
Commit d0861ba

Address false positives
1 parent 2ab0bef commit d0861ba

1 file changed

Lines changed: 64 additions & 0 deletions

File tree

.github/skillspector-allow.yml

@@ -135,3 +135,67 @@ suppressions:
135135
and `curl http://localhost:8000/... | python3 -m json.tool` pipes a
136136
localhost API response into a JSON pretty-printer. There is no
137137
download-and-execute of a remote script (no `curl ... | bash`/`sh`).
138+
- skill: serving-llms-on-instinct
139+
rule: P6
140+
file: data/recipes_cache.json
141+
match: Direct Prompt Extraction
142+
reason: >-
143+
False positive. The flag is on a `"guide"` markdown string (the
144+
Ministral-3-Instruct recipe doc, not runnable code). The matched Python
145+
example downloads the model's own publicly published `SYSTEM_PROMPT.txt`
146+
via `hf_hub_download` and passes it as the `system` role of a chat request
147+
(Mistral's documented setup) — it constructs a prompt, it does not reveal
148+
or extract any hidden system prompt. The only output printed is the
149+
model's answer (`response.choices[0].message.content`). The trigger is
150+
merely the literal token `SYSTEM_PROMPT` in benign example code.
151+
- skill: serving-llms-on-instinct
152+
rule: TM2
153+
file: reference.md
154+
match: Chaining Abuse
155+
reason: >-
156+
False positive. Line 92 is a Troubleshooting one-liner that disables
157+
kernel NUMA balancing for GPU workloads:
158+
`echo 0 | sudo tee /proc/sys/kernel/numa_balancing`. The `|` is just the
159+
idiomatic way to write a root-owned /proc file (echo piped into `sudo
160+
tee`), not multi-step tool/command chaining of untrusted or model-derived
161+
steps. It is a single fixed, reviewable, human-run sysctl write — no LLM
162+
output feeds the pipe and there is no chain depth to bound.
163+
- skill: serving-llms-on-instinct
164+
rule: TM1
165+
file: scripts/detect.py
166+
match: Tool Parameter Abuse
167+
reason: >-
168+
False positive. Line 32 uses `subprocess.run(cmd, shell=True, ...)`, but
169+
`shell=True` is intentional and safe here: every `cmd` passed to `_run`
170+
is a fixed in-script literal (`amd-smi static --asic --vram --json`,
171+
`amd-smi version --json`, and their `sudo` retries) that relies on no
172+
shell metacharacters from user input. The only user-controlled values
173+
(`--host`/`--user`/`--port`) never enter the shell string — they flow
174+
solely into the SSH branch as list-form argv (`ssh ... ssh_target cmd`,
175+
no shell), and `port` is int-coerced by argparse. No untrusted or model
176+
output reaches the shell, so there is no parameter abuse to reject.
177+
- skill: serving-llms-on-instinct
178+
rule: TM1
179+
file: scripts/validate.py
180+
match: Tool Parameter Abuse
181+
reason: >-
182+
False positive. Same `_run` helper as detect.py: line 33 uses
183+
`subprocess.run(cmd, shell=True, ...)` where every `cmd` is a hardcoded
184+
diagnostic literal (`test -e /dev/kfd ...`, `ls /dev/dri/renderD* ...`,
185+
`cat /proc/sys/kernel/numa_balancing ...`, `printenv HF_TOKEN ...`, etc.)
186+
that deliberately uses shell pipes/redirects/globs. The dynamic inputs
187+
(`--host`/`--user`/`--port`) only reach the SSH branch as list-form argv,
188+
never the shell string, and `port` is int-coerced. No untrusted/model
189+
output is interpolated into the command.
190+
- skill: serving-llms-on-instinct
191+
rule: TM2
192+
file: scripts/validate.py
193+
match: Chaining Abuse
194+
reason: >-
195+
False positive. The flagged lines are the NUMA-balancing fix
196+
`echo 0 | sudo tee /proc/sys/kernel/numa_balancing`. Line 122 only runs
197+
it under the explicit opt-in `--auto-fix` flag (user-approved), while
198+
lines 130 and 137 are human-readable `"fix"` advisory strings that are
199+
never executed. The `|` is the idiomatic root-owned /proc write (echo
200+
into `sudo tee`), a single fixed sysctl command — not multi-step tool
201+
chaining of untrusted or model-derived steps.
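Review bot: the TM1 reasons for scripts/detect.py (line 32) and scripts/validate.py (line 33) overstate "no shell" for the SSH branch: list-form argv keeps `cmd` out of the local shell, but sshd hands the remote command string to the login shell on the target host, so the pipes, redirects and globs in those literals are still shell-interpreted there, and it is the same "fixed literal, nothing interpolated" argument, not the absence of a shell, that makes this acceptable. Suggest rewording "(`ssh ... ssh_target cmd`, no shell)" to "(`ssh ... ssh_target cmd`, no local shell; the remote side runs the fixed literal under the login shell)". Two further points on the same two entries: `--host`/`--user` reach ssh as positional arguments, and a value beginning with `-` can be parsed by ssh as an option, so the reason should state whether `ssh_target` is placed after `--` or otherwise validated, or note explicitly that this is argument injection rather than the shell injection TM1 flags. And the validate.py entry quotes `printenv HF_TOKEN ...` as a benign diagnostic; the reason should say what that one-liner emits, because printing the token's value would put a credential into the validator's output and logs, a separate concern from the parameter-abuse finding being suppressed.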

0 commit comments