nemo-evaluator-sdk

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes examples that embed API keys/passwords verbatim in shell and code snippets (e.g., export NGC_API_KEY=nvapi-your-key-here and api_key="nvapi-your-key-here"), which instructs an agent to insert secret values directly into generated outputs.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). I flagged nvcr.io/nvidia/eval-factory/ because the skill's local/Slurm executors explicitly pull NGC container images at runtime (docker run/pull), which fetch and execute remote code that the evaluation relies on.