funsloth-local
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill establishes a workflow for processing untrusted external data (training datasets) while possessing high-privilege capabilities.
  1. Ingestion: External datasets are loaded via the datasets library in scripts/train_sft.py.
  2. Boundary markers: Absent. No delimiters are used to isolate untrusted data from the training logic.
  3. Capability inventory: Executes shell commands (pip, docker, python), writes to the filesystem (outputs/), and controls environment variables.
  4. Sanitization: None. Dataset content is processed directly.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill installs numerous Python packages (e.g., unsloth, bitsandbytes) from sources not on the predefined trusted list. It also pulls a third-party Docker image.
- [COMMAND_EXECUTION] (MEDIUM): Extensive use of shell commands for environment setup, training execution, and monitoring.
- [REMOTE_CODE_EXECUTION] (MEDIUM): Pulls and executes a third-party Docker image (unsloth/unsloth), which executes arbitrary code on the host GPU.
- [CREDENTIALS_UNSAFE] (LOW): Uses a hardcoded default password (unsloth) for Jupyter and sudo access within the Docker environment.
Recommendations
- AI detected serious security threats
Audit Metadata