tao-finetune-cosmos-embed
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the user to execute Docker containers with broad privileges that weaken the security sandbox between the container and the host.
- Evidence: Use of
--network=hostallows the container full access to host network interfaces. - Evidence: Use of
--ipc=hostallows the container to share the host's inter-process communication namespace. - Evidence: Elevated ulimits (
memlock=-1,stack=67108864) are used to grant the container broad access to host memory resources. - [CREDENTIALS_UNSAFE]: The skill instructions and configuration require passing a sensitive credential (
HF_TOKEN) into the container execution environment. - Evidence:
SKILL.mdandreferences/skill_info.yamlspecify the use of-e HF_TOKENto access gated model weights. - [EXTERNAL_DOWNLOADS]: The skill pulls external assets including Docker images and model weights.
- Evidence: Resolves and pulls images from
tao_toolkit.cosmos_embed. - Evidence: Downloads pretrained weights from
nvidia/Cosmos-Embed1-*repositories on HuggingFace. - [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted metadata files (JSON format) and video files which could potentially contain malicious instructions targeting the processing agent.
- Ingestion points: Untrusted JSON metadata files defined in
dataset.train_dataset.metadataand video files indataset.train_dataset.mp4_urls(SKILL.md). - Boundary markers: No delimiters or explicit instructions are provided to the agent to ignore embedded instructions within the processed data.
- Capability inventory: The skill executes shell commands (Docker) and performs file system writes to the
results/directory (SKILL.md, references/skill_info.yaml). - Sanitization: No evidence of validation or sanitization of the input metadata content before processing.
Audit Metadata