tao-generate-image-grounding
Fail
Audited by Snyk on Jun 18, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The prompt instructs the agent to collect API keys (e.g., vlm.gemini.api_key or api_key for OpenAI-compatible endpoints) and to place them into configuration/CLI overrides, which can require the LLM to accept and emit secret values verbatim.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly requires running the TAO Toolkit container image nvcr.io/nvidia/tao/tao-toolkit:6.26.3-pyt as a prerequisite (and runs the pipeline inside that container), which fetches remote code that is executed at runtime and is a required dependency.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata