Skill

llm-supply-chain

Checks for LLM supply chain vulnerabilities including unverified model downloads, floating version tags, unapproved providers, and unchecked automated updates. Flags risks and suggests pinned SHAs, checksums, org allowlists, and human approval.

OpenAI

Anthropic

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Protects against compromised or backdoored models introduced through unverified

SKILL.md

Similar Skills

AI/ML Attack Surface

Detects AI/ML security vulnerabilities like unsafe model deserialization in PyTorch/Joblib/NumPy, prompt injection in LLM prompts, and risks in Jupyter notebooks or ML pipelines.

vuln-scout

Ai Code Security

Audits AI-generated code and LLM applications for security vulnerabilities, covering OWASP Top 10 for LLMs, secure coding patterns, and AI-specific threat models.

3 files

omer-metin-skills-for-antigravity-2

owasp-llm-top10

Audits LLM and GenAI applications for OWASP Top 10 2025 vulnerabilities including prompt injection, data leakage, supply chain risks, and more. Use before deployment, for RAG reviews, or pen testing.

mastepanoski-claude-skills

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

LLM Supply Chain Security Check (OWASP LLM05:2025)

What this checks

Protects against compromised or backdoored models introduced through unverified downloads, floating version tags, or unreviewed third-party providers. A tampered model weight file or a silently swapped latest tag can introduce persistent backdoors that survive retraining.

Vulnerable patterns

model = load("https://arbitrary-host.com/model.bin") — no checksum verification
model_id = "org/model:latest" — floating tag silently pulls a different artifact on each run
No review of model card, license, or provenance before integrating a third-party model
Automated model updates in CI with no human approval gate

Fix immediately

Flag the vulnerable code and explain the risk. Then suggest a fix that establishes these properties:

Model revisions are pinned to an exact commit SHA, never main, latest, or a mutable branch name. A floating tag lets the registry (or a registry compromise) silently swap what you load on the next pull — including backdoored weights that look identical by name.
Weight files are checksum-verified after download. A SHA-256 of the expected bytes is pinned in version control; the loader computes the digest on the downloaded file and refuses to use it on mismatch. Pinning the revision alone doesn't help if the artifact is served from a compromised CDN.
Model source is validated against an allowlist of approved organizations before download begins. org/model notation with a wildcard org field is the supply-chain equivalent of *.
Automated model updates have a human approval gate. A CI job that bumps a pinned revision without review is a backdoor delivery channel; rotate revisions through PRs with signed artifacts reviewed by a human.

Anchor — shape, not implementation:

require(model_id.split("/")[0] in APPROVED_ORGS)
model = load(model_id, revision=PINNED_COMMIT_SHA)   # not "main"
require(sha256(weight_file) == PINNED_SHA256)         # pinned in source

Verification

Confirm the response:

Model IDs specify an exact commit SHA revision, not "main" or "latest"
SHA-256 checksums for model weight files are pinned in version control and verified post-download
Model source organization is validated against an approved allowlist

References

CWE-1395 (Dependency on Vulnerable Third-Party Component)
CWE-494 (Download of Code Without Integrity Check)
OWASP LLM05:2025 Supply Chain Vulnerabilities