torchforge-rl-training

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The documentation (api-reference.md) instructs users to download and install packages from 'github.com/meta-pytorch/torchforge' and 'github.com/meta-pytorch/monarch'. The 'meta-pytorch' organization is not included in the trusted list of GitHub organizations, making these unverifiable dependencies.
  • COMMAND_EXECUTION (LOW): The installation instructions include running local shell scripts ('./scripts/install.sh') and executing python modules ('python -m apps.sft.main'). While standard for ML projects, these represent a command execution surface.
  • PROMPT_INJECTION (LOW): The framework is designed to process external datasets (e.g., 'openai/gsm8k') for training and inference, which constitutes an indirect prompt injection surface.
  • Ingestion points: Configuration file 'config/grpo_math.yaml' references external dataset paths.
  • Boundary markers: None mentioned in the provided documentation.
  • Capability inventory: The framework performs file writes (checkpoints), network operations (fetching datasets/models), and manages multiple processes ('procs').
  • Sanitization: No sanitization or validation of dataset content is described.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 05:59 PM