! Security: Review · 75 75/100 · grade B scanned 15h ago
✓ no compromise signals 15 risk-surface · 10/20 OWASP controls flagged
Compromise signals — malicious or tampered code (leaked secrets, backdoors, a dropped executable) — reduce the score, and known dependency CVEs carry a bounded penalty (they warrant review but never QUARANTINE — update the dependency to clear). Other dangerous-by-capability traits are risk surface , expected for some capabilities. Every finding is mapped to its OWASP control below.
What this capability can do · high confidence (static)
Tools (4)
get_the_value_of_schleeb write_a_goose_horror_story inspect_this_server hello_world
⚑ filesystem ⚑ shell ⚑ network ⚑ secrets
egress → docs.github.com, pypi.org, ai.pydantic.dev, controlflow.ai, mintlify.com, platform.openai.com, discord.gg, communityinviter.com +31
36 steps ⚑ uses secrets actions/checkout@v4 google-github-actions/auth@v2 google-github-actions/deploy-cloudrun@v2 docs.github.com actions/labeler@v5 astral-sh/setup-uv@v3 astral-sh/setup-uv@v5 github.com
Findings mapped to the OWASP Top 10 for LLM Applications (2025) and the OWASP Machine Learning Security Top 10 . Expand any flagged control for the exact findings — compromise reduces the score; expected /risk-surface do not.
OWASP Top 10 for LLM Applications
⚠ LLM03 Supply Chain critical Vulnerable/compromised dependencies, models or archives in the artifact.
• Vulnerable dependencies — 159 known vulnerabilities in: aiohttp@3.13.1, authlib@1.6.5, chromadb@1.2.1, cryptography@45.0.7, diskcache@5.6.3, fastmcp@3.0.0b2.dev20+b77484e1, filelock@3.20.0, gitpython@3.1.45 (CWE-1395)known CVE · -25 pts
⚠ LLM01 Prompt Injection high Adversarial instructions embedded in an artifact that hijack a downstream LLM.
• Prompt-injection phrasing — instruction-subversion language detected · PrefectHQ-marvin-7c3e20a/src/marvin/templates/system.jinja (CWE-77)expected
⚠ LLM02 Sensitive Information Disclosure high Secrets, credentials or PII shipped inside the artifact.
• Embedded credentials — found: DB connection string with credentials · PrefectHQ-marvin-7c3e20a/docs/patterns/memory.mdx (CWE-798)expected
• Embedded credentials — found: hardcoded credential · PrefectHQ-marvin-7c3e20a/docs/patterns/task-results.mdx (CWE-798)expected
⚠ LLM05 Improper Output Handling high Code that pipes model/user output into shell, eval, SQL or paths unsafely.
• Suspicious code patterns — OS command execution · PrefectHQ-marvin-7c3e20a/README.md (CWE-78)expected
• Suspicious code patterns — dynamic code execution · PrefectHQ-marvin-7c3e20a/examples/english_to_schema.py (CWE-95)expected
• Suspicious code patterns — destructive rm -rf /; pipe-to-shell install · PrefectHQ-marvin-7c3e20a/examples/slackbot/Dockerfile.slackbot (CWE-78)expected
• Suspicious code patterns — pipe-to-shell install · PrefectHQ-marvin-7c3e20a/examples/you_have_been_goosed/README.md (CWE-494)expected
⚠ LLM07 System Prompt Leakage high Secrets, internal hosts or proprietary logic exposed in shipped prompts.
• Internal host / private infrastructure reference — shipped content references a private IP range or internal-only host · PrefectHQ-marvin-7c3e20a/README.md (CWE-200)risk surface
• Embedded credentials — found: DB connection string with credentials · PrefectHQ-marvin-7c3e20a/docs/patterns/memory.mdx (CWE-798)expected
• Embedded credentials — found: hardcoded credential · PrefectHQ-marvin-7c3e20a/docs/patterns/task-results.mdx (CWE-798)expected
⚠ LLM10 Unbounded Consumption medium Unbounded loops/recursion causing DoS or runaway cost.
Enforced at runtime by the gateway (rate limits + spend caps + size caps); static check flags unbounded loops.
• Potentially unbounded loop — an infinite loop (while True / while(1) / for(;;)) may cause runaway consumption · PrefectHQ-marvin-7c3e20a/docs/guides/building-a-chatbot.mdx (CWE-835)risk surface
⚠ LLM06 Excessive Agency low Over-broad tool/permission surface or unrestricted egress.
• External endpoints declared — 1 distinct host(s) · PrefectHQ-marvin-7c3e20a/.github/workflows/image-build-and-push-community.yaml expected
• Broad capability surface — 3 high-impact capability categories referenced — verify least-privilege · PrefectHQ-marvin-7c3e20a/README.md (CWE-272)risk surface
• External endpoints declared — 4 distinct host(s) · PrefectHQ-marvin-7c3e20a/README.md expected
• External endpoints declared — 3 distinct host(s) · PrefectHQ-marvin-7c3e20a/docs/docs.json expected
• External endpoints declared — 2 distinct host(s) · PrefectHQ-marvin-7c3e20a/docs/guides/database-migrations.mdx expected
§ LLM09 Misinformation Governance Artifacts designed to produce false/deceptive output.
Detectable only by runtime behavioral evaluation; addressed via responsible-use attestation.
✓ LLM04 Data and Model Poisoning Passed Backdoors/poisoning in training data or serialized models.
Behavioral poisoning needs model execution; static check covers unsafe serialization + dataset skew only.
✓ LLM08 Vector and Embedding Weaknesses Passed PII or plaintext source leakage in embedding/vector exports.
Embedding inversion/poisoning is largely runtime; static check covers PII in vector exports.
OWASP Machine Learning Security Top 10
⚠ ML06 AI Supply Chain critical Compromised PyPI/npm packages, typosquats, unsafe serialized models.
• Vulnerable dependencies — 159 known vulnerabilities in: aiohttp@3.13.1, authlib@1.6.5, chromadb@1.2.1, cryptography@45.0.7, diskcache@5.6.3, fastmcp@3.0.0b2.dev20+b77484e1, filelock@3.20.0, gitpython@3.1.45 (CWE-1395)known CVE · -25 pts
⚠ ML02 Data Poisoning high Poisoned training datasets with triggers or anomalous distributions.
Static check covers trigger phrasing, PII and label skew; full poisoning detection is runtime.
• Prompt-injection phrasing — instruction-subversion language detected · PrefectHQ-marvin-7c3e20a/src/marvin/templates/system.jinja (CWE-77)expected
⚠ ML09 Output Integrity high Middleware tampering with model outputs in transit.
Gateway enforces TLS + response integrity; static check flags output-rewriting code.
• Suspicious code patterns — OS command execution · PrefectHQ-marvin-7c3e20a/README.md (CWE-78)expected
• Suspicious code patterns — dynamic code execution · PrefectHQ-marvin-7c3e20a/examples/english_to_schema.py (CWE-95)expected
• Suspicious code patterns — destructive rm -rf /; pipe-to-shell install · PrefectHQ-marvin-7c3e20a/examples/slackbot/Dockerfile.slackbot (CWE-78)expected
• Suspicious code patterns — pipe-to-shell install · PrefectHQ-marvin-7c3e20a/examples/you_have_been_goosed/README.md (CWE-494)expected
§ ML01 Input Manipulation (Adversarial) Governance Models vulnerable to adversarial perturbations.
Requires runtime robustness evaluation; addressed via publisher robustness attestation.
§ ML03 Model Inversion Governance Training data reconstructable from a model's outputs.
Runtime/evaluation property; addressed via model-card data-provenance + DP attestation.
§ ML04 Membership Inference Governance Determining whether a record was in the training set.
Runtime/evaluation property; addressed via overfitting disclosure + DP attestation.
§ ML08 Model Skewing Governance Models trained on skewed data producing biased output.
Requires fairness evaluation; addressed via model-card bias/limitations disclosure.
✓ ML05 Model Theft Passed Unlicensed re-distribution / license-incompatible derivatives.
Static check verifies license declaration; extraction throttling is runtime.
✓ ML07 Transfer Learning Attack Passed Backdoored base models / LoRA adapters propagating to derivatives.
Backdoor detection needs behavioral probing; static check covers unsafe serialization + provenance.
✓ ML10 Model Poisoning (Weights) Passed Tampered model weight files; integrity must be verifiable.
Static check enforces safe formats + records a content hash for downstream verification.
Other findings (8) · hygiene / uncategorized • Unrecognized file type — '.gitignore' is not on the allowlist · PrefectHQ-marvin-7c3e20a/.gitignore risk surface
• Unrecognized file type — '.?' is not on the allowlist · PrefectHQ-marvin-7c3e20a/LICENSE risk surface
• Unrecognized file type — '.ini' is not on the allowlist · PrefectHQ-marvin-7c3e20a/alembic.ini risk surface
• Unrecognized file type — '.mdx' is not on the allowlist · PrefectHQ-marvin-7c3e20a/docs/api-reference/marvin-agents-actor.mdx risk surface
• Unrecognized file type — '.dockerignore' is not on the allowlist · PrefectHQ-marvin-7c3e20a/examples/slackbot/.dockerignore risk surface
• Unrecognized file type — '.slackbot' is not on the allowlist · PrefectHQ-marvin-7c3e20a/examples/slackbot/Dockerfile.slackbot risk surface
• Unrecognized file type — '.mako' is not on the allowlist · PrefectHQ-marvin-7c3e20a/migrations/script.py.mako risk surface
• Unrecognized file type — '.jinja' is not on the allowlist · PrefectHQ-marvin-7c3e20a/src/marvin/templates/agent.jinja risk surface
✔ verified source · pinned PrefectHQ-marvin-7c3e20a
Check against a policy
The same gate an agent runs before installing (POST /api/v1/trust/marvin-ai/check). Click a policy:
No shell/exec No unknown egress Grade B or better No secrets access No install hooks Strict (B+ · no shell · no egress)