Back to skill

Security audit

baml-codegen

Security checks across malware telemetry and agentic risk

Overview

This is a coherent BAML code-generation reference skill, with expected cautions around generated code, local formatting hooks, and sensitive data sent to LLM providers.

Install this if you want help generating BAML project files. Review generated diffs before running or committing them, inspect any on_generate hook before baml-cli generate, use trusted MCP servers, and avoid processing sensitive or regulated data through external model providers unless consent, redaction, and provider controls are in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (12)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
These examples show sending resumes, documents, images, audio, and other user-supplied content to third-party LLM providers such as OpenAI, but they do not include any warning about external data transmission, retention, or privacy implications. In a codegen/reference skill, users may copy these patterns directly into production and unintentionally transmit sensitive data without informed consent or appropriate controls.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The receipt-analysis example shows an upload endpoint that forwards user-provided receipt images and extracted purchase data to an external LLM service, but it does not disclose that third-party processing occurs. This can lead developers to deploy privacy-sensitive workflows without notice, consent, or data-handling safeguards for potentially sensitive financial information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The invoice-extraction example passes invoice text directly to an OpenAI-backed client but does not warn that invoice contents may leave the application boundary and be processed by a third party. Invoices commonly contain names, addresses, account details, and business-sensitive information, so omission of this warning can cause accidental privacy and compliance exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The RAG example sends provided documents and retrieved passages to an external LLM for answer generation, yet the example does not disclose that potentially confidential source material will be shared outside the system. This is dangerous because developers may use internal knowledge bases, contracts, or proprietary documents without realizing the privacy and confidentiality implications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation recommends use of the `on_generate` hook to automatically execute shell commands after code generation, but it does not warn that these commands run on the developer's machine and may have side effects. In a codegen skill, this is security-relevant because users may copy patterns into trusted build workflows, and later execute modified or unreviewed commands sourced from generated config or examples.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The example sends user-provided content to `openai/gpt-4o` for extraction/classification without any privacy or data-handling warning. In a skill specifically designed to help users build LLM workflows, omission of a disclosure about external transmission of potentially sensitive text can lead to accidental exposure of resumes, product data, or other confidential inputs.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation shows image inputs from remote URLs and local file URIs being passed directly into BAML calls, but it does not warn that these inputs may be uploaded to third-party LLM providers for inference. In a code-generation skill, this omission can lead users to unintentionally transmit sensitive local files or regulated image data outside their trust boundary.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The ClientRegistry example encourages runtime client selection and remote extraction using API keys, but it lacks a warning that requests and supplied data may be routed to different external providers at runtime. This increases the chance of accidental data disclosure, policy violations, or use of unapproved models in environments with strict data-handling requirements.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The environment variable section demonstrates how to supply API keys and rely on automatic environment loading, but it does not include secure-handling guidance. Users may infer that storing secrets in plain .env files is sufficient without considering file permissions, secret managers, accidental commits, or key rotation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example directly sends raw user-provided text to a named remote model API (`openai/gpt-4o`) without any disclosure that the content leaves the local environment. Because the documented use cases include sensitive domains like contracts and medical records, users may unknowingly transmit regulated or confidential data to an external provider.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The vision example accepts an `image` input and sends it to a remote model API without warning that the uploaded image is transmitted off-system. Images often contain highly sensitive content such as faces, IDs, screenshots, documents, or embedded text, so omission of this disclosure increases the risk of accidental privacy and compliance violations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The examples encourage sending receipts, invoices, resumes, and conversational form data to external multimodal LLM services, which commonly contain sensitive personal, financial, or employment information. Without any warning about data classification, consent, redaction, retention, or vendor handling, users may unknowingly transmit regulated or confidential data to third parties.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.