ml-model-retrainer

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill utilizes the Python 'pickle' module to restore model states, which is inherently insecure.
  • Evidence: The load_model method in SKILL.md accepts a file path and performs pickle.load(f) on the file's contents. Deserializing untrusted data with pickle can result in arbitrary code execution on the host system.
  • [COMMAND_EXECUTION]: The skill performs file system operations using paths that are not properly validated or sandboxed.
  • Evidence: The save_model and load_model methods in SKILL.md use an externally provided path parameter directly in open(path, ...) calls. Without path sanitization, this could allow for path traversal or unauthorized access to system files.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via the processing of untrusted data files.
  • Ingestion points: The skill processes user-provided project data in Excel, CSV, and JSON formats as described in instructions.md.
  • Boundary markers: No delimiters or specific instructions are implemented to prevent the agent from interpreting content within these data files as instructions.
  • Capability inventory: The skill has the ability to write to the filesystem and execute code via the pickle vulnerability identified in SKILL.md.
  • Sanitization: No data validation or sanitization is performed on the fields of the ingested data files before they enter the agent's context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 04:29 AM