tao-port-huggingface-model
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches container images from NVIDIA's official registry (nvcr.io) and model configurations and weights from the HuggingFace Hub. These are well-known and trusted technology services, and the downloads are essential for the skill's primary purpose.
- [COMMAND_EXECUTION]: Orchestrates complex Docker container lifecycles including GPU passthrough, large shared memory allocation (--shm-size=16G), and bind-mounting the host's working directory to /workspace. While standard for TAO development, this involves high-privilege operations and extensive host filesystem interaction.
- [PROMPT_INJECTION]: Exhibits a surface for indirect prompt injection by ingesting and processing untrusted metadata and configuration files from the HuggingFace Hub.
- Ingestion points: Phase 1.5 and 1.6 read architecture data and model configurations from external model IDs on the HuggingFace Hub.
- Boundary markers: The instructions do not prescribe explicit delimiters or 'ignore embedded instructions' warnings when the agent processes model metadata.
- Capability inventory: The agent has the capability to write files, execute shell commands, and orchestrate Docker containers with host-system access.
- Sanitization: Basic validation is performed on the pipeline_tag, but the skill lacks comprehensive sanitization of the structured data ingested from external sources.
Audit Metadata