@@ -135,3 +135,67 @@ suppressions:
135135 and `curl http://localhost:8000/... | python3 -m json.tool` pipes a
136136 localhost API response into a JSON pretty-printer. There is no
137137 download-and-execute of a remote script (no `curl ... | bash`/`sh`).
138+ - skill : serving-llms-on-instinct
139+ rule : P6
140+ file : data/recipes_cache.json
141+ match : Direct Prompt Extraction
142+ reason : >-
143+ False positive. The flag is on a `"guide"` markdown string (the
144+ Ministral-3-Instruct recipe doc, not runnable code). The matched Python
145+ example downloads the model's own publicly published `SYSTEM_PROMPT.txt`
146+ via `hf_hub_download` and passes it as the `system` role of a chat request
147+ (Mistral's documented setup) — it constructs a prompt, it does not reveal
148+ or extract any hidden system prompt. The only output printed is the
149+ model's answer (`response.choices[0].message.content`). The trigger is
150+ merely the literal token `SYSTEM_PROMPT` in benign example code.
151+ - skill : serving-llms-on-instinct
152+ rule : TM2
153+ file : reference.md
154+ match : Chaining Abuse
155+ reason : >-
156+ False positive. Line 92 is a Troubleshooting one-liner that disables
157+ kernel NUMA balancing for GPU workloads:
158+ `echo 0 | sudo tee /proc/sys/kernel/numa_balancing`. The `|` is just the
159+ idiomatic way to write a root-owned /proc file (echo piped into `sudo
160+ tee`), not multi-step tool/command chaining of untrusted or model-derived
161+ steps. It is a single fixed, reviewable, human-run sysctl write — no LLM
162+ output feeds the pipe and there is no chain depth to bound.
163+ - skill : serving-llms-on-instinct
164+ rule : TM1
165+ file : scripts/detect.py
166+ match : Tool Parameter Abuse
167+ reason : >-
168+ False positive. Line 32 uses `subprocess.run(cmd, shell=True, ...)`, but
169+ `shell=True` is intentional and safe here: every `cmd` passed to `_run`
170+ is a fixed in-script literal (`amd-smi static --asic --vram --json`,
171+ `amd-smi version --json`, and their `sudo` retries) that relies on no
172+ shell metacharacters from user input. The only user-controlled values
173+ (`--host`/`--user`/`--port`) never enter the shell string — they flow
174+ solely into the SSH branch as list-form argv (`ssh ... ssh_target cmd`,
175+ no shell), and `port` is int-coerced by argparse. No untrusted or model
176+ output reaches the shell, so there is no parameter abuse to reject.
177+ - skill : serving-llms-on-instinct
178+ rule : TM1
179+ file : scripts/validate.py
180+ match : Tool Parameter Abuse
181+ reason : >-
182+ False positive. Same `_run` helper as detect.py: line 33 uses
183+ `subprocess.run(cmd, shell=True, ...)` where every `cmd` is a hardcoded
184+ diagnostic literal (`test -e /dev/kfd ...`, `ls /dev/dri/renderD* ...`,
185+ `cat /proc/sys/kernel/numa_balancing ...`, `printenv HF_TOKEN ...`, etc.)
186+ that deliberately uses shell pipes/redirects/globs. The dynamic inputs
187+ (`--host`/`--user`/`--port`) only reach the SSH branch as list-form argv,
188+ never the shell string, and `port` is int-coerced. No untrusted/model
189+ output is interpolated into the command.
190+ - skill : serving-llms-on-instinct
191+ rule : TM2
192+ file : scripts/validate.py
193+ match : Chaining Abuse
194+ reason : >-
195+ False positive. The flagged lines are the NUMA-balancing fix
196+ `echo 0 | sudo tee /proc/sys/kernel/numa_balancing`. Line 122 only runs
197+ it under the explicit opt-in `--auto-fix` flag (user-approved), while
198+ lines 130 and 137 are human-readable `"fix"` advisory strings that are
199+ never executed. The `|` is the idiomatic root-owned /proc write (echo
200+ into `sudo tee`), a single fixed sysctl command — not multi-step tool
201+ chaining of untrusted or model-derived steps.
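Review bot: the two TM1 suppressions (scripts/detect.py line 32 and scripts/validate.py line 33) justify `shell=True` by the current invariant that every `cmd` reaching `_run` is an in-script literal, but a suppression keyed only on file + rule will keep silencing the finding if a later change routes a dynamic value (a hostname, a user-supplied path, model output) into the same helper. Consider tying the suppression to something checkable rather than to a review-time reading of the call sites: for example, have `_run` accept only commands from a fixed tuple of known literals (or assert that `cmd` is one of them) and cite that guard in the `reason`. The same applies to the TM2 entry for scripts/validate.py, where the `--auto-fix` gate on line 122 is what makes the `echo 0 | sudo tee /proc/sys/kernel/numa_balancing` write acceptable; naming the flag check that enforces it would let a future reviewer re-verify the suppression without re-reading the script.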