tracking-model-versions
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill represents a surface for indirect prompt injection as it ingests untrusted metadata from model registries and external experiments.
- Ingestion points: Model metadata, parameters, and run notes retrieved from MLflow or other tracking servers.
- Boundary markers: Absent; the instructions do not specify delimiters for data interpolated into model card templates.
- Capability inventory: The agent has access to the Bash(cmd:*), Write, and Edit tools, allowing it to execute commands or modify files based on instructions potentially embedded in metadata.
- Sanitization: No sanitization or validation of the ingested strings is performed before they are used to generate Markdown documentation.
- [COMMAND_EXECUTION]: The skill instructions direct the agent to execute shell commands for experiment management and to start network-accessible services, such as an MLflow tracking server (mlflow server --host 0.0.0.0).
- [EXTERNAL_DOWNLOADS]: The skill documentation references the installation of common Python packages (mlflow, pandas) and interactions with established cloud service providers (AWS S3 and Google GCS) for artifact storage.
- [NO_CODE]: The file scripts/version_control.sh is misleadingly named and described. While its metadata claims it is a Bash script for Git/VCS automation, it actually contains Python code that performs basic file size auditing and JSON validation.
Audit Metadata