soma
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides instructions for installing its CLI tool via a piped-to-shell command (`curl -fsSL https://sup.soma.org | bash`). The source domain is owned and managed by the skill's author, soma-org.
- [EXTERNAL_DOWNLOADS]: The skill downloads various dependencies, datasets, and model weights from external sources, including GitHub, HuggingFace, and Cloudflare R2 storage. These resources are retrieved from well-known services or vendor-managed endpoints necessary for the SOMA network operations.
- [CREDENTIALS_UNSAFE]: Instructions direct users to manage a local `.env` file containing sensitive SOMA wallet secret keys, HuggingFace tokens, and S3-compatible storage API keys. These credentials are used locally to interact with the decentralized network and cloud storage.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface, as it is designed to ingest and process untrusted data from public sources (such as The Stack v2 and FineWeb-Edu) for training and scoring purposes.
  * Ingestion points: Data is retrieved from external providers in `src/quickstart/submitter.py` and `src/quickstart/training.py`.
  * Boundary markers: The skill processes raw byte data for its transformer model without using boundary markers or explicit safety instructions to isolate the data from the agent's logic.
  * Capability inventory: The skill has capabilities for network operations via `aiohttp` and `boto3`, file system access, and command-line execution through the `soma` CLI.
  * Sanitization: While the skill applies filtering for data size and relevance, it does not perform content-based sanitization of the datasets to prevent the execution of embedded instructions.
Recommendations
- HIGH: Downloads and executes remote code from: https://sup.soma.org - DO NOT USE without thorough review
Audit Metadata