modal
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The documentation includes multiple examples of executing arbitrary shell commands via modal.Image.run_commands() and subprocess. A particularly high-risk example in references/web-endpoints.md demonstrates how to serve the entire root directory (/) of a container using python -m http.server, which would result in full filesystem exposure.
- CREDENTIALS_UNSAFE (MEDIUM): In references/images.md, the documentation provides an example of mounting a local AWS credentials directory (/user/erikbern/.aws) into a container image. If an agent copies this pattern, it could lead to the unintentional exfiltration or exposure of sensitive cloud credentials.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill documentation encourages downloading code and models from various external sources. It specifically references cloning repositories from github.com/modal-labs, which is not on the trusted sources list. It also provides examples of pulling container images from unverified Docker registry users (e.g., huanjason/scikit-learn).
- INDIRECT_PROMPT_INJECTION (MEDIUM): The skill provides numerous templates for web endpoints and data processing pipelines that ingest external data (JSON, CSV, S3 objects).
  - Ingestion points: references/web-endpoints.md (FastAPI/Flask routes) and references/examples.md (S3/CSV ingestion).
  - Boundary markers: Absent; code snippets do not demonstrate use of delimiters or 'ignore' instructions for untrusted data.
  - Capability inventory: Includes high-impact operations like file system writes, shell command execution, and remote compute spawning.
  - Sanitization: Absent; the documentation lacks examples of input validation or sanitization, increasing the likelihood that generated code will be vulnerable to injection.
Audit Metadata