databricks-model-serving
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses MCP tools like `execute_databricks_command` and `run_python_file_on_databricks` to perform administrative tasks and test models on Databricks clusters. These operations are core to the skill's purpose of managing remote ML infrastructure.
- [EXTERNAL_DOWNLOADS]: The documentation guides users to install widely-used Python libraries from standard registries, including `mlflow`, `langgraph`, and `databricks-langchain`. These downloads originate from trusted, well-known organizations aligned with the vendor.
- [DYNAMIC_EXECUTION]: A code example in `4-tools-integration.md` provides a custom tool using `eval()` for mathematical expressions. The implementation follows a common pattern of using a restricted environment by stripping `__builtins__` and only allowing specific `math` functions.
- [INDIRECT_PROMPT_INJECTION]: The skill describes an architecture where AI agents process untrusted input from the `query_serving_endpoint` tool.
  - Ingestion points: User messages enter via `ResponsesAgentRequest` in `agent.py` and query tools.
  - Boundary markers: The provided templates do not include explicit system-level delimiters, though they use structured request objects.
  - Capability inventory: The agents can potentially call tools like `system.ai.python_exec` and manipulate workspace resources via other MCP tools.
  - Sanitization: Standard model-serving guardrails are assumed; no custom sanitization logic is explicitly included in the templates.
Audit Metadata