model-deployment
Warn
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The Python implementation uses
joblib.load("model.pkl")to load the machine learning model.joblibinternally uses thepicklemodule, which is unsafe for loading untrusted data. A maliciously craftedmodel.pklfile could execute arbitrary code on the server during the application's startup phase. - [COMMAND_EXECUTION]: The skill generates Dockerfiles and Kubernetes manifests that contain shell commands for installing dependencies and running the API server. These automated generation steps involve executing system-level operations based on user-provided configurations.
- [EXTERNAL_DOWNLOADS]: The Dockerfile instructions include
pip installcommands that download packages from external registries, creating a dependency on external code and potential exposure to supply chain risks. - [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it processes untrusted external artifacts like model files and requirements lists to generate deployment code.
- Ingestion points:
model.pklandrequirements.txtfiles provided by the user or target environment. - Boundary markers: Absent; there are no explicit delimiters or instructions to ignore embedded commands within the processed artifacts.
- Capability inventory: File system access, Docker image construction, and Kubernetes deployment manifest generation.
- Sanitization: Input validation using Pydantic is implemented for the API endpoints, but no validation or safety checks are applied to the model loading process itself.
Audit Metadata