model-serving
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Dynamic Execution (MEDIUM): The calculate tool in 4-tools-integration.md uses eval() to process expressions. Although it attempts to sandbox the execution by restricting builtins and using a whitelist of math functions, eval() remains a high-risk function prone to sandbox escape techniques.
- Dynamic Execution (MEDIUM): The custom model pattern in 2-custom-pyfunc.md utilizes pickle.load() to deserialize model artifacts and preprocessors. Deserializing untrusted pickle data can lead to arbitrary code execution.
- Command Execution (LOW): The skill employs execute_databricks_command and run_python_file_on_databricks to perform administrative and testing tasks on remote clusters. These operations are core to the skill's purpose of managing Model Serving on the Databricks platform.
- Indirect Prompt Injection (LOW): The agent patterns in 3-genai-agents.md and 5-development-testing.md create a surface for indirect prompt injection by processing raw user input.
  1. Ingestion points: ResponsesAgentRequest input in agent.py and test_agent.py (File: 3-genai-agents.md, 5-development-testing.md).
  2. Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used in the prompt construction.
  3. Capability inventory: The agents are equipped with tools for SQL/Python function execution (UCFunctionToolkit), vector search, and a built-in Python interpreter (system.ai.python_exec).
  4. Sanitization: No input validation or sanitization logic is provided in the reference code.
Audit Metadata