soma
Fail
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs users to install its management tool by piping a remote script directly to a shell (
curl -fsSL https://sup.soma.org | bash). Although this script is hosted on the vendor's own domain, shell-piping remote content is an unverified execution pattern that bypasses standard package manager safety checks. - [EXTERNAL_DOWNLOADS]: The workflow requires downloading several specialized libraries and datasets, including the
soma-sdkandsoma-modelspackages, and streaming the 'The Stack v2' dataset from HuggingFace for submission scoring. - [COMMAND_EXECUTION]: The skill relies on extensive use of the
somaCLI and themodalcloud platform to orchestrate GPU-intensive training and on-chain signing operations. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection attack surface because it ingests and processes untrusted source code and text from external datasets (e.g., The Stack v2) for next-byte prediction tasks.
- Ingestion points: Untrusted source code is streamed into the agent's context via the
stream_stack_v2function described in the submitter workflow. - Boundary markers: No explicit delimiters or 'ignore' instructions are provided to the agent to separate dataset content from instruction logic during processing.
- Capability inventory: The skill can execute shell commands via the
somaCLI, interact with the Modal cloud environment, and write data to public S3 buckets. - Sanitization: External content is processed as raw bytes for scoring and training without filtering for potential malicious natural language instructions.
Recommendations
- HIGH: Downloads and executes remote code from: https://sup.soma.org - DO NOT USE without thorough review
Audit Metadata