nemo-evaluator-plugin
Fail
Audited by Socket on Jun 18, 2026
3 alerts found:
Securityx2Obfuscated FileSecurityassets/specs/llm_as_judge.json
MEDIUMSecurityMEDIUM
assets/specs/llm_as_judge.json
Securityassets/specs/exact_match_metric.json
MEDIUMSecurityMEDIUM
assets/specs/exact_match_metric.json
Obfuscated Fileassets/specs/exact_match_benchmark.json
HIGHObfuscated FileHIGH
assets/specs/exact_match_benchmark.json
The artifact configures an LLM evaluation against NVIDIA’s chat-completions API and computes metrics using embedded cloudpickle-serialized metric evaluators. No explicit malicious behavior or suspicious network destinations are shown, but the inclusion of cloudpickle payloads creates a significant supply-chain risk: if the evaluation runner unpickles these blobs, arbitrary code execution is possible under tampering or unsafe loading. Treat this as a security review requirement for deserialization provenance/integrity and sandboxing controls.
Confidence: 90%
Audit Metadata