torch_npu

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The fetch_torch_npu_doc and fetch_torch_npu_docs_batch tools in mcp/index.js are vulnerable to path traversal. The tools use the path.join function to determine the save location for fetched files using a user-provided path argument. The sanitization logic only removes leading slashes and replaces backslashes, failing to prevent directory traversal via ../ sequences, which allows arbitrary file writes outside the intended fetched_docs directory.
  • [COMMAND_EXECUTION]: The installation instructions in mcp/README.md advise users to execute Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser. This modifies the system security configuration on Windows to allow the execution of unsigned scripts, increasing the potential attack surface of the host environment.
  • [EXTERNAL_DOWNLOADS]: The MCP server retrieves content from the external domain gitcode.com/Ascend/pytorch via the fetchUrl function. While GitCode is a known service, the skill downloads and writes this remote content to the local filesystem without verifying its integrity or safety.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8).
    ◦ Ingestion points: Remote documentation content is ingested from GitCode via the fetchUrl function in mcp/index.js.
    ◦ Boundary markers: None are implemented to isolate the fetched content or identify it as untrusted data to the agent.
    ◦ Capability inventory: The skill has file system write capabilities via fs.writeFileSync across its fetching tools.
    ◦ Sanitization: The skill lacks proper sanitization for both the file paths and the content retrieved from the remote source.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 1, 2026, 11:03 AM