rerank-service

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): The 'entrypoint.sh' script executes the vLLM server with the '--trust-remote-code' flag. This parameter permits the execution of arbitrary Python code included in the model files downloaded from the hub. If the 'RERANK_MODEL_NAME' environment variable is pointed to a malicious repository, it can lead to full system compromise.
  • DATA_EXFILTRATION (HIGH): The 'client.py' file uses 'Path(__file__).parent.parent.parent / ".env"' to load environment variables. This directory traversal pattern attempts to read sensitive '.env' files from the parent project structure, which may contain credentials or secrets unintended for the skill's scope.
  • COMMAND_EXECUTION (MEDIUM): The 'entrypoint.sh' script invokes 'python3 -m vllm.entrypoints.openai.api_server' with several configurable parameters. While the server itself is a known tool, the lack of restriction on model sources combined with code execution flags makes this a dangerous command line operation.
  • EXTERNAL_DOWNLOADS (LOW): The 'Dockerfile' sets 'HF_ENDPOINT' to 'hf-mirror.com' and enables 'USE_MODELSCOPE_HUB'. These configurations facilitate the download of model weights and code from external sources which, in this context, are executed with trust.
  • PROMPT_INJECTION (LOW): (Category 8) The skill exposes an ingestion surface for untrusted text in 'client.py' through the 'query' and 'documents' arguments.
    • Ingestion points: Document list and query strings in 'RerankServiceClient.rerank'.
    • Boundary markers: None; content is passed directly to the model API.
    • Capability inventory: The backend server has 'trust-remote-code' enabled, though reranker models typically have limited generative capabilities.
    • Sanitization: No sanitization or escaping of input data is performed before processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:23 PM