Skills
skills/bbuf/sglang-auto-driven-skills/llm-torch-profiler-analysis/Gen Agent Trust Hub

llm-torch-profiler-analysis

Warn

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: Multiple shell scripts (e.g., run_sglang_torch_profile_host.sh, run_llm_single_model_matrix_host.sh) perform extensive host-level command execution, including docker run, docker exec, and pkill. These scripts directly interpolate user-provided arguments like --model, --port, and --gpus into shell commands, which presents a risk of command injection if the inputs are not strictly validated.
  • [CREDENTIALS_UNSAFE]: The skill orchestrates the propagation of sensitive authentication tokens, specifically HF_TOKEN and HUGGINGFACE_HUB_TOKEN. These credentials are passed from the host environment into Docker containers and child processes to enable model downloads from Hugging Face.
  • [COMMAND_EXECUTION]: The logic in scripts/make_trtllm_py_executor_override.py performs dynamic source code modification. It reads the library file py_executor.py from a TensorRT-LLM container, patches it to inject with_stack=True via string manipulation, and writes the modified code to a file that is mounted back into the container as a runtime override.
  • [EXTERNAL_DOWNLOADS]: The skill automates the retrieval of external assets from well-known registries, including Docker images from NVIDIA (nvcr.io) and vLLM, as well as model weights from Hugging Face. These downloads are documented as safe functionality within the author's intended workflow.
  • [DATA_EXFILTRATION]: The skill accesses local files (e.g., in /data/bbuf) and makes network requests to local LLM serving endpoints to capture and process performance data.
  • [PROMPT_INJECTION]: The skill possesses a surface area for indirect prompt injection through its ingestion of untrusted performance trace data. Evidence chain: 1. Ingestion points: load_trace_json in scripts/profile_common.py reads external JSON trace files. 2. Boundary markers: Absent; the skill processes trace data without explicit delimiters or warnings to ignore embedded content. 3. Capability inventory: High-privilege access including host-level process management and container execution. 4. Sanitization: Absent; content from trace files is interpolated directly into markdown triage tables.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 3, 2026, 03:23 AM