Back to skill

Security audit

huawei-cloud-msmodelslim-model-adapt

Security checks across malware telemetry and agentic risk

Overview

The skill fits its stated model-adapter purpose, but it repeatedly enables execution of model-supplied code without clear warning or opt-in.

Review carefully before installing. Use this only with model repositories you trust and have reviewed, preferably pinned to a known revision and run in an isolated environment without sensitive credentials. Treat trust_remote_code=True as permission for model-provided Python code to run on your machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares executable tools (`python3`, `bash`) and instructs users to run commands that read models, write adapters, install components, and execute verification scripts, but there is no explicit permission model describing those file and shell capabilities. This creates a trust and containment gap: a caller may invoke the skill expecting documentation-only behavior while the skill can drive filesystem changes and shell execution, increasing the risk of unintended local command execution or modification of user environments.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script enables trust_remote_code=True when loading model configuration and instantiating a model from config, which can execute repository-provided Python code from the model path or referenced Hugging Face artifacts. In a workflow advertised as basic adapter/test-model generation, this expands the trust boundary significantly and can lead to arbitrary code execution if an untrusted model directory is supplied.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Passing --trust_remote_code True allows model repositories to execute arbitrary Python code during loading, which can lead to code execution on the host running quantization. In this skill context, users are adapting external Transformers/MSModelSlim models, so model sources may be untrusted or only partially vetted, making this broader and more dangerous than the stated adapter/verification workflow requires.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes very broad terms such as "adapter," "quantization," "transformers," and "LLM," which are common in ordinary ML conversations. Overbroad activation can cause the skill to engage in contexts where the user did not intend to authorize shell-assisted model manipulation, increasing the chance of unnecessary tool use, misleading workflow guidance, or accidental execution of install/verification steps.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The guide recommends setting trust_remote_code=True as a troubleshooting step without warning that this allows execution of Python code supplied by the model repository. In a skill focused on loading third-party Transformers models and adapters, users are especially likely to apply this to untrusted external model sources, which can lead to arbitrary code execution during model load.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide explicitly instructs users to run msModelSlim/Transformers with `--trust_remote_code True`, which permits execution of arbitrary Python code supplied by the model repository during loading. In a model-adaptation and quantization workflow, users are likely to test third-party or newly adapted models, so this materially increases the chance of executing unreviewed code on the host system without any warning or containment guidance.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This second command repeats the same unsafe pattern by enabling `--trust_remote_code True` for dynamic quantization, again allowing arbitrary repository-defined code to run during model loading. Because the skill is specifically about adapting new LLM/VLM models, the operational context makes this more dangerous: it normalizes unsafe execution in exactly the scenarios where model sources may be unfamiliar or untrusted.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Remote code loading is enabled without any explicit warning, consent gate, or trust validation, so a user may trigger execution of unreviewed model code while expecting only local artifact generation. In this skill context, that is especially risky because the tool appears intended for adapter and quantization workflow preparation rather than executing arbitrary model-defined code.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.