tao-train-mask-auto-label

Warn

Audited by Socket on Jun 23, 2026

1 alert found:

Anomaly
AnomalyLOW
references/skill_info.yaml

No direct malicious code or network-exfiltration logic is visible in this YAML manifest because it is only a pipeline configuration. However, it delegates high-impact execution to an external entrypoint (`mal`) inside a specified container image (`tao_toolkit.pyt`), with stage behavior driven by an untrusted/variable config path and indirect relative template files. Multiple anomalies (ambiguous `mal` naming reused across fields, unusual container reference, hardcoded-looking encryption_key value, and tokenized output path) increase supply-chain review priority. The actual malware likelihood cannot be confirmed from this file alone; focus should be on validating the provenance and integrity of the container image/tool behind `mal` and the contents of the referenced spec templates.

Confidence: 44%Severity: 62%
Audit Metadata
Analyzed At
Jun 23, 2026, 12:10 PM
Package URL
pkg:socket/skills-sh/NVIDIA%2Fskills%2Ftao-train-mask-auto-label%2F@3b54bd33965da2050c129e54537308ad848bb7b6f85b3958a9baf1c56e8108dd
Security Audit — socket — tao-train-mask-auto-label