nemo-evaluator-plugin

Fail

Audited by Socket on Jun 18, 2026

3 alerts found:

Securityx2Obfuscated File
SecurityMEDIUM
assets/specs/llm_as_judge.json
SecurityMEDIUM
assets/specs/exact_match_metric.json
Obfuscated FileHIGH
assets/specs/exact_match_benchmark.json

The artifact configures an LLM evaluation against NVIDIA’s chat-completions API and computes metrics using embedded cloudpickle-serialized metric evaluators. No explicit malicious behavior or suspicious network destinations are shown, but the inclusion of cloudpickle payloads creates a significant supply-chain risk: if the evaluation runner unpickles these blobs, arbitrary code execution is possible under tampering or unsafe loading. Treat this as a security review requirement for deserialization provenance/integrity and sandboxing controls.

Confidence: 90%
Audit Metadata
Analyzed At
Jun 18, 2026, 04:34 PM
Package URL
pkg:socket/skills-sh/promptingcompany%2Fnv-skills%2Fnemo-evaluator-plugin%2F@8ba4d50ff9bafe60ac923b28f895bc366e43701a3119b8592e94610a013c2205
Security Audit — socket — nemo-evaluator-plugin