserialization pattern that can lead to code execution if artifacts are malicious.
- [COMMAND_EXECUTION]: The skill provides numerous CLI commands for tasks such as starting tracking servers, serving models, and executing projects.
- [CREDENTIALS_UNSAFE]: Examples in Docker Compose and backend store URI strings contain default credentials (mlflow:mlflow) and placeholders (user:pass).
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface.
  - Ingestion points: LLM prompt and response data logged in the GenAI tracking section (SKILL.md).
  - Boundary markers: None identified.
  - Capability inventory: CLI command execution and server operations (SKILL.md).
  - Sanitization: None identified for logged output.
- [EXTERNAL_DOWNLOADS]: Instructs on downloading and installing packages from public registries via pip.
Audit Metadata