Low-Resource AI Researcher

Security checks across malware telemetry and agentic risk

Overview

This looks like a real medical model-training skill, but it needs review because it can trust remote model code and uses broad unpinned ML dependencies.

Install only in an isolated environment, pin and review dependency versions, and use trusted model and dataset repositories. Disable `trust_remote_code` unless you intentionally need it for a vetted model. Do not train on identifiable patient data unless you have authorization and controls for datasets, logs, checkpoints, and generated outputs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (13)

Context-Inappropriate Capability

High

Confidence: 99% confidence
Finding: Enabling trust_remote_code allows model and tokenizer repositories to supply and execute arbitrary Python code during from_pretrained() calls. In a training tool that accepts configurable model names and may pull assets from remote hubs, this creates a direct code-execution path that can compromise the host, steal credentials or data, or tamper with training outputs.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill is explicitly designed for medical-domain fine-tuning and references datasets such as MIMIC-III and clinical notes, yet its documentation only gives a generic compliance note and does not provide concrete safeguards for handling PHI/PII in datasets, checkpoints, logs, or generated outputs. In this context, insufficient privacy guidance can lead users to train on sensitive medical data and persist artifacts that leak patient information through model memorization, logs, or saved outputs.

Unpinned Dependencies

Low

Category: Supply Chain
Content: accelerate dataclasses datasets flash_attn
Confidence: 95% confidence
Finding: accelerate

Unpinned Dependencies

Low

Category: Supply Chain
Content: accelerate dataclasses datasets flash_attn peft
Confidence: 84% confidence
Finding: dataclasses

Unpinned Dependencies

Low

Category: Supply Chain
Content: accelerate dataclasses datasets flash_attn peft skills
Confidence: 95% confidence
Finding: datasets

Unpinned Dependencies

Low

Category: Supply Chain
Content: accelerate dataclasses datasets flash_attn peft skills torch
Confidence: 99% confidence
Finding: flash_attn

Unpinned Dependencies

Low

Category: Supply Chain
Content: dataclasses datasets flash_attn peft skills torch transformers
Confidence: 93% confidence
Finding: peft

Unpinned Dependencies

Low

Category: Supply Chain
Content: datasets flash_attn peft skills torch transformers
Confidence: 97% confidence
Finding: skills

Unpinned Dependencies

Low

Category: Supply Chain
Content: flash_attn peft skills torch transformers
Confidence: 99% confidence
Finding: torch

Unpinned Dependencies

Low

Category: Supply Chain
Content: peft skills torch transformers
Confidence: 99% confidence
Finding: transformers

Known Vulnerable Dependency: flash_attn — 1 advisory(ies): CVE-2026-31253 (flash-attention contains an insecure deserialization vulnerability in its checkp)

High

Category: Supply Chain
Confidence: 92% confidence
Finding: flash_attn

Known Vulnerable Dependency: torch — 10 advisory(ies): CVE-2025-2953 (PyTorch susceptible to local Denial of Service); CVE-2022-45907 (PyTorch vulnerable to arbitrary code execution); CVE-2025-32434 (PyTorch: `torch.load` with `weights_only=True` leads to remote code execution) +7 more

Critical

Category: Supply Chain
Confidence: 97% confidence
Finding: torch

Known Vulnerable Dependency: transformers — 10 advisory(ies): CVE-2023-2800 (transformers has Insecure Temporary File); CVE-2025-3933 (Transformers is vulnerable to ReDoS attack through its DonutProcessor class); CVE-2024-3568 (Transformers Deserialization of Untrusted Data vulnerability) +7 more

Critical

Category: Supply Chain
Confidence: 97% confidence
Finding: transformers

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal