distributed-llm-pretraining-torchtitan

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt instructs users to pass a Hugging Face token directly on the command line (e.g., --hf_token=... / --hf_token=YOUR_HF_TOKEN), which requires embedding secret values verbatim in generated commands and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The SKILL.md explicitly instructs runtime downloads from public third‑party sources (e.g., "Step 1: Download tokenizer" invoking scripts/download_hf_assets.py to fetch assets from the HuggingFace hub and the README and references/checkpoint.md show loading/converting HuggingFace checkpoints and cloning GitHub), so the skill clearly ingests untrusted, user‑hosted web content as part of required workflows which could materially alter subsequent tooling or behavior.