mlflow
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The documentation includes example commands for starting a tracking server that utilize a plaintext backend storage URI containing credentials (e.g., postgresql://user:password@localhost/mlflow), which can lead to sensitive information being captured in shell history or process logs.
- [REMOTE_CODE_EXECUTION]: The skill makes extensive use of mlflow.pyfunc.load_model() and other loading functions that typically rely on Python's pickle serialization format. Loading models from untrusted or remote locations creates a significant risk of arbitrary code execution during the deserialization process.
- [COMMAND_EXECUTION]: The skill instructs the agent to perform several high-privilege shell operations, including starting servers (mlflow server), serving models (mlflow models serve), managing containers (docker run), and orchestrating cluster deployments (kubectl apply). It also uses subprocess.check_output to interact with the local git environment.
- [DATA_EXFILTRATION]: The skill facilitates the transfer of data, configurations, and model artifacts to remote destinations, including AWS SageMaker, Azure ML, and external S3 buckets.
- [PROMPT_INJECTION]: The skill provides an indirect prompt injection surface through its reliance on external model URIs and artifacts:
  - Ingestion points: model_uri parameters in mlflow.pyfunc.load_model() and related functions across all reference files.
  - Boundary markers: Absent; the skill does not include delimiters or instructions to ignore embedded commands in loaded data.
  - Capability inventory: Wide-ranging shell execution capabilities including the docker, kubectl, and mlflow CLI tools, as well as Python subprocess access.
  - Sanitization: Absent; there is no evidence of provenance verification or integrity checking for models before they are loaded and executed.
Audit Metadata