tao-run-automl
Fail
Audited by Snyk on Jun 18, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly mandates prompting for and resolving llm_api_key (and the llm endpoint/model) before generating runner scripts, which requires the agent to accept an API key and likely embed or use it in generated commands/scripts rather than keeping it strictly as an environment-only secret.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill calls external LLM endpoints at runtime (e.g., https://inference-api.nvidia.com and the hardcoded fallback https://integrate.api.nvidia.com/v1) for the llm/hybrid/autoresearch algorithms, and responses from those endpoints directly drive hyperparameter proposals and agent decisioning, so they are runtime external dependencies that control prompts/behavior.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata