! Security: Review · 75 75/100 · grade B scanned 14h ago
✓ no compromise signals 2 risk-surface · 4/20 OWASP controls flagged
Compromise signals — malicious or tampered code (leaked secrets, backdoors, a dropped executable) — reduce the score, and known dependency CVEs carry a bounded penalty (they warrant review but never QUARANTINE — update the dependency to clear). Other dangerous-by-capability traits are risk surface , expected for some capabilities. Every finding is mapped to its OWASP control below.
Prompt card · med confidence (static)
{secrets.FLY_API_TOKEN} {github.event.repository.default_branch} {NODE_VERSION}
Findings mapped to the OWASP Top 10 for LLM Applications (2025) and the OWASP Machine Learning Security Top 10 . Expand any flagged control for the exact findings — compromise reduces the score; expected /risk-surface do not.
OWASP Top 10 for LLM Applications
⚠ LLM03 Supply Chain critical Vulnerable/compromised dependencies, models or archives in the artifact.
• Dependency manifest — 25 npm dependencies declared · a16z-infra-ai-getting-started-b02e524/package.json risk surface
• Vulnerable dependencies — 112 known vulnerabilities in: @babel/runtime@7.24.7, @clerk/nextjs@5.1.4, @supabase/auth-js@2.64.2, ai@2.2.37, ajv@6.12.6, ajv@8.16.0, axios@0.26.1, brace-expansion@1.1.11 (CWE-1395)known CVE · -25 pts
⚠ LLM06 Excessive Agency low Over-broad tool/permission surface or unrestricted egress.
• Broad capability surface — 3 high-impact capability categories referenced — verify least-privilege · a16z-infra-ai-getting-started-b02e524/package-lock.json (CWE-272)risk surface
§ LLM09 Misinformation Governance Artifacts designed to produce false/deceptive output.
Detectable only by runtime behavioral evaluation; addressed via responsible-use attestation.
◷ LLM10 Unbounded Consumption Runtime-enforced Unbounded loops/recursion causing DoS or runaway cost.
Enforced at runtime by the gateway (rate limits + spend caps + size caps); static check flags unbounded loops.
✓ LLM01 Prompt Injection Passed
✓ LLM02 Sensitive Information Disclosure Passed
✓ LLM04 Data and Model Poisoning Passed Backdoors/poisoning in training data or serialized models.
Behavioral poisoning needs model execution; static check covers unsafe serialization + dataset skew only.
✓ LLM05 Improper Output Handling Passed
✓ LLM07 System Prompt Leakage Passed
✓ LLM08 Vector and Embedding Weaknesses Passed PII or plaintext source leakage in embedding/vector exports.
Embedding inversion/poisoning is largely runtime; static check covers PII in vector exports.
OWASP Machine Learning Security Top 10
⚠ ML06 AI Supply Chain critical Compromised PyPI/npm packages, typosquats, unsafe serialized models.
• Dependency manifest — 25 npm dependencies declared · a16z-infra-ai-getting-started-b02e524/package.json risk surface
• Vulnerable dependencies — 112 known vulnerabilities in: @babel/runtime@7.24.7, @clerk/nextjs@5.1.4, @supabase/auth-js@2.64.2, ai@2.2.37, ajv@6.12.6, ajv@8.16.0, axios@0.26.1, brace-expansion@1.1.11 (CWE-1395)known CVE · -25 pts
⚠ ML05 Model Theft low Unlicensed re-distribution / license-incompatible derivatives.
Static check verifies license declaration; extraction throttling is runtime.
• No license signal — no SPDX id or license keyword found · a16z-infra-ai-getting-started-b02e524/.dockerignore risk surface
§ ML01 Input Manipulation (Adversarial) Governance Models vulnerable to adversarial perturbations.
Requires runtime robustness evaluation; addressed via publisher robustness attestation.
§ ML03 Model Inversion Governance Training data reconstructable from a model's outputs.
Runtime/evaluation property; addressed via model-card data-provenance + DP attestation.
§ ML04 Membership Inference Governance Determining whether a record was in the training set.
Runtime/evaluation property; addressed via overfitting disclosure + DP attestation.
§ ML08 Model Skewing Governance Models trained on skewed data producing biased output.
Requires fairness evaluation; addressed via model-card bias/limitations disclosure.
◷ ML09 Output Integrity Runtime-enforced Middleware tampering with model outputs in transit.
Gateway enforces TLS + response integrity; static check flags output-rewriting code.
✓ ML02 Data Poisoning Passed Poisoned training datasets with triggers or anomalous distributions.
Static check covers trigger phrasing, PII and label skew; full poisoning detection is runtime.
✓ ML07 Transfer Learning Attack Passed Backdoored base models / LoRA adapters propagating to derivatives.
Backdoor detection needs behavioral probing; static check covers unsafe serialization + provenance.
✓ ML10 Model Poisoning (Weights) Passed Tampered model weight files; integrity must be verifiable.
Static check enforces safe formats + records a content hash for downstream verification.
Other findings (5) · hygiene / uncategorized • Unrecognized file type — '.dockerignore' is not on the allowlist · a16z-infra-ai-getting-started-b02e524/.dockerignore risk surface
• Unrecognized file type — '.example' is not on the allowlist · a16z-infra-ai-getting-started-b02e524/.env.local.example risk surface
• Unrecognized file type — '.gitignore' is not on the allowlist · a16z-infra-ai-getting-started-b02e524/.gitignore risk surface
• Unrecognized file type — '.?' is not on the allowlist · a16z-infra-ai-getting-started-b02e524/Dockerfile risk surface
• Unrecognized file type — '.mjs' is not on the allowlist · a16z-infra-ai-getting-started-b02e524/src/scripts/indexBlogPGVector.mjs risk surface
✔ verified source · pinned a16z-infra-ai-getting-started-b02e524
Check against a policy
The same gate an agent runs before installing (POST /api/v1/trust/a16z-ai-getting-started/check). Click a policy:
No shell/exec No unknown egress Grade B or better No secrets access No install hooks Strict (B+ · no shell · no egress)