vast-gpu
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands using the
vastaiCLI and standard Unix tools likessh,scp, andrsync. These commands are used to manage the lifecycle of GPU instances, including provisioning, configuration, and destruction. - [REMOTE_CODE_EXECUTION]: The skill is designed to execute commands on remote GPU instances over SSH (e.g.,
ssh -p <PORT> root@<HOST> "pip install ..."). While these are the user's rented instances, the commands are generated based on the agent's analysis of project files. - [INDIRECT_PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing untrusted data to determine its actions.
- Ingestion points: Reads
refine-logs/EXPERIMENT_PLAN.md, experiment scripts (.py,.yaml), and user-provided task descriptions to determine hardware requirements and setup commands. - Boundary markers: The instructions do not specify any boundary markers or delimiters to isolate data from instructions when parsing project files.
- Capability inventory: The skill has broad capabilities including full
Bash(*)access, remote command execution viassh, and financial operations (renting instances) via thevastaiCLI. - Sanitization: There is no explicit evidence of sanitization or validation of the content extracted from experiment plans or scripts before it is used to construct shell commands or influence provisioning decisions.
- [DATA_EXPOSURE]: The skill manages authentication via
vastai set api-keyand stores instance metadata (including SSH connection strings) in a localvast-instances.jsonfile. While standard for this workflow, these are sensitive assets.
Audit Metadata