tao-run-on-lepton

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches a bootstrap script (lepton_env_to_pytorch.sh) from the official Lepton GitHub repository (github.com/leptonai/scripts/main) to initialize the environment for multi-node training.
  • [REMOTE_CODE_EXECUTION]: During multi-node training initialization, the skill sources the shell script downloaded from the Lepton repository to translate environment variables for PyTorch distributed training.
  • [COMMAND_EXECUTION]: The skill uses shell commands in its preflight section to verify that the nvidia-tao-sdk and leptonai Python packages are installed correctly.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data into its execution workflow:
  • Ingestion points: The image, command, and inputs parameters in the LeptonSDK.create_job method (documented in SKILL.md) are derived from user input.
  • Boundary markers: No explicit boundary markers or delimiters are defined to isolate user-provided commands from the execution environment.
  • Capability inventory: The skill has the capability to execute arbitrary commands inside remote GPU containers and interact with S3-compatible storage.
  • Sanitization: There is no mention of sanitization or validation of the command string before it is passed to the job creation API.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 18, 2026, 04:35 PM
Security Audit — agent-trust-hub — tao-run-on-lepton