ml-ops-engineer
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFEPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill implements several data ingestion points that could serve as surfaces for indirect prompt injection if the processed data is passed to an LLM.
- Ingestion points: External data is ingested via the FastAPI
/predictendpoint,pd.read_csvin batch processing, andpd.read_parquetin Kubeflow components (SKILL.md). - Boundary markers: No delimiters or 'ignore embedded instructions' warnings are present in the provided code templates.
- Capability inventory: The skill patterns include file system access (read/write Parquet/CSV), network operations (FastAPI server), and model execution.
- Sanitization: No explicit sanitization or validation of the content within the ingested data is shown in the examples.
- [DYNAMIC_EXECUTION]: The skill demonstrates patterns for loading machine learning models using
mlflow.pyfunc.load_modelandxgboost.load_model. In a production environment, loading serialized models (such as those using pickle) from untrusted storage locations can lead to arbitrary code execution during deserialization.
Audit Metadata