nemo-retriever

Fail

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The installation guide (references/install.md) instructs the user to execute shell commands with elevated privileges (sudo apt-get install) to install host dependencies like libreoffice and ffmpeg.
  • [COMMAND_EXECUTION]: The skill uses Python scripts (scripts/filename_fast_path.py) that execute the retriever CLI tool via subprocess.run to perform document processing.
  • [EXTERNAL_DOWNLOADS]: During setup, the skill fetches the NeMo-Retriever source code from NVIDIA's official GitHub repository and downloads pre-trained model weights from HuggingFace.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing content from various untrusted document formats (PDF, Office, images, audio, video) into a searchable index.
  • Ingestion points: User-provided documents are processed from the local workspace (e.g., ./pdfs/ directory) into a LanceDB database.
  • Boundary markers: The agent instructions lack explicit markers or warnings to disregard instructions that may be embedded within the documents being retrieved.
  • Capability inventory: The agent can execute arbitrary shell commands via the Bash tool and run specialized scripts to query and manipulate the indexed data.
  • Sanitization: Extracted text and document metadata are provided to the agent for synthesis without sanitization or filtering of potential instruction-like content.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 18, 2026, 04:36 PM
Security Audit — agent-trust-hub — nemo-retriever