nv-reason-cxr
Warn
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: MEDIUMPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains deceptive metadata and copyright headers claiming authorship by NVIDIA, which contradicts the actual provider's identity. This misrepresentation creates a false sense of trust in the skill's provenance.
- [EXTERNAL_DOWNLOADS]: Fetches model weights and assets from official NVIDIA repositories on Hugging Face and GitHub. These are well-known and trusted technology services.
- [COMMAND_EXECUTION]: Subprocess calls in the test and setup scripts are used to manage the execution environment and are restricted to the skill's own components.
- [REMOTE_CODE_EXECUTION]: Dynamic execution flags were investigated and found to be benign. The import call verifies dependency installation, and the eval call is a specific library method for model inference state rather than the standard Python execution builtin.
Audit Metadata