stable-baselines3
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [Unverifiable Dependencies] (MEDIUM): The skill specifies the installation of 'stable-baselines3' and 'gymnasium' via pip. Neither these packages nor their primary maintainers are included in the 'Trusted GitHub Organizations' list defined in the security scope.
- [Dynamic Execution] (MEDIUM): The scripts evaluate_agent.py and train_rl_agent.py utilize 'PPO.load()' and 'VecNormalize.load()'. Stable Baselines 3 uses pickle-based serialization for hyperparameters and normalization statistics. Loading these files from untrusted sources is a known vector for arbitrary code execution.
- [Indirect Prompt Injection] (MEDIUM): The skill establishes an attack surface where untrusted file paths and environment IDs are processed by functions with high-privilege capabilities (file execution and subprocess spawning).
  - Ingestion points: 'model_path', 'vec_normalize_path', and 'env_id' parameters in script templates.
  - Boundary markers: Absent from the templates.
  - Capability inventory: 'PPO.load' (code execution via pickle), 'SubprocVecEnv' (subprocess spawning), 'os.makedirs' (file system write).
  - Sanitization: No validation or sanitization of input paths or environment IDs is performed.
- [Command Execution] (LOW): The 'train_rl_agent.py' script uses 'SubprocVecEnv' to spawn multiple Python processes for parallel training. This is a standard reinforcement learning practice but increases the host system's process management surface.
Audit Metadata