tao-run-platform
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill maintains an attack surface for indirect prompt injection due to its handling of external configuration and data paths.
- Ingestion points: The skill processes user-supplied job parameters, platform-specific settings, and remote data URIs from S3, Hugging Face Hub, and NGC.
- Boundary markers: The instructions do not define specific delimiters or "ignore instructions" markers to separate untrusted external data from the agent's core instructions during job submission.
- Capability inventory: The skill utilizes
sdk.create_jobto execute shell commands across multiple environments, including DGX Cloud containers, remote GPU instances, and SLURM clusters. - Sanitization: The documentation does not specify sanitization or validation routines for user-provided configuration values before they are interpolated into container commands.
- [COMMAND_EXECUTION]: The skill performs dynamic script generation to create container entrypoints.
- The
build_entrypointfunction constructs shell commands that incorporate inlined, Base64-encoded scripts (heredocs). This is used to package a portable runtime (script_runner) that manages data I/O and configuration within the job container. - [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
nvidia-tao-sdkpackage. - This dependency is sourced from a well-known organization and is necessary for the skill's primary execution tasks.
- [SAFE]: The skill adheres to best practices for managing sensitive information.
- It directs the agent to verify the existence of environment variables (such as
LEPTON_AUTH_TOKENandS3_BUCKET_NAME) rather than accessing or logging the actual values. Sensitive configuration is stored in local environment files (~/.config/tao/.env), which is a standard practice for secure local secret management.
Audit Metadata