kernelgen-flagos
Audited by Socket on Apr 12, 2026
2 alerts found:
Anomaly (x2): No explicit malicious behaviors (exfiltration, credential theft, backdoor installation, cryptomining) are shown in the provided fragment because it is a high-level pipeline description. However, it performs high-impact supply-chain actions: it may auto-install dependencies (including an editable install of the repo), and it sends existing operator code to an MCP service and directly writes MCP-returned code back into FlagGems operator sources that will be executed by pytest. Without integrity checks, sandboxing, or allowlisting of MCP output, this creates a plausible avenue for sabotage via a compromised MCP service or returned code. Recommend reviewing the MCP transport/authentication, adding code signing/integrity checks for generated code, and implementing strict validation/sandboxing before writing and executing modified operators.
SUSPICIOUS: the visible skill is broadly aligned with GPU kernel generation, but its actual footprint depends on unseen sub-skills and a mandatory third-party MCP service. The strongest concern is data-flow integrity: the documented KernelGen MCP uses plain HTTP, so repository context may be exposed in transit. No confirmed malware or overt credential theft is visible in this file alone, but the external mandatory service and incomplete local sub-skill visibility make this a medium-risk skill.