moe-training

skills-sh:davila7_claude-code-templates__moe-training

View source

92/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

92/100

MEDIUM 1

LOW 2

Findings (3)

MEDIUM

Git clone and execute chain SUPPLY_012

supply-chain L38

Detects git clone of repositories followed by execution of cloned content

git
clone https://github.com/microsoft/Megatron-DeepSpeed + cd
Megatron-DeepSpeed
pip
install

FIX

Review the dependency tree for nested or transitive dependencies that introduce risk. Use tools like npm audit or pip-audit to identify known vulnerabilities in the dependency chain.

FP?

Likely FP if the flagged dependency is a standard, widely-used library with no known vulnerabilities at the time of scanning.

LOW

pip install arbitrary package EXTDL_009

external-download L31

Detects pip install of arbitrary packages that modify the host environment

pip
install
de

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.

LOW

pip install arbitrary package EXTDL_009

external-download L47

Detects pip install of arbitrary packages that modify the host environment

pip
install
tr

FIX

Pin all pip packages to exact versions (e.g., pip install package==1.2.3). Use a requirements.txt or pyproject.toml with pinned versions and hash verification.

FP?

Likely FP if the match is in documentation showing how to install the skill's own PyPI package.