hyperparameter-tuner

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill is granted Bash(python:*) permissions. Hyperparameter tuning typically requires executing training scripts to evaluate performance metrics; this permission allows the agent to run arbitrary Python code in the environment.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill is granted Bash(pip:*) permissions. This allows the agent to install any package from the Python Package Index (PyPI). Without a whitelist of approved packages, an attacker could use this to install malicious libraries or tools for further exploitation.
  • [REMOTE_CODE_EXECUTION] (HIGH): Category 8 (Indirect Prompt Injection) vulnerability.
      • Ingestion points: The skill processes user-provided ML training code, patterns, and configurations for tuning (SKILL.md).
      • Boundary markers: None identified. The skill does not define boundaries for user-supplied code or provide instructions to ignore embedded commands.
      • Capability inventory: Bash(python:*), Bash(pip:*), Write, and Edit tools are permitted.
      • Sanitization: No sanitization or validation logic is specified to check the safety of the training code before execution.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 06:41 AM