nemo-evaluator-sdk

Fail

Audited by Snyk on Mar 28, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The prompt contains examples that embed API keys directly (e.g., export NGC_API_KEY=nvapi-your-key-here and the Python snippet ApiEndpoint.api_key="nvapi-your-key-here"), which encourages placing secrets verbatim in code/commands and therefore requires the LLM to handle/output secret values.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The launcher explicitly pulls and runs evaluation containers at runtime (e.g., nvcr.io/nvidia/eval-factory/ and user images like my-registry/custom-eval:1.0), which are fetched from external registries and will execute remote code when run, so these registry URLs are a runtime dependency that can execute external code.

Issues (2)

W007 (HIGH): Insecure credential handling detected in skill instructions.

W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level: HIGH
Analyzed: Mar 28, 2026, 06:08 PM
Issues: 2