asset-harvester

Pass

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Fetches source code from NVIDIA's official GitHub repository and model checkpoints from the 'nvidia/asset-harvester' Hugging Face repository. It also installs dependencies from the official PyTorch registry and the nerfstudio-project on GitHub.
  • [COMMAND_EXECUTION]: Uses Python's subprocess module in 'scripts/validate_setup.py' to verify system prerequisites such as NVIDIA drivers, GCC versions, and Conda availability. These checks are local and do not involve network execution.
  • [CREDENTIALS_UNSAFE]: Includes explicit guidance for handling Hugging Face authentication tokens (HF_TOKEN) securely. It provides code samples to verify token existence without leaking the secret to terminal logs or environment history.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes external data including autonomous vehicle sensor logs (NCore V4) and user-supplied images.
    • Ingestion points: 'image_root' (images/masks) and 'component_store' (NCore V4 clip manifests).
    • Boundary markers: Relies on structured data formats (JSON, Zarr) for parsing logs.
    • Capability inventory: Includes subprocess calls for inference and environment validation in 'scripts/validate_setup.py' and 'run.sh'.
    • Sanitization: Employs standard machine learning libraries (PyTorch, safetensors) for data ingestion, which inherently limits direct prompt injection risks compared to free-text processing.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 21, 2026, 08:50 PM