
llava

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (HIGH): The skill instructs the user to clone the repository https://github.com/haotian-liu/LLaVA. Since this organization is not in the trusted sources list, this represents a significant supply chain risk.
  • Unverifiable Dependencies & Remote Code Execution (HIGH): The skill performs pip install -e . on the downloaded content and executes various shell scripts (scripts/v1_5/pretrain.sh, scripts/v1_5/finetune.sh) from the untrusted repository. This allows for arbitrary command execution from an external source.
  • Unverifiable Dependencies & Remote Code Execution (LOW): The skill downloads model weights from Hugging Face (liuhaotian/llava-v1.5-7b). While Hugging Face is a trusted source, loading third-party model weights remains a potential vector for code execution.
  • Indirect Prompt Injection (LOW): As a vision-language model, the skill is susceptible to indirect prompt injection via image content.
    1. Ingestion points: Processes images (image.jpg) and user text in SKILL.md.
    2. Boundary markers: Absent; the prompt structure does not isolate image-derived tokens from instructions.
    3. Capability inventory: Includes CLI and shell script execution for training and serving.
    4. Sanitization: No specific input validation or sanitization is mentioned.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 05:58 PM