skills/nvidia/skills/jetson-llm-serve/Gen Agent Trust Hub

jetson-llm-serve

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to use sudo nvpmodel and sudo jetson_clocks. These are standard administrative commands for managing power profiles and clock frequencies on NVIDIA Jetson hardware to ensure consistent performance during model serving.
  • [EXTERNAL_DOWNLOADS]: The instructions reference several external container images, including vllm/vllm-openai:latest (upstream vLLM), ghcr.io/nvidia-ai-iot/vllm:latest-jetson-orin (NVIDIA-AI-IOT package), and nvcr.io/nvidia/sglang:26.01-py3 (NVIDIA NGC registry). These are well-known and vendor-owned repositories appropriate for the task.
  • [CREDENTIALS_UNSAFE]: The skill mentions the use of HF_TOKEN for accessing gated models on Hugging Face. Notably, the documentation includes a security warning explicitly advising against passing tokens as environment variables in shared environments and suggests safer alternatives like mounted credential files or Docker secrets.
  • [COMMAND_EXECUTION]: The skill suggests sourcing a local script skills/jetson-diagnostic/scripts/detect_jetson.sh to determine the hardware generation. This is a standard practice within the Jetson ecosystem to tailor configuration to specific hardware (Thor vs Orin).
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 22, 2026, 08:45 PM
Security Audit — agent-trust-hub — jetson-llm-serve