tao-mine-aoi-images

Warn

Audited by Socket on Jun 23, 2026

1 alert found:

Anomaly
AnomalyLOW
references/reference-invocation.md

This snippet is a standard Docker-orchestrated ML pipeline with end-of-step artifact validation. There is no direct evidence of malicious code in the shell logic, but it introduces a meaningful supply-chain execution risk by dynamically selecting the container image/tool from a local versions.yaml (path controlled via TAO_SKILL_BANK_PATH) and executing it with the entire WORKSPACE mounted. If versions.yaml or the referenced image provenance is compromised, an attacker could run arbitrary container code that reads/writes host files under the mounted workspace. Pinning/verifying the container image by digest and tightening mount scope would materially reduce risk.

Confidence: 62%Severity: 58%
Audit Metadata
Analyzed At
Jun 23, 2026, 12:10 PM
Package URL
pkg:socket/skills-sh/NVIDIA%2Fskills%2Ftao-mine-aoi-images%2F@51985f37f68daabf88d5f9efd5ac57ddd2e9085ce3f3fd815ba5cee359b011cc
Security Audit — socket — tao-mine-aoi-images