tao-run-on-lepton
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches a bootstrap script (
lepton_env_to_pytorch.sh) from the official Lepton GitHub repository (github.com/leptonai/scripts/main) to initialize the environment for multi-node training. - [REMOTE_CODE_EXECUTION]: During multi-node training initialization, the skill sources the shell script downloaded from the Lepton repository to translate environment variables for PyTorch distributed training.
- [COMMAND_EXECUTION]: The skill uses shell commands in its preflight section to verify that the
nvidia-tao-sdkandleptonaiPython packages are installed correctly. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data into its execution workflow:
- Ingestion points: The
image,command, andinputsparameters in theLeptonSDK.create_jobmethod (documented inSKILL.md) are derived from user input. - Boundary markers: No explicit boundary markers or delimiters are defined to isolate user-provided commands from the execution environment.
- Capability inventory: The skill has the capability to execute arbitrary commands inside remote GPU containers and interact with S3-compatible storage.
- Sanitization: There is no mention of sanitization or validation of the
commandstring before it is passed to the job creation API.
Audit Metadata