simready-foundation-create-package
Warn
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script assets/scripts/sr_pkg_sample/_conformance_writer.py contains multiple calls to the eval() function within build_asset_results. It processes strings for 'dependencies' and 'failing requirements' retrieved from the validation engine's summary. Using eval() on data that could be influenced by external assets is a dangerous practice, as it allows arbitrary code execution in the context of the writer. The safer ast.literal_eval() should be used for parsing Python literal structures.
- [EXTERNAL_DOWNLOADS]: The setup_venv.sh script and requirements-package-sample.txt facilitate the download and installation of Python packages from https://pypi.nvidia.com/. These resources originate from the vendor's own infrastructure and are used to establish the runtime environment for the skill's bundled scripts.
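The eval() versus ast.literal_eval() contrast behind the COMMAND_EXECUTION finding, shown as an added example written for this page; it is not code from the audited skill or its _conformance_writer.py. The function names, the sample summary strings and the harmless os.getpid() stand-in for a real payload are all constructed for the demonstration.

```python
import ast

# Constructed sample input (not from the audited project): the kind of
# repr()-style list a validation summary might hand to the writer.
SAFE_SUMMARY = "['dep_a', 'dep_b>=1.2']"

# Constructed hostile input: a Python expression, not a literal.  Under
# eval() it runs; getpid() stands in for a real payload such as
# os.system(...) so the demo stays harmless.
HOSTILE_SUMMARY = "__import__('os').getpid()"


def parse_dependencies_unsafe(text):
    """The pattern the finding describes: eval() on a summary string.

    Whatever the string's author wrote is executed with this process's
    privileges, so a crafted asset controls the conformance writer.
    """
    return eval(text)  # noqa: S307  (deliberately unsafe, for contrast)


def parse_dependencies_safe(text):
    """Hardened replacement using ast.literal_eval().

    literal_eval accepts only literal syntax (strings, numbers, tuples,
    lists, dicts, sets, booleans, None); names, calls and attribute
    access raise ValueError, so no code runs.  The result is then
    shape-checked, because a literal can still be the wrong type.
    Very large or deeply nested inputs can still raise MemoryError or
    RecursionError, so cap the input length upstream of this call.
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"not a Python literal: {text!r}") from exc
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError(f"expected a list of strings, got {type(value).__name__}")
    return value


def hostile_runs_under_eval():
    """True when eval() executed the hostile string (it returns the pid)."""
    return isinstance(parse_dependencies_unsafe(HOSTILE_SUMMARY), int)


def safe_parser_rejects(text):
    """True when the hardened parser refuses the given string."""
    try:
        parse_dependencies_safe(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("eval() executed hostile input:", hostile_runs_under_eval())
    print("literal_eval rejected it:", safe_parser_rejects(HOSTILE_SUMMARY))
    print("safe parse:", parse_dependencies_safe(SAFE_SUMMARY))
```

The shape check after literal_eval matters as much as the swap itself: a summary field that parses to a dict or a list of integers is still untrusted data, and the writer should fail closed rather than carry it into the conformance report.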
Audit Metadata