deploy-ml-model-serving

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: canary_rollout.py builds kubectl patch commands by f-string interpolation and runs them with subprocess.run(shell=True). Because the finished string is handed to a shell, any metacharacter in a parameter (for example a traffic percentage) becomes part of the command; the pattern is exploitable if those parameters are ever derived from untrusted external data.
  • [REMOTE_CODE_EXECUTION]: Multiple components, including bentoml_service.py and seldon_wrapper.py, call mlflow.sklearn.load_model(), which deserializes the artifact with the Python pickle module. Unpickling can invoke arbitrary importable callables, so an attacker who can write to the model registry or the artifact storage (e.g., S3) could replace a model with an artifact that executes code when the serving process loads it.
  • [EXTERNAL_DOWNLOADS]: The skill fetches infrastructure configurations and deployment charts from external repositories. Specifically, it downloads the Kubernetes Metrics Server manifest from the official kubernetes-sigs GitHub repository and installs the Seldon Core operator using a Helm chart hosted on Google Cloud Storage. These are well-known, reputable sources within the cloud-native ecosystem.
  • [PROMPT_INJECTION]: A review of the instructional text and metadata found no attempts to override agent behavior, bypass safety filters, or extract system instructions.
  • [CREDENTIALS_UNSAFE]: The configuration templates, such as docker-compose.mlflow-serving.yml, correctly use environment variable placeholders (e.g., ${AWS_ACCESS_KEY_ID}) instead of hardcoding sensitive credentials.
  • [DATA_EXPOSURE]: Assessment of the data-ingestion attack surface. The model serving endpoints in bentoml_service.py and seldon_wrapper.py process untrusted JSON request data.
      • Ingestion points: Data enters via the predict and predict_raw methods in the service wrappers.
      • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the data processing logic.
      • Capability inventory: The environment includes capabilities for shell execution (subprocess.run), network requests (requests), and dynamic model loading (mlflow.load_model).
      • Sanitization: The provided templates perform basic conversion to DataFrames but do not demonstrate explicit sanitization or validation of the input data fields.
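For the COMMAND_EXECUTION finding, the following is an added illustration (not code from the audited skill) of the flagged pattern beside a hardened form. The resource kind (an Istio-style VirtualService) and the canaryWeight field are assumptions; canary_rollout.py itself is not reproduced here.

```python
import json
import re
import subprocess

# Assumed target: a VirtualService whose canary weight is set with a JSON merge
# patch. Resource kind and field name are illustrative, not the skill's own.
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
PERCENT = re.compile(r"^(100|[1-9]?[0-9])$")


def vulnerable_patch_command(service, canary_percent):
    """The pattern the audit flags: both inputs are interpolated into one string
    that /bin/sh then parses, so a value such as '50; cat /etc/passwd' runs."""
    return (
        f"kubectl patch virtualservice {service} --type merge "
        f"-p '{{\"spec\": {{\"canaryWeight\": {canary_percent}}}}}'"
    )


def build_patch_argv(service, canary_percent):
    """Hardened form: validate each field against a strict grammar, then build an
    argv list so no shell ever parses the values."""
    if not isinstance(service, str) or not DNS_LABEL.fullmatch(service):
        raise ValueError(f"invalid service name: {service!r}")
    if not PERCENT.fullmatch(str(canary_percent)):
        raise ValueError(f"invalid canary percentage: {canary_percent!r}")
    patch = json.dumps({"spec": {"canaryWeight": int(canary_percent)}})
    return ["kubectl", "patch", "virtualservice", service,
            "--type", "merge", "-p", patch]


def apply_canary_weight(service, canary_percent):
    """Run the hardened command; shell=False is the default but stated explicitly."""
    argv = build_patch_argv(service, canary_percent)
    return subprocess.run(argv, shell=False, check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    print(vulnerable_patch_command("fraud-model", "50; cat /etc/passwd"))
    print(build_patch_argv("fraud-model", 25))
```

The argv form is sufficient on its own; the regex allow-lists are defence in depth so that a malformed value fails at the rollout script rather than at the API server.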
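For the REMOTE_CODE_EXECUTION finding, this added example (not part of the audited skill, and not mlflow's loader) shows how a pickled artifact can execute a callable on load and two controls that sit in front of any load_model() call: a digest pinned at registration time and a restricted unpickler. The artifacts, the allow-listed module prefixes and the benign callable (os.getcwd, standing in for os.system) are all constructed for the illustration.

```python
import hashlib
import hmac
import io
import os
import pickle


class Payload:
    """Constructed malicious artifact. __reduce__ instructs the unpickler to call
    os.getcwd() with no arguments on load; a real payload would name os.system
    or subprocess.Popen. The call happens before any model code runs."""

    def __reduce__(self):
        return (os.getcwd, ())


MALICIOUS_ARTIFACT = pickle.dumps(Payload())
# Constructed stand-in for a benign artifact (plain containers, no custom globals).
BENIGN_ARTIFACT = pickle.dumps({"coef": [0.1, 0.2], "intercept": -1.0})

# Assumed allow-list: what a scikit-learn estimator needs to reconstruct itself.
# Extend for your own estimator set; every other global is refused.
ALLOWED_MODULE_PREFIXES = ("sklearn.", "numpy", "scipy.")
ALLOWED_BUILTINS = {"set", "frozenset", "range", "slice", "complex", "bytearray"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in ALLOWED_BUILTINS:
            return super().find_class(module, name)
        if module.startswith(ALLOWED_MODULE_PREFIXES):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def load_model_bytes(data, expected_sha256=None, restricted=True):
    """Load a pickled artifact. With expected_sha256 the bytes must match the
    digest recorded when the model was registered, so a swapped S3 object is
    rejected before unpickling; with restricted=True only allow-listed globals
    can be resolved during unpickling."""
    if expected_sha256 is not None and not hmac.compare_digest(
            sha256_hex(data), expected_sha256.lower()):
        raise ValueError("artifact digest mismatch; refusing to load")
    if restricted:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    return pickle.loads(data)  # the unsafe path: equivalent to a plain load


def demo():
    """Exercise every path; returns a dict of booleans, all expected True."""
    results = {}
    results["unrestricted_ran_attacker_callable"] = (
        load_model_bytes(MALICIOUS_ARTIFACT, restricted=False) == os.getcwd())
    try:
        load_model_bytes(MALICIOUS_ARTIFACT)
        results["restricted_blocked_payload"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked_payload"] = True
    model = load_model_bytes(BENIGN_ARTIFACT,
                             expected_sha256=sha256_hex(BENIGN_ARTIFACT))
    results["benign_artifact_loaded"] = model["intercept"] == -1.0
    try:
        load_model_bytes(BENIGN_ARTIFACT, expected_sha256="0" * 64)
        results["tampered_digest_rejected"] = False
    except ValueError:
        results["tampered_digest_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The digest pin is the primary control: it ties the bytes being loaded to the artifact that was reviewed. The restricted unpickler is a second layer only, because classes inside an allow-listed module can themselves carry gadgets; treat it as reducing, not removing, the blast radius of a compromised registry.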
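For the EXTERNAL_DOWNLOADS finding, the following added example (not the skill's own installer) shows the checks a practitioner would put around a fetched manifest and a Helm chart: pin a release URL to a recorded SHA-256, flag container images that are referenced by mutable tag rather than digest, and require an exact chart version. The manifest excerpt is constructed and is not the real metrics-server components.yaml; the registry and repository URLs are placeholders.

```python
import hashlib
import hmac
import re
import urllib.request

# Constructed manifest excerpt standing in for a downloaded components.yaml.
# One image is pinned by digest, one only by a tag that upstream can re-point.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
spec:
  template:
    spec:
      containers:
      - name: metrics-server
        image: registry.example/metrics-server:v1.2.3
        imagePullPolicy: IfNotPresent
      - name: sidecar
        image: "registry.example/sidecar@sha256:%s"
""" % ("a" * 64)

IMAGE_LINE = re.compile(r"""^\s*-?\s*image:\s*["']?([^\s"']+)""", re.MULTILINE)
DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_references(manifest_text):
    """Every image: value in the manifest, quotes stripped."""
    return IMAGE_LINE.findall(manifest_text)


def unpinned_images(manifest_text):
    """Images referenced by tag only; a tag can be re-pointed upstream, a digest cannot."""
    return [ref for ref in image_references(manifest_text) if not DIGEST_REF.search(ref)]


def verify_sha256(data, expected_hex):
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


def fetch_verified(url, expected_sha256, timeout=30):
    """Download a pinned release URL (never 'latest') and refuse the bytes unless
    they match the digest recorded when that version was reviewed."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-TLS download")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = resp.read()
    if not verify_sha256(data, expected_sha256):
        raise ValueError(f"digest mismatch for {url}")
    return data


def helm_install_argv(release, chart, repo_url, version, namespace):
    """helm argv with the chart version pinned; without --version the install
    silently tracks whatever the repository index currently lists as newest."""
    if not re.fullmatch(r"\d+\.\d+\.\d+", version):
        raise ValueError("chart version must be an exact semver")
    return ["helm", "upgrade", "--install", release, chart,
            "--repo", repo_url, "--version", version,
            "--namespace", namespace, "--create-namespace"]


if __name__ == "__main__":
    print("unpinned:", unpinned_images(SAMPLE_MANIFEST))
    print(helm_install_argv("seldon-core", "seldon-core-operator",
                            "https://charts.example", "1.2.3", "seldon-system"))
```

Run unpinned_images over the downloaded bytes before kubectl apply; a non-empty result means the manifest will pull an image whose contents can change without the manifest changing.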
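For the DATA_EXPOSURE finding, this added example (not from bentoml_service.py or seldon_wrapper.py) shows the validation step the templates omit: a predict request is parsed against a fixed feature schema before anything is turned into a DataFrame. The feature names, types and bounds are a constructed schema for an illustrative fraud model; the request bodies are constructed too.

```python
import json
import math
import re

# Constructed schema: feature name -> (type, minimum, maximum). Anything not
# listed here is rejected rather than passed through to the model.
FEATURE_SCHEMA = {
    "amount": (float, 0.0, 1_000_000.0),
    "age": (int, 18, 120),
    "country": (str, None, None),
}
COUNTRY = re.compile(r"[A-Z]{2}")
MAX_BODY_BYTES = 1_000_000
MAX_ROWS = 1_000


class BadRequest(ValueError):
    """Any request the model should never see; map to HTTP 400 in the wrapper."""


def _validate_value(name, value, typ, lo, hi):
    if isinstance(value, bool):  # bool is an int subclass; JSON true must not become 1
        raise BadRequest(f"{name}: boolean not accepted")
    if typ is float:
        if not isinstance(value, (int, float)):
            raise BadRequest(f"{name}: expected number")
        value = float(value)
        if not math.isfinite(value):  # json.loads accepts NaN and Infinity by default
            raise BadRequest(f"{name}: non-finite number")
    elif typ is int:
        if not isinstance(value, int):
            raise BadRequest(f"{name}: expected integer")
    elif typ is str:
        if not isinstance(value, str) or not COUNTRY.fullmatch(value):
            raise BadRequest(f"{name}: expected two-letter country code")
    if lo is not None and not lo <= value <= hi:
        raise BadRequest(f"{name}: out of range")
    return value


def validate_row(index, row):
    """One instance: exactly the schema's keys, each value typed and bounded."""
    if not isinstance(row, dict):
        raise BadRequest(f"instance {index}: expected object")
    unexpected = set(row) - set(FEATURE_SCHEMA)
    missing = set(FEATURE_SCHEMA) - set(row)
    if unexpected or missing:
        raise BadRequest(f"instance {index}: unexpected={sorted(unexpected)} "
                         f"missing={sorted(missing)}")
    return {name: _validate_value(name, row[name], *spec)
            for name, spec in FEATURE_SCHEMA.items()}


def parse_predict_request(body):
    """Parse and validate a raw request body; returns rows safe to hand to
    pandas.DataFrame or to the model directly."""
    if len(body) > MAX_BODY_BYTES:
        raise BadRequest("body too large")
    try:
        payload = json.loads(body)
    except ValueError as exc:
        raise BadRequest(f"malformed JSON: {exc}") from None
    if not isinstance(payload, dict) or not isinstance(payload.get("instances"), list):
        raise BadRequest('expected {"instances": [...]}')
    rows = payload["instances"]
    if not 1 <= len(rows) <= MAX_ROWS:
        raise BadRequest("instance count out of range")
    return [validate_row(i, row) for i, row in enumerate(rows)]


if __name__ == "__main__":
    print(parse_predict_request(
        b'{"instances": [{"amount": 12.5, "age": 40, "country": "DE"}]}'))
```

Calling this at the top of predict and predict_raw gives the wrapper a fixed column set and value range; unknown keys, NaN/Infinity literals, booleans masquerading as numbers and oversized batches are rejected before they reach the DataFrame conversion.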
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 27, 2026, 10:51 PM