Generated: 2026-04-16 01:33 UTC
Skills scanned: 134
Total findings: 825
Critical: 68 | High: 55 | Safe skills: 93/134
| Skill | Severity | Findings | Safe | Duration |
|---|---|---|---|---|
| citation-management | π΄ CRITICAL | 15 | β | 42.3s |
| clinical-decision-support | π΄ CRITICAL | 13 | β | 64.5s |
| clinical-reports | π΄ CRITICAL | 11 | β | 55.4s |
| cobrapy | π΄ CRITICAL | 3 | β | 26.0s |
| hypothesis-generation | π΄ CRITICAL | 10 | β | 37.0s |
| infographics | π΄ CRITICAL | 11 | β | 37.6s |
| latex-posters | π΄ CRITICAL | 12 | β | 42.5s |
| literature-review | π΄ CRITICAL | 11 | β | 48.8s |
| markitdown | π΄ CRITICAL | 12 | β | 39.0s |
| peer-review | π΄ CRITICAL | 10 | β | 29.5s |
| pptx-posters | π΄ CRITICAL | 9 | β | 31.1s |
| research-grants | π΄ CRITICAL | 10 | β | 46.1s |
| research-lookup | π΄ CRITICAL | 17 | β | 106.0s |
| scholar-evaluation | π΄ CRITICAL | 12 | β | 41.6s |
| scientific-critical-thinking | π΄ CRITICAL | 11 | β | 47.3s |
| scientific-schematics | π΄ CRITICAL | 11 | β | 41.9s |
| scientific-slides | π΄ CRITICAL | 17 | β | 61.1s |
| scientific-writing | π΄ CRITICAL | 10 | β | 46.4s |
| seaborn | π΄ CRITICAL | 3 | β | 27.1s |
| statsmodels | π΄ CRITICAL | 5 | β | 31.7s |
| treatment-plans | π΄ CRITICAL | 12 | β | 56.2s |
| umap-learn | π΄ CRITICAL | 4 | β | 29.8s |
| venue-templates | π΄ CRITICAL | 10 | β | 36.8s |
| consciousness-council | π HIGH | 4 | β | 34.0s |
| datamol | π HIGH | 4 | β | 31.1s |
| dhdna-profiler | π HIGH | 5 | β | 38.3s |
| esm | π HIGH | 6 | β | 26.5s |
| geomaster | π HIGH | 7 | β | 33.4s |
| modal | π HIGH | 8 | β | 21.9s |
| parallel-web | π HIGH | 7 | β | 43.3s |
| pathml | π HIGH | 8 | β | 32.0s |
| polars | π HIGH | 5 | β | 21.1s |
| pytorch-lightning | π HIGH | 4 | β | 21.1s |
| qutip | π HIGH | 3 | β | 17.8s |
| scikit-bio | π HIGH | 3 | β | 23.5s |
| sympy | π HIGH | 4 | β | 24.4s |
| torch-geometric | π HIGH | 7 | β | 26.9s |
| torchdrug | π HIGH | 4 | β | 24.5s |
| transformers | π HIGH | 5 | β | 20.9s |
| what-if-oracle | π HIGH | 4 | β | 32.7s |
| zarr-python | π HIGH | 4 | β | 30.4s |
| bgpt-paper-search | π‘ MEDIUM | 4 | β | 20.6s |
| dnanexus-integration | π‘ MEDIUM | 5 | β | 29.3s |
| docx | π‘ MEDIUM | 5 | β | 42.3s |
| histolab | π‘ MEDIUM | 4 | β | 23.1s |
| hypogenic | π‘ MEDIUM | 6 | β | 31.0s |
| imaging-data-commons | π‘ MEDIUM | 5 | β | 25.3s |
| labarchive-integration | π‘ MEDIUM | 8 | β | 35.4s |
| latchbio-integration | π‘ MEDIUM | 3 | β | 20.5s |
| market-research-reports | π‘ MEDIUM | 5 | β | 96.1s |
| matlab | π‘ MEDIUM | 5 | β | 35.6s |
| open-notebook | π‘ MEDIUM | 20 | β | 24.4s |
| phylogenetics | π‘ MEDIUM | 8 | β | 20.2s |
| primekg | π‘ MEDIUM | 4 | β | 28.4s |
| protocolsio-integration | π‘ MEDIUM | 6 | β | 23.4s |
| pufferlib | π‘ MEDIUM | 5 | β | 28.4s |
| pyhealth | π‘ MEDIUM | 4 | β | 27.3s |
| pymatgen | π‘ MEDIUM | 4 | β | 25.2s |
| scikit-survival | π‘ MEDIUM | 4 | β | 26.1s |
| vaex | π‘ MEDIUM | 3 | β | 18.1s |
| xlsx | π‘ MEDIUM | 5 | β | 40.2s |
| adaptyv | π΅ LOW | 3 | β | 24.3s |
| aeon | π΅ LOW | 4 | β | 23.8s |
| anndata | π΅ LOW | 4 | β | 19.5s |
| arboreto | π΅ LOW | 1 | β | 8.7s |
| astropy | π΅ LOW | 4 | β | 25.0s |
| benchling-integration | π΅ LOW | 4 | β | 18.7s |
| biopython | π΅ LOW | 3 | β | 15.8s |
| cellxgene-census | π΅ LOW | 4 | β | 17.7s |
| dask | π΅ LOW | 1 | β | 10.8s |
| database-lookup | π΅ LOW | 3 | β | 29.1s |
| deepchem | π΅ LOW | 4 | β | 28.0s |
| deeptools | π΅ LOW | 2 | β | 15.3s |
| depmap | π΅ LOW | 4 | β | 25.0s |
| diffdock | π΅ LOW | 2 | β | 18.2s |
| etetoolkit | π΅ LOW | 3 | β | 22.2s |
| exploratory-data-analysis | π΅ LOW | 5 | β | 33.0s |
| flowio | π΅ LOW | 3 | β | 18.0s |
| fluidsim | π΅ LOW | 3 | β | 21.9s |
| generate-image | π΅ LOW | 3 | β | 18.5s |
| geniml | π΅ LOW | 3 | β | 17.1s |
| geopandas | π΅ LOW | 5 | β | 25.8s |
| get-available-resources | π΅ LOW | 4 | β | 27.3s |
| gget | π΅ LOW | 5 | β | 32.1s |
| ginkgo-cloud-lab | π΅ LOW | 3 | β | 16.8s |
| glycoengineering | π΅ LOW | 3 | β | 19.6s |
| gtars | π΅ LOW | 5 | β | 25.3s |
| iso-13485-certification | π΅ LOW | 2 | β | 16.5s |
| lamindb | π΅ LOW | 4 | β | 21.7s |
| matchms | π΅ LOW | 1 | β | 11.6s |
| matplotlib | π΅ LOW | 2 | β | 19.1s |
| medchem | π΅ LOW | 1 | β | 15.6s |
| molecular-dynamics | π΅ LOW | 3 | β | 18.4s |
| molfeat | π΅ LOW | 3 | β | 19.7s |
| networkx | π΅ LOW | 3 | β | 23.5s |
| neurokit2 | π΅ LOW | 4 | β | 28.0s |
| neuropixels-analysis | π΅ LOW | 5 | β | 37.6s |
| omero-integration | π΅ LOW | 5 | β | 32.7s |
| opentrons-integration | π΅ LOW | 4 | β | 23.9s |
| optimize-for-gpu | π΅ LOW | 4 | β | 29.0s |
| paper-lookup | π΅ LOW | 5 | β | 33.9s |
| paperzilla | π΅ LOW | 3 | β | 22.7s |
| π΅ LOW | 5 | β | 31.7s | |
| pennylane | π΅ LOW | 5 | β | 20.9s |
| polars-bio | π΅ LOW | 3 | β | 20.7s |
| pptx | π΅ LOW | 4 | β | 31.4s |
| pydeseq2 | π΅ LOW | 3 | β | 16.9s |
| pydicom | π΅ LOW | 4 | β | 28.8s |
| pymc | π΅ LOW | 1 | β | 17.2s |
| pysam | π΅ LOW | 1 | β | 12.4s |
| pytdc | π΅ LOW | 3 | β | 23.7s |
| pyzotero | π΅ LOW | 3 | β | 19.0s |
| qiskit | π΅ LOW | 4 | β | 27.8s |
| rdkit | π΅ LOW | 3 | β | 19.8s |
| rowan | π΅ LOW | 5 | β | 27.5s |
| scanpy | π΅ LOW | 2 | β | 14.6s |
| scientific-brainstorming | π΅ LOW | 1 | β | 10.4s |
| scikit-learn | π΅ LOW | 1 | β | 12.6s |
| scvelo | π΅ LOW | 3 | β | 17.0s |
| scvi-tools | π΅ LOW | 2 | β | 20.2s |
| shap | π΅ LOW | 3 | β | 21.2s |
| simpy | π΅ LOW | 1 | β | 13.2s |
| stable-baselines3 | π΅ LOW | 1 | β | 12.2s |
| statistical-analysis | π΅ LOW | 2 | β | 16.1s |
| tiledbvcf | π΅ LOW | 4 | β | 23.3s |
| timesfm-forecasting | π΅ LOW | 4 | β | 34.8s |
| usfiscaldata | π΅ LOW | 3 | β | 20.4s |
| bioservices | π’ SAFE | 0 | β | 16.7s |
| cirq | π’ SAFE | 0 | β | 8.9s |
| markdown-mermaid-writing | π’ SAFE | 0 | β | 7.8s |
| pylabrobot | π’ SAFE | 0 | β | 4.5s |
| pymoo | π’ SAFE | 0 | β | 3.7s |
| pyopenms | π’ SAFE | 0 | β | 8.4s |
| scientific-visualization | π’ SAFE | 0 | β | 64.3s |
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 6 filesEnvironment variable access with network calls in scripts/extract_metadata.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/search_pubmed.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/validate_citations.py, scripts/generate_schematic_ai.py, scripts/doi_to_bibtex.py, scripts/extract_metadata.py, scripts/search_pubmed.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 6 filesMulti-file exfiltration chain detected: scripts/extract_metadata.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/search_pubmed.py collect data β scripts/generate_schematic_ai.py β scripts/doi_to_bibtex.py, scripts/extract_metadata.py, scripts/validate_citations.py, scripts/generate_schematic_ai.py, scripts/search_pubmed.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/validate_citations.py, scripts/generate_schematic_ai.py, scripts/doi_to_bibtex.py, scripts/extract_metadata.py, scripts/search_pubmed.py
-
π‘ MEDIUM
LLM_UNAUTHORIZED_TOOL_USEβ Unpinned Third-Party Package Dependencies Create Supply Chain RiskThe skill's dependency section specifies packages without version pins (e.g., 'pip install requests', 'pip install scholarly', 'pip install selenium', 'pip install bibtexparser', 'pip install biopython'). Unpinned dependencies can be silently upgraded to malicious versions via supply chain attacks (typosquatting, dependency confusion, or compromised package releases). Remediation: Pin all dependencies to specific versions (e.g., requests==2.31.0). Use a requirements.txt with hashed dependencies. Consider using a virtual environment and lockfile to ensure reproducible installs.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Cross-File Exfiltration Chain: Environment Variables Read Across 6 Scripts and Transmitted ExternallyStatic analysis identified a cross-file exfiltration chain spanning 6 files. Environment variables (OPENROUTER_API_KEY, NCBI_API_KEY, NCBI_EMAIL) are read in multiple scripts and transmitted to external services. While each individual transmission may be legitimate, the breadth of the chain (6 files) increases the attack surface and makes auditing difficult. Remediation: Audit all environment variable accesses and external network calls. Document each in the skill manifest. Ensure users are informed of all external services contacted before the skill is activated.
-
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/citation-management/scripts/extract_metadata.py File:
scientific-skills/citation-management/scripts/extract_metadata.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/citation-management/scripts/extract_metadata.py File:
scientific-skills/citation-management/scripts/extract_metadata.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/citation-management/scripts/generate_schematic.py File:
scientific-skills/citation-management/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/citation-management/scripts/generate_schematic_ai.py File:
scientific-skills/citation-management/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/citation-management/scripts/generate_schematic_ai.py File:
scientific-skills/citation-management/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/citation-management/scripts/search_pubmed.py File:
scientific-skills/citation-management/scripts/search_pubmed.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/citation-management/scripts/search_pubmed.py File:
scientific-skills/citation-management/scripts/search_pubmed.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ NCBI_API_KEY and NCBI_EMAIL Environment Variables Accessed and TransmittedMultiple scripts (extract_metadata.py, search_pubmed.py) read NCBI_API_KEY and NCBI_EMAIL from environment variables and include them in outbound HTTP requests to NCBI E-utilities. While NCBI is a legitimate service, the pattern of reading credentials from the environment and transmitting them externally is a data exposure risk, especially if the environment contains other sensitive variables that could be inadvertently logged or leaked. File:
scripts/extract_metadata.pyRemediation: Validate that only the expected environment variables are read. Avoid logging request parameters that include API keys. Consider prompting the user to provide credentials explicitly rather than silently reading from the environment. -
π΅ LOW
LLM_PROMPT_INJECTIONβ External API Responses Parsed and Used to Generate BibTeX Without SanitizationThe extract_metadata.py and search_pubmed.py scripts parse responses from external APIs (CrossRef, PubMed, arXiv) and directly embed the returned data into BibTeX entries without sanitization. If an external API returns maliciously crafted content (e.g., BibTeX injection via specially crafted author names or titles containing BibTeX control characters), it could corrupt the output BibTeX file or cause downstream LaTeX compilation issues. File:
scripts/extract_metadata.pyRemediation: Sanitize all data received from external APIs before embedding in BibTeX output. Escape or strip BibTeX control characters (e.g., unbalanced braces, @ symbols) from externally sourced strings. -
π HIGH
LLM_DATA_EXFILTRATIONβ OPENROUTER_API_KEY Environment Variable Harvested and Transmitted to External APIThe generate_schematic_ai.py script reads the OPENROUTER_API_KEY environment variable and transmits it in HTTP Authorization headers to openrouter.ai. While this is nominally for AI image generation, the skill bundles this capability inside a citation management tool where it is not clearly necessary. The key is read from the environment and sent over the network, creating a credential exposure risk if the API key has broad permissions or if the endpoint is manipulated. File:
scripts/generate_schematic_ai.pyRemediation: Clearly document why an OpenRouter API key is required for a citation management skill. Scope the API key to minimum required permissions. Consider removing the schematic generation capability from this skill entirely, or isolating it in a separate skill with explicit user consent. -
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Capability Inflation: Citation Skill Bundles Unrelated AI Image GenerationThe SKILL.md description presents this as a citation management tool for academic research, but the skill bundles a full AI-powered scientific schematic generation system (generate_schematic.py, generate_schematic_ai.py) that calls external AI APIs (OpenRouter/Gemini). The description does not mention image generation or external AI API usage. This mismatch between stated purpose and actual capabilities constitutes capability inflation and may cause the agent to invoke AI generation features without user awareness. File:
scripts/generate_schematic_ai.pyRemediation: Update the skill description and YAML manifest to accurately reflect all capabilities including AI image generation and external API usage. Alternatively, remove the schematic generation scripts from this skill and place them in a dedicated skill.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Mandatory Cross-Skill Invocation Creates Undisclosed Capability DependencyThe SKILL.md contains a MANDATORY directive requiring invocation of the 'scientific-schematics' skill for every document generated: '
β οΈ MANDATORY: Every clinical decision support document MUST include at least 1-2 AI-generated figures using the scientific-schematics skill.' This creates an undisclosed dependency on another skill that may have its own security posture, and the mandatory nature inflates the effective capability scope of this skill beyond what is declared in the manifest. Users may not be aware that invoking this skill will also trigger the scientific-schematics skill. File:SKILL.mdRemediation: Remove the mandatory cross-skill invocation requirement or clearly disclose it in the skill manifest description. Make figure generation optional and user-controlled. If cross-skill invocation is intended, document it explicitly in the allowed-tools or metadata fields. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/clinical-decision-support/scripts/generate_schematic.py File:
scientific-skills/clinical-decision-support/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/clinical-decision-support/scripts/generate_schematic_ai.py File:
scientific-skills/clinical-decision-support/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/clinical-decision-support/scripts/generate_schematic_ai.py File:
scientific-skills/clinical-decision-support/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Unvalidated JSON Input Deserialized and Used in Code GenerationIn build_decision_tree.py, user-supplied JSON files are loaded and their contents are directly interpolated into generated LaTeX/TikZ code without sanitization. Malicious JSON content with LaTeX injection payloads (e.g., \write18{malicious_command} or \input{/etc/passwd}) could be embedded in node text fields and executed when the generated .tex file is compiled with pdflatex. The script also reads arbitrary JSON files from user-supplied paths. File:
scripts/build_decision_tree.pyRemediation: Sanitize all text content before embedding in LaTeX. Escape LaTeX special characters (, {, }, $, &, #, ^, _, ~, %) from user-supplied data. Consider using a LaTeX escaping library or implementing a strict allowlist of permitted characters in node text fields. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Potential HIPAA-Sensitive Data Written to Local Files Without Access ControlsThe scripts generate output files containing clinical data (patient cohort tables, survival statistics, biomarker classifications) to local directories without any access control enforcement. The validate_cds_document.py script explicitly checks for HIPAA identifiers but only warns rather than blocking. The create_cohort_tables.py and biomarker_classifier.py scripts write patient data to CSV files in user-specified directories. If the agent operates in a shared environment, these files could be accessible to other processes. File:
scripts/create_cohort_tables.pyRemediation: Implement file permission controls (chmod 600) on output files containing patient data. Consider encrypting sensitive output files. Enhance the HIPAA validator to block document generation when identifiers are detected rather than just warning. Add audit logging for all file write operations involving clinical data. -
π HIGH
LLM_DATA_EXFILTRATIONβ Full Environment Variable Copy Passed to SubprocessIn generate_schematic.py, the script calls os.environ.copy() to duplicate the entire process environment and passes it to a subprocess via subprocess.run(). This means ALL environment variables present in the agent's environment (including AWS credentials, SSH keys, database passwords, other API tokens, etc.) are passed to the child process. Combined with the child process making external network calls, this creates a cross-file exfiltration chain where any secret in the environment could potentially be accessed and transmitted. File:
scripts/generate_schematic.pyRemediation: Instead of copying the entire environment, create a minimal environment dict with only the required variables: env = {"OPENROUTER_API_KEY": api_key, "PATH": os.environ.get("PATH", "")}. This prevents accidental exposure of other secrets to the subprocess. -
π‘ MEDIUM
LLM_PROMPT_INJECTIONβ Indirect Prompt Injection via External AI-Generated ContentThe generate_schematic_ai.py script sends user-provided prompts to an external AI model (Nano Banana 2 / Gemini) and then uses the AI's text responses (including 'critique' and 'review' content) to construct new prompts for subsequent iterations. Malicious content returned by the external API could contain prompt injection payloads that influence the agent's behavior in subsequent processing steps. The review content is directly embedded into improved prompts without sanitization. File:
scripts/generate_schematic_ai.pyRemediation: Treat all content returned from external APIs as untrusted. Do not directly embed API response text into new prompts without sanitization. Consider using structured output formats (JSON schemas) for review responses rather than free-form text, and validate/sanitize the extracted fields before reuse. -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Exfiltration via Environment Variable and External Network CallsThe script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it in HTTP Authorization headers to an external API endpoint (https://openrouter.ai/api/v1). While the stated purpose is AI image generation, the pattern of reading sensitive environment variables and sending them to external servers represents a data exfiltration risk. The API key is passed in every request header, and the script also reads other environment variables via os.environ.copy() in generate_schematic.py, which copies the entire environment (including any secrets like AWS keys, tokens, etc.) and passes it to a subprocess. File:
scripts/generate_schematic_ai.py:97Remediation: 1. Scope environment variable access to only the specific key needed. 2. Never pass os.environ.copy() to subprocesses - explicitly pass only required variables. 3. Validate the API endpoint URL against an allowlist before making requests. 4. Consider using a secrets manager rather than environment variables for API keys. -
π‘ MEDIUM
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External Dependencies with No Version ConstraintsMultiple scripts import third-party packages (lifelines, matplotlib, pandas, numpy, scipy, scikit-learn, requests) without any version pinning or requirements file with exact versions. The SKILL.md references these as dependencies but provides no pinned versions. Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be installed. The requests library in particular is used for all external API communication. File:
scripts/generate_survival_analysis.py:1Remediation: Create a requirements.txt with exact pinned versions (e.g., requests==2.31.0, lifelines==0.27.8). Use hash verification (pip install --require-hashes). Consider using a lockfile approach (pip-compile or poetry.lock) to ensure reproducible, auditable dependency resolution. -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Arbitrary File Read via Unvalidated User-Supplied File PathMultiple scripts (validate_cds_document.py, build_decision_tree.py, biomarker_classifier.py, generate_survival_analysis.py, create_cohort_tables.py) accept file paths directly from command-line arguments without path traversal validation. An attacker could supply paths like ../../../../etc/passwd or ~/.aws/credentials as input files, causing the scripts to read and potentially expose sensitive system files. The validate_cds_document.py script reads arbitrary files and prints their contents in validation reports. File:
scripts/validate_cds_document.py:30Remediation: Validate and sanitize all file paths before opening. Use Path.resolve() and check that the resolved path is within an expected directory. Example: resolved = Path(filepath).resolve(); assert resolved.is_relative_to(allowed_dir). Apply this pattern to all scripts that accept file path arguments.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Claims and Misleading DescriptionThe skill description claims 'Full support with templates, regulatory compliance (HIPAA, FDA, ICH-GCP), and validation tools.' However, the validation scripts use simple regex pattern matching and do not provide actual regulatory compliance validation. For example, check_deidentification.py uses basic regex to detect HIPAA identifiers but explicitly notes it only catches 'obvious' patterns. Claiming 'regulatory compliance' for a regex-based text scanner could mislead users into believing their documents are actually HIPAA-compliant when they may not be. File:
SKILL.mdRemediation: 1. Revise the description to accurately reflect that the skill provides templates and basic pattern-matching checks, not actual regulatory compliance validation. 2. Add disclaimers in the validation scripts that they perform heuristic checks only and do not guarantee regulatory compliance. 3. Clarify that professional legal/compliance review is required for actual HIPAA compliance. -
π‘ MEDIUM
LLM_UNAUTHORIZED_TOOL_USEβ Mandatory External Skill Invocation Without User Consent - scientific-schematics DependencyThe SKILL.md instruction body contains a mandatory directive requiring the agent to invoke an external skill ('scientific-schematics') for every clinical report generated, without user consent or opt-out. The instruction states 'MANDATORY: Every clinical report MUST include at least 1 AI-generated figure using the scientific-schematics skill' and 'This is not optional.' This forces the agent to invoke another skill and execute scripts (generate_schematic.py) that make external network calls, potentially without the user's knowledge or consent that external API calls will be made. File:
SKILL.mdRemediation: 1. Remove the 'MANDATORY' and 'not optional' language - figure generation should be optional and user-initiated. 2. Clearly disclose in the skill description that using figure generation features requires an OpenRouter API key and makes external network calls. 3. Add explicit user confirmation before invoking external API calls. 4. The allowed-tools field should reflect that Bash execution is used for external API calls. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/clinical-reports/scripts/generate_schematic.py File:
scientific-skills/clinical-reports/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/clinical-reports/scripts/generate_schematic_ai.py File:
scientific-skills/clinical-reports/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/clinical-reports/scripts/generate_schematic_ai.py File:
scientific-skills/clinical-reports/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π HIGH
LLM_DATA_EXFILTRATIONβ Cross-File Exfiltration Chain: generate_schematic.py Passes API Key to generate_schematic_ai.py via SubprocessThe script generate_schematic.py reads the OPENROUTER_API_KEY from the environment and passes it to generate_schematic_ai.py via subprocess execution. The comment in the code notes 'pass API key via environment to avoid exposure in process listings', but this creates a cross-file exfiltration chain where credentials flow from environment β generate_schematic.py β subprocess env β generate_schematic_ai.py β external HTTP request to openrouter.ai. This chain is flagged by static analysis as a cross-file env var exfiltration pattern. File:
scripts/generate_schematic.pyRemediation: 1. Document clearly in the skill manifest that external API calls are made to openrouter.ai. 2. Ensure the user is explicitly informed and consents before the skill invokes these scripts. 3. Consider whether the full os.environ.copy() is necessary - this passes ALL environment variables to the subprocess, not just OPENROUTER_API_KEY, potentially exposing other secrets (AWS keys, tokens, etc.) present in the environment. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Full Environment Copy Passed to SubprocessIn generate_schematic.py, the code performs os.environ.copy() and passes the entire environment to the subprocess. This means ALL environment variables present in the agent's environment (potentially including AWS credentials, database passwords, other API keys, SSH keys, etc.) are passed to the child process generate_schematic_ai.py. While the child process may not use them, this is an unnecessary exposure of the full environment. File:
scripts/generate_schematic.pyRemediation: Instead of copying the full environment, pass only the minimum required environment variables to the subprocess: env = {'OPENROUTER_API_KEY': api_key, 'PATH': os.environ.get('PATH', '')}. This prevents accidental exposure of other sensitive environment variables to the child process. -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Exfiltration via External Network Calls in generate_schematic_ai.pyThe script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it to an external API endpoint (https://openrouter.ai/api/v1). While the stated purpose is AI image generation, the script also reads environment variables and makes outbound HTTP requests with those credentials. The API key is passed in Authorization headers to an external third-party service. Additionally, the script attempts to load .env files from the current working directory and the script's parent directory, potentially harvesting credentials stored in local .env files beyond just OPENROUTER_API_KEY. File:
scripts/generate_schematic_ai.pyRemediation: 1. Clearly document in SKILL.md that this skill requires an OpenRouter API key and makes external network calls. 2. Restrict .env file loading to only the skill's own directory, not the current working directory (which could be the user's project root containing unrelated secrets). 3. Validate that only the expected OPENROUTER_API_KEY is read, not other environment variables. 4. Add explicit user consent/confirmation before making external API calls with credentials. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded External API Calls with Iterative Retry LogicThe generate_schematic_ai.py script implements an iterative refinement loop that makes multiple calls to external AI APIs (image generation + quality review per iteration). While the maximum iterations are capped at 2, each iteration makes at least 2 API calls (one to generate, one to review), and the script saves intermediate files to disk. If invoked repeatedly or in batch contexts, this could result in significant API cost consumption and disk usage without explicit user awareness of the cost implications. File:
scripts/generate_schematic_ai.pyRemediation: 1. Add explicit cost warnings before making API calls, informing users that external API calls will incur costs. 2. Require explicit user confirmation before initiating the iterative generation process. 3. Document the expected number of API calls and approximate costs in the skill description.
-
π΄ CRITICAL
LLM_DATA_EXFILTRATIONβ Environment Variable Access with Network Exfiltration ChainStatic analysis flagged a cross-file exfiltration chain involving environment variable access combined with network calls across 2 files. The skill package contains 10 Python files and 22 markdown files, but no script files were surfaced in the analysis. The pre-scan static analyzer detected BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN patterns, indicating that somewhere in the 10 Python files (not shown in the provided content), there is code that reads environment variables (likely containing credentials, API keys, or tokens) and transmits them to an external network endpoint. This is a classic credential harvesting and data exfiltration pattern. Remediation: Immediately inspect all 10 Python files in the skill package for: (1) os.environ, os.getenv, or similar environment variable access; (2) requests, urllib, httpx, or any other HTTP/network calls; (3) any pattern that reads env vars and passes them to network functions. Remove any such code. The skill's stated purpose (metabolic modeling with COBRApy) has no legitimate need to read environment variables or make outbound network calls beyond loading bundled models.
-
π HIGH
LLM_UNAUTHORIZED_TOOL_USEβ Hidden Python Scripts Not Disclosed in Skill InstructionsThe skill package contains 10 Python files according to the file inventory, but the SKILL.md instructions and referenced workflow/API files contain only inline code examples - no standalone Python scripts are declared or described. The skill instructions make no mention of any executable Python scripts being part of the package, yet 10 such files exist. This discrepancy between declared behavior and actual package contents is a tool poisoning indicator: scripts executing silently without user awareness. File:
SKILL.mdRemediation: Audit all 10 Python files. Any legitimate helper scripts should be explicitly referenced in SKILL.md with clear descriptions of their purpose. Scripts that serve no legitimate purpose for metabolic modeling should be removed. The 'unreferenced_scripts': [] value in the inventory may indicate the static analyzer could not resolve references, not that scripts are properly referenced. -
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Referenced Files Include Non-Existent and Ambiguous Paths Suggesting Capability InflationThe SKILL.md references multiple file paths that do not exist in the package (templates/api_quick_reference.md, matplotlib.py, assets/workflows.md, cobra.py, assets/api_quick_reference.md, templates/workflows.md). The reference to 'matplotlib.py' and 'cobra.py' as local files is particularly suspicious - these names shadow well-known Python library names (matplotlib, cobra/cobrapy). A local 'cobra.py' could shadow the legitimate COBRApy library import, redirecting all cobra.* calls to a malicious local file. Similarly, 'matplotlib.py' could shadow the matplotlib library. File:
references/api_quick_reference.mdRemediation: Remove references to non-existent files. Critically, ensure no local files named 'cobra.py' or 'matplotlib.py' exist in the skill package, as these would shadow the legitimate library imports used throughout the skill's code examples. Verify the 10 Python files in the package do not include files with these names.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Misleading Model Name References ('Nano Banana 2', 'Nano Banana Pro')The SKILL.md instructions and script comments repeatedly reference 'Nano Banana 2' and 'Nano Banana Pro' as the AI image generation model, but the actual model identifier used in the code is 'google/gemini-3.1-flash-image-preview'. This discrepancy between the marketed name and the actual model used could mislead users about what AI system is processing their data. The SKILL.md states 'Nano Banana Pro will automatically generate, review, and refine the schematic' which is a fictional product name not corresponding to any real model. File:
SKILL.mdRemediation: Use accurate model names in documentation. Disclose the actual AI models being used (Google Gemini) so users understand what third-party services process their data. Remove fictional product name references. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/hypothesis-generation/scripts/generate_schematic.py File:
scientific-skills/hypothesis-generation/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/hypothesis-generation/scripts/generate_schematic_ai.py File:
scientific-skills/hypothesis-generation/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/hypothesis-generation/scripts/generate_schematic_ai.py File:
scientific-skills/hypothesis-generation/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Cross-File Credential Propagation Chaingenerate_schematic.py reads the OPENROUTER_API_KEY from the environment and explicitly copies it into a subprocess environment (env = os.environ.copy(); env['OPENROUTER_API_KEY'] = api_key) before passing it to generate_schematic_ai.py via subprocess.run(). This creates a cross-file credential propagation chain. The full os.environ is copied and passed to the subprocess, potentially exposing all environment variables (not just the API key) to the child process. This is flagged by the static analyzer as BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION. File:
scripts/generate_schematic.pyRemediation: Instead of copying the entire os.environ, pass only the specific environment variables needed by the subprocess. Use a minimal environment dict rather than os.environ.copy() to avoid inadvertently exposing other sensitive environment variables (e.g., AWS credentials, SSH keys, database passwords) to the child process. -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Exfiltration via Environment Variable Harvesting and External Network CallsThe script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP Authorization headers to an external API endpoint (https://openrouter.ai/api/v1). While OpenRouter is a legitimate AI routing service, the pattern of harvesting environment variables and sending them over the network represents a data exfiltration risk. The key is also passed between scripts (generate_schematic.py β generate_schematic_ai.py) via environment variable propagation. If the API key environment variable is set to a sensitive credential (or if the domain is spoofed/compromised), this creates a credential exfiltration vector. File:
scripts/generate_schematic_ai.pyRemediation: Validate that the API key is only sent to the expected domain (openrouter.ai). Add domain allowlisting before making requests. Warn users explicitly that their API key will be transmitted to an external service. Consider using a secrets manager rather than environment variables for credential storage. -
π‘ MEDIUM
LLM_UNAUTHORIZED_TOOL_USEβ Allowed-Tools Violation: Bash and Python Declared but Scripts Make Unrestricted External Network CallsThe YAML manifest declares allowed-tools as [Read, Write, Edit, Bash], which implies a bounded set of operations. However, the Python scripts make unrestricted outbound HTTP POST requests to external APIs (openrouter.ai) transmitting user-provided prompt content and generated image data. The manifest does not declare network access as an allowed capability, and the description does not disclose that user content (diagram descriptions) will be sent to a third-party AI service. This is a mismatch between declared capabilities and actual behavior. File:
scripts/generate_schematic_ai.pyRemediation: Update the skill description and SKILL.md to explicitly disclose that user-provided diagram descriptions are transmitted to OpenRouter's API (a third-party service). Add a user confirmation step before sending data externally. Document the data flow clearly in the manifest. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External Dependency (requests library)The script checks for the 'requests' library with a try/except ImportError and instructs users to install it with 'pip install requests' without specifying a version pin. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version could be installed. The dotenv library is also optionally imported without version pinning. File:
scripts/generate_schematic_ai.pyRemediation: Pin dependency versions explicitly (e.g., requests==2.31.0). Include a requirements.txt with pinned versions and cryptographic hashes. Use pip install --require-hashes for security-sensitive installations.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_infographic.py, scripts/generate_infographic_ai.py Remediation: Review data flow across files: scripts/generate_infographic_ai.py, scripts/generate_infographic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_infographic.py, scripts/generate_infographic_ai.py collect data β scripts/generate_infographic_ai.py β scripts/generate_infographic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_infographic_ai.py, scripts/generate_infographic.py
-
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/infographics/scripts/generate_infographic.py File:
scientific-skills/infographics/scripts/generate_infographic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/infographics/scripts/generate_infographic_ai.py File:
scientific-skills/infographics/scripts/generate_infographic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/infographics/scripts/generate_infographic_ai.py File:
scientific-skills/infographics/scripts/generate_infographic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ API Key Passed via Command-Line Argument (Process Listing Exposure)In generate_infographic.py, the API key can be passed via --api-key command-line argument. Although the script attempts to mitigate this by passing the key via environment variable to the subprocess, the key is still accepted as a CLI argument in the parent process, which can expose it in process listings (ps aux, /proc). The comment 'pass API key via environment to avoid exposure in process listings' acknowledges the risk but only partially mitigates it at the subprocess level. File:
scripts/generate_infographic.py:175Remediation: Remove the --api-key CLI argument entirely. Require the API key to be set only via environment variable (OPENROUTER_API_KEY) or a .env file. This eliminates the risk of key exposure in process listings. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Sensitive API Key Loaded from .env File in Potentially Untrusted DirectoriesThe _load_env_file() function in generate_infographic_ai.py loads .env files from the current working directory (Path.cwd() / '.env') in addition to the script directory. If the agent is invoked from a user-controlled or untrusted working directory, a malicious .env file could override the OPENROUTER_API_KEY with an attacker-controlled key, redirecting all API calls (including research queries containing user data) to an attacker-controlled OpenRouter account. File:
scripts/generate_infographic_ai.py:52Remediation: Only load .env from the script's own directory (the skill package directory), not from the current working directory. Remove Path.cwd() / '.env' from the candidates list. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Capability Inflation - References Non-Existent AI Models ('Nano Banana Pro', 'Gemini 3 Pro')The skill's description, SKILL.md, and code extensively reference 'Nano Banana Pro AI' and 'Gemini 3 Pro' as the models used. However, the actual model IDs in the code are 'google/gemini-3-pro-image-preview' and 'google/gemini-3-pro', which are speculative/non-existent model names (as of current knowledge). The marketing name 'Nano Banana Pro' does not correspond to any known AI model. This inflates perceived capabilities and may mislead users about what AI system is actually being used. File:
scripts/generate_infographic_ai.py:130Remediation: Use accurate, verifiable model names in both documentation and code. Do not use marketing names that obscure the actual underlying model being called. Verify that referenced model IDs exist on OpenRouter before publishing. -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ User-Controlled Prompt Passed Directly to AI Image Generation Without SanitizationThe user-supplied prompt string is incorporated directly into the generation prompt sent to the Nano Banana Pro image generation model and the Perplexity Sonar research model without any sanitization or length limits. A malicious user could craft a prompt containing adversarial instructions targeting the downstream AI models (prompt injection into the image generation or research APIs), potentially causing unexpected behavior or policy violations in those services. File:
scripts/generate_infographic_ai.py:390Remediation: Implement input validation and length limits on the user prompt. Consider wrapping the user prompt in explicit delimiters and instructing the model to treat it as data only. Add a maximum prompt length check (e.g., 2000 characters) to prevent abuse. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded Iteration with External API Calls May Cause Resource ExhaustionThe generate_iterative() method makes multiple sequential API calls (up to 'iterations' times for generation + review per iteration, plus an optional research call). With the default of 3 iterations, this results in up to 7 API calls per invocation. While there is a maximum iterations cap, there is no timeout on the overall process, no rate limiting, and no cost guard. A user could invoke this repeatedly or with high iteration counts, leading to significant API cost accumulation. File:
scripts/generate_infographic_ai.py:430Remediation: Add a hard maximum cap on iterations (e.g., max 5) enforced in code regardless of user input. Consider adding a --max-cost or --dry-run flag. Document the API cost implications clearly in the skill description. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Research Data Including Potentially Sensitive User Prompts Written to DiskWhen the --research flag is used, the full research result (including the original user prompt and all gathered data) is written to a JSON file on disk ({base_name}_research.json). Additionally, a review log containing the full user prompt, all iteration details, and quality scores is always written ({base_name}_review_log.json). These files may persist sensitive information about what the user was researching. File:
scripts/generate_infographic_ai.py:480Remediation: Document clearly that these files are created and may contain sensitive information. Consider adding a --no-log flag to suppress log file creation, or redact the user prompt from persisted logs.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License and Compatibility MetadataThe YAML manifest does not specify a license or compatibility field. While this is LOW severity per the skill spec (these fields are optional), the absence of license information means users cannot determine the terms under which the skill (including its scripts that make external API calls) can be used, shared, or modified. File:
SKILL.mdRemediation: Add license and compatibility fields to the YAML frontmatter to improve transparency and help users understand the terms of use and supported environments. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Skill Description and Capability ClaimsThe skill description claims support for 'conference presentations, academic posters, and scientific communication' and references integration with 'scientific-schematics' and 'Nano Banana Pro' skills. The SKILL.md instructions extensively reference external skills and tools (scientific-schematics, generate-image) that are not bundled with this skill package, potentially inflating perceived capabilities and creating implicit dependencies on external skills that may not be present or may behave differently than expected. File:
SKILL.mdRemediation: Clearly document which capabilities are self-contained versus dependent on external skills. Avoid marking external skill dependencies as 'CRITICAL' without verifying their availability. Scope the skill description to only what is directly provided. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/latex-posters/scripts/generate_schematic.py File:
scientific-skills/latex-posters/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/latex-posters/scripts/generate_schematic_ai.py File:
scientific-skills/latex-posters/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/latex-posters/scripts/generate_schematic_ai.py File:
scientific-skills/latex-posters/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π HIGH
LLM_DATA_EXFILTRATIONβ Cross-File Credential Chain: API Key Passed via Subprocess EnvironmentThe generate_schematic.py wrapper script reads OPENROUTER_API_KEY from the environment (or --api-key flag) and re-injects it into a subprocess environment to call generate_schematic_ai.py. This creates a cross-file credential propagation chain. If the --api-key flag is used, the key could appear in process listings on multi-user systems, though the code does attempt to pass it via environment rather than command-line argument. File:
scripts/generate_schematic.pyRemediation: Avoid accepting API keys via command-line flags (--api-key) as these can appear in process listings. Rely exclusively on environment variables or secure credential stores. Document that the --api-key flag is insecure on shared systems. -
π HIGH
LLM_COMMAND_INJECTIONβ Unsanitized User Input Passed to External AI API (Prompt Injection via Diagram Description)The user-supplied prompt (diagram description) is passed directly and without sanitization into the AI image generation API request payload. A malicious user could craft a prompt that manipulates the downstream AI model behavior, exfiltrates information embedded in the review response, or causes the review model (Gemini 3.1 Pro Preview) to produce harmful outputs. The prompt is also embedded into a larger system prompt template without escaping, allowing injection of additional instructions. File:
scripts/generate_schematic_ai.pyRemediation: Sanitize and validate user-supplied prompts before embedding them in API requests. Consider using a separate system/user message structure rather than string interpolation. Implement input length limits and content filtering on the user prompt before it is forwarded to external AI APIs. -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Exfiltration via External Network CallsThe script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it in HTTP Authorization headers to the external service at https://openrouter.ai/api/v1. While this is nominally the intended API endpoint, the pattern of reading sensitive credentials from the environment and sending them over the network represents a credential exposure risk. The API key is also passed between scripts via environment variables and subprocess calls, creating a cross-file credential chain. File:
scripts/generate_schematic_ai.pyRemediation: Ensure the API key is only used for its stated purpose and never logged or stored. Validate that the endpoint URL is not user-controllable. Consider scoping the API key to minimum required permissions. Review that the key cannot be exfiltrated to attacker-controlled endpoints via prompt injection in the user-supplied diagram description. -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Unvalidated External API Response Embedded in Saved JSON LogThe full API response content, including critique text from external AI models, is saved directly to a JSON log file without sanitization. The critique content originates from an external AI service and could contain malicious content, path traversal sequences, or other injection payloads that could affect downstream processing if the log file is parsed or executed. File:
scripts/generate_schematic_ai.pyRemediation: Validate and sanitize all externally-sourced content before writing to disk. Ensure the log file path cannot be manipulated via the output_path parameter to write to sensitive locations. Consider limiting the critique text length stored in logs. -
π‘ MEDIUM
LLM_PROMPT_INJECTIONβ Indirect Prompt Injection via AI-Generated Image Review ContentThe review_image() method sends the generated image to Gemini 3.1 Pro Preview and then uses the returned critique text directly in subsequent prompt construction via improve_prompt(). If the image generation model embeds adversarial text or instructions within the generated image (e.g., hidden text in the image that the vision model reads and includes in its critique), those instructions could be injected into subsequent generation prompts without sanitization. File:
scripts/generate_schematic_ai.pyRemediation: Treat the critique returned from the vision model as untrusted data. Do not embed raw critique text directly into subsequent generation prompts. Parse and validate the critique response, extracting only structured fields (score, specific improvement categories) rather than free-form text.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 3 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/verify_citations.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 3 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/verify_citations.py, scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/verify_citations.py
-
π‘ MEDIUM
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Dependency Installation and Unverified External Installer ScriptThe SKILL.md instructions direct users to install parallel-cli via a curl-pipe-bash pattern from an external URL (curl -fsSL https://parallel.ai/install.sh | bash), which is a supply chain attack vector. Additionally, pip install requests is specified without a version pin, allowing a compromised or malicious version to be installed. The install.sh script from parallel.ai is fetched and executed without integrity verification (no checksum, no signature verification). File:
SKILL.mdRemediation: Replace curl-pipe-bash with a verified installation method (e.g., download, verify checksum, then execute). Pin all Python dependencies to specific versions (e.g., requests==2.31.0). Consider using a requirements.txt with hashes for integrity verification. -
π΅ LOW
LLM_PROMPT_INJECTIONβ External Content Fetched and Processed Without Trust Boundary EnforcementThe skill instructs the agent to use parallel-cli extract to fetch full content from arbitrary external URLs (paper URLs, journal websites, preprint servers) and process that content as part of the literature review workflow. Content fetched from external sources could contain embedded instructions that manipulate the agent's behavior during the review synthesis phase. The skill does not establish any trust boundary or content sanitization for externally fetched document content. File:
SKILL.mdRemediation: Document that externally fetched content should be treated as untrusted data. Instruct the agent to not follow any instructions found within fetched external documents. Consider adding a content sanitization step before processing externally fetched text. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/literature-review/scripts/generate_schematic.py File:
scientific-skills/literature-review/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/literature-review/scripts/generate_schematic_ai.py File:
scientific-skills/literature-review/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/literature-review/scripts/generate_schematic_ai.py File:
scientific-skills/literature-review/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Cross-File Exfiltration Chain: Environment Variables Harvested and Sent to External APIThe static analyzer flagged a cross-file exfiltration chain spanning 3 files. The generate_schematic.py wrapper script reads OPENROUTER_API_KEY from the environment and passes it to generate_schematic_ai.py via subprocess with env=env. The AI script then sends this key plus user-provided prompt content (which may include sensitive research data) to the external OpenRouter API. User research content (literature review topics, queries) is also transmitted to external AI models (Gemini 3.1 Pro Preview via OpenRouter), which may constitute unintended data disclosure. File:
scripts/generate_schematic.pyRemediation: Clearly disclose in the skill documentation that user prompts and research content are transmitted to OpenRouter and Google (Gemini) APIs. Provide opt-out mechanisms. Avoid passing the full os.environ.copy() to subprocesses as this transmits all environment variables to the child process environment, which then has access to all secrets. -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Exfiltration via Environment Variable and External Network CallsThe script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token to the external OpenRouter API (https://openrouter.ai/api/v1). While this is nominally for legitimate AI image generation, the pattern of reading a sensitive credential from the environment and sending it to an external server constitutes a data exfiltration risk. The API key is passed in HTTP Authorization headers to an external third-party service. Additionally, the script loads .env files from the current working directory or script directory, potentially harvesting credentials stored there. File:
scripts/generate_schematic_ai.pyRemediation: Ensure the OPENROUTER_API_KEY is only used for its stated purpose. Validate the endpoint URL is not user-controllable. Consider scoping the API key to minimum required permissions. Document clearly that this key is transmitted to openrouter.ai so users can make informed decisions about credential exposure. -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ User-Controlled Input Passed to External AI API Without SanitizationIn generate_schematic_ai.py and generate_schematic.py, the user-supplied prompt argument is passed directly into API requests to OpenRouter without any sanitization or validation. The prompt is embedded in JSON payloads sent to external AI models. While this does not constitute local command injection, it enables prompt injection attacks against the downstream AI models (Gemini image generation, Gemini Pro review), potentially causing those models to generate harmful or misleading scientific content that gets embedded in the literature review output. File:
scripts/generate_schematic_ai.pyRemediation: Validate and sanitize user-provided prompts before passing to external AI APIs. Implement allowlisting for acceptable diagram types. Add content filtering on returned AI-generated images before embedding them in academic documents. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded Retry and Iterative API Call PatternThe generate_schematic_ai.py script implements an iterative refinement loop that makes multiple calls to external AI APIs (image generation + quality review per iteration). While the maximum is capped at 2 iterations, each iteration makes at least 2 API calls (generate + review), and the script does not implement exponential backoff or total cost limits. If integrated into an automated pipeline, this could result in unexpected API cost accumulation or rate limit exhaustion. File:
scripts/generate_schematic_ai.pyRemediation: Add explicit cost/token budget limits. Implement exponential backoff on API failures. Add user confirmation before initiating multi-iteration generation workflows. Document the maximum number of API calls that can be made per invocation.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 3 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/convert_with_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/convert_with_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 3 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/convert_with_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/convert_with_ai.py, scripts/generate_schematic.py
-
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Unpinned External Package DependenciesThe skill instructs users to install packages without version pinning (e.g., 'pip install markitdown[all]', 'pip install requests'). Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be installed. The markitdown package itself is installed from PyPI without a pinned version, and the requests library is also installed without pinning. File:
SKILL.mdRemediation: Pin all dependencies to specific versions (e.g., 'pip install markitdown==0.1.0'). Use a requirements.txt or pyproject.toml with locked versions. Consider using a lockfile (pip-compile, poetry.lock) to ensure reproducible installs. -
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Capability Inflation via Cross-Skill Promotion (scientific-schematics)The SKILL.md instructions contain an embedded promotion for a separate 'scientific-schematics' skill, instructing the agent to 'always consider adding scientific diagrams' and that 'Scientific schematics should be generated by default.' This inflates the activation scope of the markitdown skill by directing the agent to invoke another skill (scientific-schematics) even when the user only requested document conversion. This is a form of capability inflation and unsolicited cross-skill activation manipulation. File:
SKILL.mdRemediation: Remove the cross-skill promotion from the SKILL.md instructions. Skills should not instruct the agent to invoke other skills by default without explicit user request. If integration is desired, document it as an optional feature rather than a default behavior. -
π‘ MEDIUM
LLM_SUPPLY_CHAIN_ATTACKβ Third-Party Plugin System with No Trust ValidationThe skill promotes and enables a third-party plugin system for MarkItDown, instructing users to find plugins via GitHub hashtag '#markitdown-plugin'. This creates a supply chain risk where arbitrary third-party code can be loaded into the conversion pipeline via 'enable_plugins=True'. No validation, sandboxing, or trust verification is described for these plugins. File:
SKILL.mdRemediation: Warn users about the risks of enabling third-party plugins. Recommend only using plugins from trusted, audited sources. Do not enable plugins by default. Consider documenting a vetting process for plugins before use. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Keys Shown in Plaintext in Code ExamplesThe SKILL.md and referenced files contain multiple code examples with placeholder API keys shown inline (e.g., api_key='your-openrouter-api-key'). While these are placeholders, the pattern encourages users to hardcode API keys directly in scripts rather than using environment variables or secure secret management. The references/api_reference.md also shows inline API key usage. File:
SKILL.mdRemediation: Update all code examples to use environment variables (os.environ.get('OPENROUTER_API_KEY')) rather than inline placeholders. Add explicit warnings in documentation that API keys should never be hardcoded in scripts. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/markitdown/scripts/convert_with_ai.py File:
scientific-skills/markitdown/scripts/convert_with_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/markitdown/scripts/generate_schematic.py File:
scientific-skills/markitdown/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/markitdown/scripts/generate_schematic_ai.py File:
scientific-skills/markitdown/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/markitdown/scripts/generate_schematic_ai.py File:
scientific-skills/markitdown/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded Parallel Thread Pool for File ConversionThe batch_convert.py script uses ThreadPoolExecutor with a configurable worker count (default 4, user-configurable via --workers flag). While there is a default limit, users can specify arbitrarily high worker counts (e.g., --workers 100), potentially causing resource exhaustion on the host system when processing large directories of files. File:
scripts/batch_convert.pyRemediation: Add a maximum cap on the number of workers (e.g., max 16 or based on CPU count). Validate the workers argument to reject unreasonably large values. Consider using os.cpu_count() as an upper bound. -
π HIGH
LLM_DATA_EXFILTRATIONβ Environment Variable Harvesting and Transmission to External APIThe scripts read the OPENROUTER_API_KEY environment variable and transmit it to external API endpoints (openrouter.ai). While this is nominally for legitimate API use, the pattern of reading environment variables and sending them over the network constitutes a data exfiltration risk. The generate_schematic_ai.py script reads the API key from the environment and includes it in HTTP Authorization headers sent to https://openrouter.ai/api/v1. Additionally, the script loads .env files from the current working directory or script directory, which could expose secrets stored in those files. The static analyzer flagged cross-file env var exfiltration chains across 3 files. File:
scripts/generate_schematic_ai.pyRemediation: Ensure the API key is only used for its stated purpose and is not logged or transmitted beyond the intended endpoint. Validate that the base_url is hardcoded and cannot be overridden by user input. Consider warning users that their API key will be transmitted to openrouter.ai. Avoid loading .env files automatically without user consent.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Skill Description References Non-Existent Companion SkillsThe SKILL.md instructions reference a 'scientific-schematics' skill and 'Nano Banana Pro' product by name, suggesting users invoke these external skills. These companion skills are not bundled with this package and their existence, safety, or behavior cannot be verified. This could lead to unexpected activation of unrelated or potentially malicious skills if a user installs a skill named 'scientific-schematics'. File:
SKILL.mdRemediation: Remove or clearly caveat references to external skills not bundled with this package. If the scientific-schematics skill is a companion, document its source and version explicitly. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/peer-review/scripts/generate_schematic.py File:
scientific-skills/peer-review/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/peer-review/scripts/generate_schematic_ai.py File:
scientific-skills/peer-review/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/peer-review/scripts/generate_schematic_ai.py File:
scientific-skills/peer-review/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ allowed-tools Declares Bash but Subprocess Execution Scope Is BroadThe manifest declares allowed-tools including Bash. The generate_schematic.py script uses subprocess.run() to execute another Python script, passing the full environment. While Bash is declared as allowed, the subprocess invocation pattern could be used to execute arbitrary commands if the cmd list were influenced by user input. In the current implementation the prompt argument flows into the subprocess command list. File:
scripts/generate_schematic.py:90Remediation: Validate and sanitize the prompt argument before passing it to subprocess. Consider using a direct Python function call instead of subprocess to avoid shell injection risks. Ensure args.prompt cannot contain shell metacharacters that could affect command parsing. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Cross-File Exfiltration Chain: Environment Variable Read and Network TransmissionThe static analyzer identified a cross-file exfiltration chain spanning generate_schematic.py and generate_schematic_ai.py. generate_schematic.py reads OPENROUTER_API_KEY from the environment, copies it into a subprocess environment (env = os.environ.copy()), and passes it to generate_schematic_ai.py which then transmits it to an external server. The full os.environ is copied, meaning any other sensitive environment variables present at runtime are also passed to the subprocess. File:
scripts/generate_schematic.py:95Remediation: Instead of copying the entire os.environ to the subprocess, construct a minimal environment containing only the variables needed. For example: env = {"OPENROUTER_API_KEY": api_key, "PATH": os.environ.get("PATH", "")}. This prevents inadvertent exposure of other sensitive environment variables (AWS keys, tokens, etc.) to the subprocess. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External DependenciesThe script imports the 'requests' library without any version pinning, and the dotenv library is optionally loaded without version constraints. The SKILL.md instructions reference running scripts that depend on these libraries. Without pinned versions, a supply chain compromise of these packages could affect the skill's behavior. File:
scripts/generate_schematic_ai.py:18Remediation: Pin dependency versions in a requirements.txt file (e.g., requests==2.31.0, python-dotenv==1.0.0). Reference this file in the skill documentation and instruct users to install from it. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ API Key Harvested from Environment and Transmitted to External APIBoth scripts read the OPENROUTER_API_KEY environment variable and transmit it to an external API endpoint (https://openrouter.ai/api/v1). While OpenRouter is a legitimate service, the pattern of reading environment variables and sending them over the network is a data exfiltration risk vector. The key is passed in HTTP Authorization headers to an external third-party service. If the environment contains other sensitive keys or if the API key itself is high-value, this represents a credential exposure risk. File:
scripts/generate_schematic_ai.py:60Remediation: Ensure users are clearly informed that their OPENROUTER_API_KEY will be transmitted to openrouter.ai. Document this in the skill manifest and SKILL.md. Consider scoping the environment variable access to only what is needed and validating the key format before use.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/pptx-posters/scripts/generate_schematic.py File:
scientific-skills/pptx-posters/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/pptx-posters/scripts/generate_schematic_ai.py File:
scientific-skills/pptx-posters/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/pptx-posters/scripts/generate_schematic_ai.py File:
scientific-skills/pptx-posters/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Key Transmitted via Network Requests to External ServiceThe script reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP Authorization headers to openrouter.ai. While this is the intended use of an API key, the key is also passed through subprocess environment variables and included in HTTP headers sent to an external third-party service. The static analyzer flagged this as an environment variable exfiltration chain across two files (generate_schematic.py and generate_schematic_ai.py). The behavior is consistent with legitimate API usage, but users should be aware their API key is being sent to openrouter.ai on every call. File:
scripts/generate_schematic_ai.pyRemediation: This is expected behavior for an API-based skill. Ensure users are informed that their OPENROUTER_API_KEY is transmitted to openrouter.ai. Document the data flow clearly in the skill description. Consider adding a note in SKILL.md about which external services receive data. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ User Prompt Content Sent to External AI ServicesUser-provided diagram descriptions (prompts) are sent to two external AI services via OpenRouter: google/gemini-3.1-flash-image-preview for image generation and google/gemini-3.1-pro-preview for quality review. Additionally, generated images are base64-encoded and sent back to the review model. This means user research content (methodology descriptions, result summaries, etc.) is transmitted to third-party cloud services. The SKILL.md does not explicitly disclose this data sharing with users. File:
scripts/generate_schematic_ai.pyRemediation: Add explicit disclosure in SKILL.md that user prompts and generated images are transmitted to Google AI models via OpenRouter. Allow users to opt out or be aware before sensitive research content is shared with external services. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded API Retry Loop with External Network CallsThe iterative refinement loop calls external AI APIs up to 'iterations' times (max 2 per validation). However, the review_image() method makes an additional API call per iteration, meaning each iteration can result in 2 external API calls. With no rate limiting, backoff, or cost controls implemented in the code, a user could trigger repeated expensive API calls. The timeout is set to 120 seconds per request, and failures in generation simply continue to the next iteration rather than aborting. File:
scripts/generate_schematic_ai.pyRemediation: The current max of 2 iterations is reasonable. Consider adding explicit cost warnings to users before execution, and implement exponential backoff on API failures rather than silent continuation. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External Dependency (requests library)The script imports the 'requests' library without any version pinning. The install instruction shown in the error message ('pip install requests') does not specify a version. While requests is a well-known library, unpinned dependencies can be subject to supply chain attacks if a malicious version is published. This is a minor concern given the library's maturity. File:
scripts/generate_schematic_ai.py:10Remediation: Pin the requests library to a specific known-good version (e.g., requests==2.31.0) in a requirements.txt file bundled with the skill. This prevents inadvertent installation of a compromised version.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Mandatory Cross-Skill Invocation via Capability InflationThe SKILL.md instruction body contains a mandatory directive to invoke an external skill ('scientific-schematics') for every grant proposal, framed as non-optional: '
β οΈ MANDATORY: Every research grant proposal MUST include at least 1-2 AI-generated figures using the scientific-schematics skill.' and 'This is not optional.' This inflates the perceived scope of this skill by forcing activation of another skill and creating an implicit dependency chain. The instruction also references a product name 'Nano Banana Pro' which appears to be a brand/product promotion embedded in the skill instructions. File:SKILL.mdRemediation: Remove mandatory cross-skill invocation directives. Make figure generation optional and user-driven. Remove product name references ('Nano Banana Pro') from skill instructions as they constitute embedded advertising/brand promotion. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/research-grants/scripts/generate_schematic.py File:
scientific-skills/research-grants/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/research-grants/scripts/generate_schematic_ai.py File:
scientific-skills/research-grants/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/research-grants/scripts/generate_schematic_ai.py File:
scientific-skills/research-grants/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π HIGH
LLM_COMMAND_INJECTIONβ User-Controlled Prompt Injection into External AI API CallsThe generate_schematic.py and generate_schematic_ai.py scripts accept arbitrary user-provided text via the 'prompt' command-line argument and pass it directly into API requests sent to external AI models (google/gemini-3.1-flash-image-preview and google/gemini-3.1-pro-preview via OpenRouter). The user prompt is embedded directly into message payloads without sanitization. A malicious user could craft prompts that attempt to manipulate the external AI model's behavior, extract information, or generate harmful content through the external API. File:
scripts/generate_schematic_ai.pyRemediation: Add input validation and sanitization for user-provided prompts before passing to external AI APIs. Implement content filtering or length limits. Consider wrapping user input in a structured template that limits injection surface. Log all prompts for audit purposes. -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Exfiltration via Environment Variable Harvesting and External Network CallsThe script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP requests to an external API endpoint (https://openrouter.ai/api/v1). While this is the intended use of the API key, the script also loads .env files from the current working directory and the script's parent directory, potentially harvesting credentials from the user's environment. The API key is sent in Authorization headers to an external third-party service. Combined with the cross-file chain (generate_schematic.py calls generate_schematic_ai.py), this creates a credential harvesting and transmission pattern. File:
scripts/generate_schematic_ai.pyRemediation: Clearly document in the skill that an API key is required and will be transmitted to openrouter.ai. Restrict .env file loading to only the skill's own directory, not the current working directory (which could be the user's project root containing unrelated secrets). Add explicit user consent prompts before transmitting credentials. Validate the API endpoint URL is the expected one before sending credentials. -
π‘ MEDIUM
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External Dependency and Third-Party API RelianceThe scripts depend on the 'requests' library (imported without version pinning) and make calls to third-party services openrouter.ai using AI models identified as 'google/gemini-3.1-flash-image-preview' and 'google/gemini-3.1-pro-preview'. These model identifiers reference preview/unstable models that could change behavior without notice. The 'requests' library is imported without version constraints. Additionally, the script attempts to import 'dotenv' (python-dotenv) without version pinning. A supply chain compromise of these dependencies or changes to the external API could alter skill behavior. File:
scripts/generate_schematic_ai.pyRemediation: Pin dependency versions (e.g., requests==2.31.0). Use stable, non-preview model identifiers. Document all external service dependencies in the skill manifest. Consider adding integrity checks for installed packages. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Potential Sensitive Data in Review Log FilesThe generate_schematic_ai.py script saves a JSON review log file that includes the full user prompt, all AI-generated critique text, quality scores, and iteration details. This log is saved to the output directory. If the user's prompt contains sensitive research information (e.g., unpublished grant proposal details, proprietary research), this data is persisted to disk in a potentially accessible location and also transmitted to external AI services for review. File:
scripts/generate_schematic_ai.pyRemediation: Inform users that prompts and AI review responses are logged to disk. Make log file creation optional (add --no-log flag). Sanitize or truncate sensitive content in logs. Clearly disclose in skill documentation that prompt content is sent to external AI services and logged locally.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 6 filesEnvironment variable access with network calls in examples.py, research_lookup.py, lookup.py, scripts/research_lookup.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, lookup.py, examples.py, scripts/generate_schematic_ai.py, research_lookup.py, scripts/research_lookup.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 6 filesMulti-file exfiltration chain detected: examples.py, research_lookup.py, lookup.py, scripts/research_lookup.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β research_lookup.py, scripts/research_lookup.py, scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, lookup.py, examples.py, scripts/generate_schematic_ai.py, research_lookup.py, scripts/research_lookup.py
-
π‘ MEDIUM
LLM_PROMPT_INJECTIONβ External API Responses Processed Without Content ValidationResearch results returned from external APIs (Parallel Chat API, Perplexity/OpenRouter) are directly incorporated into the agent's context and written to files without any content validation or sanitization. Malicious or compromised API responses could contain prompt injection instructions that would be processed by the agent when it reads the saved research files from the sources/ directory. The skill instructs the agent to re-read saved files from sources/ for context recovery, creating a persistent indirect injection vector. File:
SKILL.mdRemediation: Treat all externally-sourced content as untrusted. Implement content filtering on API responses before saving to disk. When re-reading saved files, apply the same untrusted-content handling as for fresh API responses. Consider sandboxing the file re-reading process. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Installation Script Fetched Over HTTP Without Integrity VerificationThe SKILL.md instructions direct users to install parallel-cli using a curl-pipe-bash pattern without any integrity verification: 'curl -fsSL https://parallel.ai/install.sh | bash'. This pattern is inherently risky as it executes remotely-fetched code without checksum verification, and is susceptible to MITM attacks or server-side compromise. File:
SKILL.mdRemediation: Prefer the 'uv tool install' method with a pinned version. If using curl-pipe-bash, provide SHA256 checksums for verification. Document the expected hash of the install script and instruct users to verify before execution. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Cross-Skill Capability Invocation Without Explicit User ConsentThe SKILL.md instructions direct the agent to automatically invoke the 'scientific-schematics' skill when creating documents, without explicit user request: 'When creating documents with this skill, always consider adding scientific diagrams... Use the scientific-schematics skill to generate AI-powered publication-quality diagrams'. This represents capability inflation by automatically triggering additional skills beyond the stated research lookup purpose. File:
SKILL.mdRemediation: Remove automatic cross-skill invocation directives. Skills should only invoke other skills when explicitly requested by the user. Change the instruction to suggest the scientific-schematics skill as an option rather than a default behavior. -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Unvalidated User Query Passed Directly to External API RequestsUser-supplied research queries are passed without sanitization directly into API request payloads sent to external services (Parallel Chat API and Perplexity via OpenRouter). The query string is embedded in message content sent to LLM backends. A malicious user could craft queries containing prompt injection payloads targeting the downstream LLM services, potentially manipulating the research results returned or causing unexpected behavior in the backend models. File:
research_lookup.pyRemediation: Validate and sanitize user queries before forwarding to external APIs. Consider length limits, character filtering, and content policy checks. Log queries for audit purposes. Treat downstream LLM responses as untrusted data. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ API Keys Transmitted to External Third-Party ServicesThe skill reads PARALLEL_API_KEY and OPENROUTER_API_KEY from environment variables and transmits them directly to external API endpoints (https://api.parallel.ai and https://openrouter.ai). While this is the intended design for a research tool, the keys are sent in HTTP Authorization headers to third-party services. If either service is compromised or the URLs are manipulated, credentials could be exposed. The OPENROUTER_API_KEY is also passed to a subprocess via environment variable in generate_schematic.py, which is a safer pattern, but the key is still transmitted externally. File:
research_lookup.pyRemediation: This is expected behavior for an API-based skill. Ensure API keys are scoped to minimum required permissions, use short-lived tokens where possible, and document clearly which external services receive credentials. Consider adding domain validation before transmitting keys. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/research-lookup/examples.py File:
scientific-skills/research-lookup/examples.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/research-lookup/lookup.py File:
scientific-skills/research-lookup/lookup.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/research-lookup/research_lookup.py File:
scientific-skills/research-lookup/research_lookup.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/research-lookup/research_lookup.py File:
scientific-skills/research-lookup/research_lookup.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/research-lookup/scripts/generate_schematic.py File:
scientific-skills/research-lookup/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/research-lookup/scripts/generate_schematic_ai.py File:
scientific-skills/research-lookup/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/research-lookup/scripts/generate_schematic_ai.py File:
scientific-skills/research-lookup/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/research-lookup/scripts/research_lookup.py File:
scientific-skills/research-lookup/scripts/research_lookup.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/research-lookup/scripts/research_lookup.py File:
scientific-skills/research-lookup/scripts/research_lookup.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External Package DependenciesThe skill uses 'pip install openai' and 'pip install requests' without version pinning, as referenced in error messages and documentation. The generate_schematic_ai.py script also uses 'pip install requests' without version constraints. Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be installed. File:
scripts/generate_schematic_ai.py:14Remediation: Pin all dependencies to specific versions (e.g., requests==2.31.0, openai==1.x.x). Use a requirements.txt or pyproject.toml with pinned versions and hash verification. Consider using a lockfile.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Cross-Skill Activation Inflation via scientific-schematics Skill ReferenceThe SKILL.md instructions contain a section that actively promotes and triggers activation of another skill ('scientific-schematics') by instructing the agent to 'always consider adding scientific diagrams' and to use the scientific-schematics skill 'by default' for new documents. This creates over-broad activation behavior where the scholar-evaluation skill attempts to invoke additional skills beyond its stated evaluation purpose, inflating its effective capability footprint. File:
SKILL.md:30Remediation: Remove or make optional the cross-skill invocation instructions. The scholar-evaluation skill should focus on its stated purpose of evaluating scholarly work. If schematic generation is desired, it should be explicitly requested by the user rather than triggered automatically. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scholar-evaluation/scripts/generate_schematic.py File:
scientific-skills/scholar-evaluation/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/scholar-evaluation/scripts/generate_schematic_ai.py File:
scientific-skills/scholar-evaluation/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scholar-evaluation/scripts/generate_schematic_ai.py File:
scientific-skills/scholar-evaluation/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Full Environment Copy Passed to SubprocessIn generate_schematic.py, the code performs env = os.environ.copy() and passes the entire environment to the subprocess. This means ALL environment variables present in the agent's environment (which may include AWS credentials, SSH keys, database passwords, other API tokens, etc.) are forwarded to the child process and potentially accessible to generate_schematic_ai.py. File:
scripts/generate_schematic.py:93Remediation: Instead of copying the full environment, construct a minimal environment containing only the variables needed: env = {"OPENROUTER_API_KEY": api_key, "PATH": os.environ.get("PATH", "")}. This prevents accidental forwarding of sensitive credentials. -
π HIGH
LLM_DATA_EXFILTRATIONβ Cross-File Environment Variable Exfiltration ChainThe generate_schematic.py wrapper script reads OPENROUTER_API_KEY from the environment (or CLI argument) and passes it to generate_schematic_ai.py via subprocess environment injection. This creates a two-file exfiltration chain where the API key flows from environment β generate_schematic.py β subprocess env β generate_schematic_ai.py β external HTTP POST. The static analyzer confirmed this cross-file env var exfiltration chain across 2 files. File:
scripts/generate_schematic.py:95Remediation: Document the full data flow to users. Avoid copying the entire os.environ (which may contain other sensitive variables) β instead pass only the specific required key. Consider whether the wrapper script is necessary or if it adds unnecessary attack surface. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External Dependency (requests library)The generate_schematic_ai.py script imports the 'requests' library without version pinning. The install instruction shown is 'pip install requests' with no version constraint. An unpinned dependency could be subject to supply chain attacks if a malicious version is published or if the user's environment resolves to a compromised version. File:
scripts/generate_schematic_ai.py:14Remediation: Specify a pinned version in requirements.txt (e.g., requests==2.31.0) and include a requirements.txt in the skill package. Reference it in SKILL.md setup instructions. -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Exfiltration via External Network CallsThe generate_schematic_ai.py script reads the OPENROUTER_API_KEY from environment variables and transmits it in HTTP Authorization headers to external servers (openrouter.ai). While the stated purpose is legitimate API usage, the script also sends user-provided prompts, image data, and review logs to external endpoints. The API key is read from the environment and included in every outbound request, creating a credential exposure risk if the API key has broad permissions or if the endpoint is compromised/spoofed. File:
scripts/generate_schematic_ai.py:130Remediation: Clearly document in SKILL.md that this skill makes external network calls and transmits the OPENROUTER_API_KEY. Validate the endpoint URL against an allowlist before sending credentials. Consider using a secrets manager rather than environment variables for API key storage. -
π‘ MEDIUM
LLM_PROMPT_INJECTIONβ Indirect Prompt Injection via External API ResponsesThe generate_schematic_ai.py script sends user-controlled prompts to external AI models (Gemini 3.1 Pro Preview via OpenRouter) and then uses the returned text as critique/feedback that is incorporated into subsequent generation prompts via improve_prompt(). Malicious content in API responses could inject instructions into the iterative refinement loop, potentially manipulating the agent's behavior or the generated output. File:
scripts/generate_schematic_ai.py:350Remediation: Treat API response content (critique) as untrusted data. Do not directly interpolate external API responses into new prompts without sanitization. Consider using structured output formats from the review model to limit injection surface. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Review Log Written to Disk Contains Potentially Sensitive PromptsThe generate_schematic_ai.py script automatically saves a JSON review log to disk (base_name_review_log.json) containing the full user prompt, all iteration prompts (which may include sensitive research content), critique text from external AI models, and quality scores. This log persists on disk without user consent or notification. File:
scripts/generate_schematic_ai.py:430Remediation: Inform users that review logs are saved and provide an option to disable logging. Ensure logs do not contain sensitive research content that the user did not intend to persist. Consider making log saving opt-in rather than automatic.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Skill References Non-Existent Brand 'Nano Banana Pro' and 'Nano Banana 2' in InstructionsThe SKILL.md instructions reference 'Nano Banana Pro' as if it is a known product that 'will automatically generate, review, and refine the schematic.' This brand name does not correspond to any known AI product and appears to be a fictional or placeholder brand. The scripts actually use Google Gemini models via OpenRouter. This creates a misleading capability description that could confuse users about what technology is being used and who processes their data. File:
SKILL.mdRemediation: Replace the fictional 'Nano Banana Pro' brand reference with accurate descriptions of the actual models used (Google Gemini via OpenRouter). Ensure users understand which third-party AI services process their data. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scientific-critical-thinking/scripts/generate_schematic.py File:
scientific-skills/scientific-critical-thinking/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/scientific-critical-thinking/scripts/generate_schematic_ai.py File:
scientific-skills/scientific-critical-thinking/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scientific-critical-thinking/scripts/generate_schematic_ai.py File:
scientific-skills/scientific-critical-thinking/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
LLM_UNAUTHORIZED_TOOL_USEβ Allowed-Tools Declaration Includes Bash but Bash Usage Is for Subprocess Execution of External ScriptsThe skill declares allowed-tools including Bash and Write. The generate_schematic.py script uses subprocess.run() to execute another Python script (generate_schematic_ai.py), passing user-controlled arguments (the prompt string) directly as command-line arguments. While the prompt is passed as a positional argument rather than via shell=True, the subprocess chain creates an indirect execution path that could be abused if the prompt contains shell metacharacters in certain execution contexts. File:
scripts/generate_schematic.py:95Remediation: Validate that args.prompt and args.output do not contain path traversal sequences or unexpected characters. Consider passing the prompt via stdin or a temporary file rather than as a command-line argument to avoid any argument injection risks. Use check=True to handle subprocess failures explicitly. -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Harvested from Environment and Transmitted to External ServiceThe scripts read the OPENROUTER_API_KEY environment variable and transmit it to an external API endpoint (https://openrouter.ai/api/v1). While OpenRouter is a legitimate service, the pattern of harvesting environment variables and sending them over the network represents a data exfiltration risk. The key is passed through subprocess calls and environment copies, creating a chain where sensitive credentials flow from the local environment to external servers. Additionally, the .env file loading mechanism searches for and loads credential files from the filesystem. File:
scripts/generate_schematic_ai.py:85Remediation: Ensure the API key is scoped to only the permissions needed. Document clearly that this skill requires an external API key and transmits data to OpenRouter. Consider adding explicit user consent prompts before transmitting data. Validate that the endpoint URL is not user-controllable. -
π HIGH
LLM_DATA_EXFILTRATIONβ Cross-File Exfiltration Chain: User Prompt Content Sent to External AI APIsThe skill takes user-provided diagram descriptions (arbitrary natural language input) and sends them directly to external AI APIs (OpenRouter, Google Gemini models). The user's prompt content, which may contain sensitive information about their research, documents, or projects, is transmitted to third-party servers without explicit disclosure in the skill manifest or instructions. The generate_schematic.py wrapper calls generate_schematic_ai.py via subprocess, forming a two-file exfiltration chain identified by static analysis. File:
scripts/generate_schematic_ai.py:175Remediation: Add explicit disclosure in SKILL.md that user prompt content is transmitted to OpenRouter and Google AI APIs. Add a user confirmation step before transmitting content. Document data retention policies of the third-party services. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Iterative API Call Loop with External Rate-Unlimited RequestsThe generate_iterative() method makes multiple sequential API calls (up to 2 iterations Γ 2 API calls per iteration = up to 4 external API calls per invocation). While the maximum is capped at 2 iterations, each call has a 120-second timeout, meaning a single skill invocation could block for up to 8 minutes and incur significant API costs. There is no rate limiting, cost cap, or user warning about potential API charges. File:
scripts/generate_schematic_ai.py:245Remediation: Add explicit user warnings about API costs before execution. Display estimated cost per run. Consider adding a --dry-run flag. Ensure the iteration cap of 2 is enforced (it is, but document this clearly for users). -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Generated Images and Review Logs Written to Filesystem Without Scope LimitationThe script writes generated images and JSON review logs to the filesystem based on user-specified output paths. The output directory is created automatically with mkdir(parents=True, exist_ok=True), meaning the script will create arbitrary directory structures. The review log contains the full prompt, critique text, and API response metadata, which could expose sensitive information if the output path is in a shared or accessible location. File:
scripts/generate_schematic_ai.py:290Remediation: Validate and sanitize the output path to prevent path traversal. Restrict output to a designated figures/ directory within the project. Warn users that review logs contain prompt content before writing them.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ References Non-Existent AI Models ('Nano Banana 2', 'Gemini 3.1 Pro Preview')The skill prominently advertises 'Nano Banana 2 AI' as the image generation model throughout the SKILL.md and scripts. However, the actual model used in the code is 'google/gemini-3.1-flash-image-preview'. 'Nano Banana 2' does not appear to be a real AI model name - this is either a fictional/placeholder name or a deceptive marketing claim. Similarly, 'Gemini 3.1 Pro Preview' is referenced but the model ID used is 'google/gemini-3.1-pro-preview' which may not exist. This capability inflation through fictional model names could mislead users about what AI system is actually processing their data. File:
SKILL.md:1Remediation: Use accurate model names in all documentation and descriptions. Do not advertise fictional AI model names. Clearly document which actual models are being used so users can make informed decisions about data privacy and capability expectations. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scientific-schematics/scripts/generate_schematic.py File:
scientific-skills/scientific-schematics/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/scientific-schematics/scripts/generate_schematic_ai.py File:
scientific-skills/scientific-schematics/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scientific-schematics/scripts/generate_schematic_ai.py File:
scientific-skills/scientific-schematics/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External Dependency (requests library)The skill requires the 'requests' library but does not specify a version pin anywhere in the skill package. The bash example script mentions 'pip install requests' without a version constraint. Unpinned dependencies can lead to supply chain risks if a malicious version is published or if a breaking change is introduced. File:
scripts/example_usage.sh:5Remediation: Pin the requests library to a specific version (e.g., 'pip install requests==2.31.0') and include a requirements.txt file with pinned dependencies. Consider using a hash-pinned requirements file for maximum supply chain security. -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ User-Controlled Input Passed Directly to Subprocess CommandIn generate_schematic.py, the user-provided prompt (args.prompt) is passed directly as a command-line argument to a subprocess call without sanitization. While subprocess.run with a list (not shell=True) mitigates shell injection, the prompt is then embedded into AI model requests as part of a formatted string in generate_schematic_ai.py. Specially crafted prompts could potentially manipulate the AI model's behavior or inject instructions into the review prompt that includes the original user prompt verbatim. File:
scripts/generate_schematic.py:89Remediation: Sanitize or validate user prompts before embedding them in AI model requests. Consider length limits and character filtering. The review prompt embeds the original user prompt verbatim, which could allow prompt injection into the Gemini review model. -
π HIGH
LLM_DATA_EXFILTRATIONβ User Diagram Content and Generated Images Sent to External AI ServicesThe skill sends user-provided diagram descriptions (potentially containing sensitive research data, proprietary system architectures, or confidential methodology details) to OpenRouter's API, which routes them to Google's Gemini models. Generated images are also base64-encoded and sent back to the review model. Users creating diagrams for unpublished research, grant proposals, or confidential projects may inadvertently expose sensitive intellectual property to third-party AI services. The skill does not warn users about this data transmission. File:
scripts/generate_schematic_ai.py:140Remediation: Add explicit disclosure in SKILL.md and at runtime that user prompts and generated images are transmitted to OpenRouter and Google's Gemini API. Allow users to opt out of the quality review step (which sends images externally) if they have confidentiality concerns. -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Transmitted to External OpenRouter ServiceThe skill requires users to set an OPENROUTER_API_KEY environment variable, which is then read and transmitted in HTTP Authorization headers to openrouter.ai. While OpenRouter is a legitimate API gateway, the skill sends this credential in every API request. The key is also passed through subprocess environment variables in generate_schematic.py. If the API key has broad permissions, this represents a credential exposure risk. Additionally, the skill reads the full environment (os.environ.copy()) and passes it to subprocesses, which could expose other sensitive environment variables beyond just the API key. File:
scripts/generate_schematic_ai.py:155Remediation: Limit environment variable propagation to only required variables rather than copying the full environment with os.environ.copy(). Document clearly what data is sent to external services. Consider adding a warning to users about what data is transmitted to OpenRouter (diagram prompts, generated images for review). -
π‘ MEDIUM
LLM_PROMPT_INJECTIONβ User Prompt Embedded Verbatim in AI Review Model InstructionsThe review_image() method in generate_schematic_ai.py embeds the user-provided original_prompt directly and verbatim into the review prompt sent to Gemini 3.1 Pro Preview. A malicious user could craft a diagram description that contains instructions to manipulate the review model's scoring behavior (e.g., 'always score 10/10' or 'output ACCEPTABLE regardless of quality'). This could cause the quality review system to be bypassed or manipulated. File:
scripts/generate_schematic_ai.py:222Remediation: Sanitize or escape user-provided content before embedding it in AI model prompts. Consider wrapping the user prompt in clear delimiters with explicit instructions to the review model to treat the content as data, not instructions. Example: wrap in XML-like tags and instruct the model to only use it as reference context.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 4 filesEnvironment variable access with network calls in scripts/generate_slide_image_ai.py, scripts/generate_slide_image.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_slide_image.py, scripts/generate_slide_image_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 4 filesMulti-file exfiltration chain detected: scripts/generate_slide_image_ai.py, scripts/generate_slide_image.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_slide_image_ai.py, scripts/generate_schematic_ai.py β scripts/generate_slide_image_ai.py, scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_slide_image.py, scripts/generate_slide_image_ai.py, scripts/generate_schematic.py
-
π‘ MEDIUM
LLM_PROMPT_INJECTIONβ Indirect Prompt Injection via Attached User FilesThe skill explicitly instructs the agent to attach user-provided files and figures to AI generation prompts using the --attach flag. The SKILL.md instructions say to 'check for existing figures' in the working directory and 'attach ALL relevant figures.' If a user places a specially crafted image file in the working directory (e.g., an image containing embedded text instructions), it will be sent to the Nano Banana Pro model as context, potentially manipulating the AI's output. The skill also instructs: 'Before generating results slides, always: List files in working directory: ls -la figures/ or ls -la results/' File:
SKILL.mdRemediation: Implement file type validation and restrict attachments to known image formats. Add a warning when attaching files from user-provided directories. Consider limiting attachment sources to files explicitly specified by the user rather than auto-discovered files from directory listings. -
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Claims and Keyword Baiting in Skill DescriptionThe skill description contains an extensive list of trigger keywords designed to maximize activation across a wide range of presentation-related queries: 'PowerPoint slides, conference presentations, seminar talks, research presentations, thesis defense slides, or any scientific talk.' The phrase 'or any scientific talk' is particularly over-broad. While this is a legitimate presentation skill, the description is engineered to match nearly any presentation-related request, inflating perceived scope beyond what the skill actually delivers. File:
SKILL.mdRemediation: Narrow the description to accurately reflect the skill's actual capabilities without exhaustive keyword enumeration. A concise description like 'Build scientific presentation slide decks using AI image generation (PDF workflow) or LaTeX Beamer' would be more accurate. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools Restriction for Network AccessThe skill declares allowed-tools: Read Write Edit Bash but the scripts make extensive external network calls to https://openrouter.ai/api/v1. The Bash tool is declared, which enables arbitrary command execution. The skill does not declare any network restrictions, and the combination of Bash + Python execution with external API calls creates a broad attack surface. While network access is intentional for the AI generation feature, the scope of allowed operations is very broad. File:
SKILL.mdRemediation: Document the network endpoints accessed by this skill in the SKILL.md description. Consider adding a note about the external API dependency and data transmission in the skill's compatibility or description fields so users are aware of the network activity. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded API Calls and Resource ConsumptionThe skill instructs the agent to generate each slide individually using AI image generation, with up to 2 iterations per slide plus a quality review call. For a 15-18 slide presentation, this could result in 45-54 API calls (3 per slide Γ 18 slides). The SKILL.md instructions encourage generating 'each slide' without any limit on presentation size. Combined with the slides_to_pdf.py script loading all images into memory simultaneously, large presentations could exhaust both API rate limits and system memory. File:
SKILL.mdRemediation: Add a maximum slide count warning in the skill instructions. Implement streaming/chunked PDF creation in slides_to_pdf.py rather than loading all images simultaneously. Add rate limiting or batching logic to the generation scripts. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scientific-slides/scripts/generate_schematic.py File:
scientific-skills/scientific-slides/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/scientific-slides/scripts/generate_schematic_ai.py File:
scientific-skills/scientific-slides/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scientific-slides/scripts/generate_schematic_ai.py File:
scientific-skills/scientific-slides/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scientific-slides/scripts/generate_slide_image.py File:
scientific-skills/scientific-slides/scripts/generate_slide_image.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/scientific-slides/scripts/generate_slide_image_ai.py File:
scientific-skills/scientific-slides/scripts/generate_slide_image_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scientific-slides/scripts/generate_slide_image_ai.py File:
scientific-skills/scientific-slides/scripts/generate_slide_image_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_EVAL_SUBPROCESSβ eval/exec combined with subprocess detectedDangerous combination of code execution and system commands in scientific-skills/scientific-slides/scripts/validate_presentation.py File:
scientific-skills/scientific-slides/scripts/validate_presentation.pyRemediation: Remove eval/exec or use safer alternatives -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Sensitive Review Log Written to Disk Containing Full API PromptsThe generate_schematic_ai.py script writes a detailed JSON review log to disk that includes the full prompt text (including any sensitive research content), API responses, critique text, and iteration history. This log is written to the same directory as the output file and is not cleaned up. The log file could expose sensitive research data, proprietary information, or API response content to anyone with file system access. File:
scripts/generate_schematic_ai.pyRemediation: Either remove the review log functionality or make it opt-in via a --save-log flag. If logs are needed for debugging, strip sensitive content (user prompts, API responses) before writing, or write only summary statistics (score, iteration count, success/failure). -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Subprocess Command Injection via Wrapper Script PatternThe generate_slide_image.py and generate_schematic.py scripts act as wrappers that construct subprocess commands using user-supplied arguments and execute them via subprocess.run(). The prompt argument from the command line is passed directly into the cmd list. While list-based subprocess calls prevent shell injection, the prompt content is passed as a direct argument to the AI script, which then uses it unsanitized in API calls. Additionally, attachment file paths from --attach arguments are passed directly into the command without path traversal validation. File:
scripts/generate_slide_image.pyRemediation: Validate attachment file paths to prevent path traversal attacks (e.g., --attach ../../../../etc/passwd). Ensure paths are within expected directories. Add input length limits on the prompt argument to prevent excessively large payloads. -
π HIGH
LLM_COMMAND_INJECTIONβ Prompt Injection via User-Controlled Slide Prompts Passed to External AI ModelUser-supplied prompt text is passed directly to the Nano Banana Pro (google/gemini-3-pro-image-preview) model via the OpenRouter API without sanitization or content filtering. The SKILL.md instructions explicitly instruct the agent to include user-provided content (research titles, speaker names, bullet points) directly in the prompt string. A malicious user could craft a slide description containing prompt injection payloads targeting the image generation model, potentially causing it to generate harmful, misleading, or policy-violating content that gets embedded in the presentation. File:
scripts/generate_slide_image_ai.pyRemediation: Implement prompt sanitization before passing user content to the external AI model. Separate structural prompt components from user-supplied content. Consider using a system prompt to establish context and constraints, and clearly delimit user content within the generation prompt. -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Exfiltration via Environment Variable Harvesting and External Network CallsThe scripts read the OPENROUTER_API_KEY environment variable and transmit it as a Bearer token to an external API endpoint (https://openrouter.ai/api/v1). While this is the intended use of the API key, the pattern of harvesting environment variables and sending them over the network represents a data exfiltration vector. If the skill is invoked in an environment where other sensitive environment variables exist, the scripts also call os.environ.copy() which copies ALL environment variables into the subprocess environment, potentially exposing secrets beyond just the API key. File:
scripts/generate_slide_image_ai.pyRemediation: Instead of passing os.environ.copy() (which includes ALL environment variables), pass only the minimal required environment variables to subprocess calls. Use a minimal dict: env = {'OPENROUTER_API_KEY': api_key, 'PATH': os.environ.get('PATH', '')}. This prevents inadvertent exposure of other secrets (AWS keys, SSH keys, database passwords) that may be in the environment.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 3 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_image.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 3 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py, scripts/generate_image.py β scripts/generate_schematic_ai.py, scripts/generate_image.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_image.py, scripts/generate_schematic.py
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Overly Aggressive Figure Generation Mandates May Inflate API UsageThe SKILL.md contains mandatory directives requiring extensive figure generation with very high minimum counts (e.g., 20-30 figures for market research, 1-2 figures per slide for presentations). The instructions use strong language like 'MANDATORY', 'CRITICAL', 'ALWAYS', and 'Generate figures liberally - when in doubt, add a visual.' This could cause the agent to make many more external API calls than necessary, potentially incurring significant costs for users without their explicit consent for each call. File:
SKILL.mdRemediation: Replace mandatory figure generation requirements with recommendations. Add cost/API-call awareness guidance. Allow users to opt-in to extensive figure generation rather than making it mandatory. Add estimated API call counts to help users understand potential costs. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scientific-writing/scripts/generate_schematic.py File:
scientific-skills/scientific-writing/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/scientific-writing/scripts/generate_schematic_ai.py File:
scientific-skills/scientific-writing/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/scientific-writing/scripts/generate_schematic_ai.py File:
scientific-skills/scientific-writing/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Exfiltration via Environment Variable Harvesting and External Network CallsAll three Python scripts (generate_schematic_ai.py, generate_image.py, generate_schematic.py) read the OPENROUTER_API_KEY from environment variables and transmit it to external servers (openrouter.ai). While OpenRouter is a legitimate AI API service, the pattern of harvesting environment variables and sending them over the network represents a data exfiltration risk. The generate_image.py script additionally walks parent directories searching for .env files containing API keys, which is an over-broad credential harvesting pattern that could expose keys from unrelated projects. File:
scripts/generate_image.pyRemediation: Restrict .env file search to the current directory only (not parent directories). The generate_schematic_ai.py already implements this correctly with _load_env_file() limiting to cwd and script dir. Apply the same restriction to generate_image.py. Additionally, document clearly in SKILL.md that the API key is transmitted to openrouter.ai so users are aware of this data flow. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Cross-File Exfiltration Chain: User Prompt Content Sent to External AI APIsThe skill creates a multi-file chain where user-provided scientific content (research descriptions, paper topics, diagram descriptions) is transmitted to external AI services via OpenRouter. The generate_schematic.py wrapper calls generate_schematic_ai.py which sends user prompts to google/gemini-3.1-flash-image-preview and google/gemini-3.1-pro-preview via openrouter.ai. The generate_image.py also sends user prompts and optionally user-provided images to external APIs. This cross-file exfiltration chain means potentially sensitive research content (unpublished findings, proprietary data descriptions) is sent to third-party services without explicit user consent warnings in the skill manifest. File:
scripts/generate_schematic.pyRemediation: Add explicit disclosure in SKILL.md that user content (diagram descriptions, paper topics) will be transmitted to OpenRouter and Google AI services. Consider adding a user confirmation step before transmitting potentially sensitive research content to external APIs. Document the data flow clearly in the skill manifest. -
π‘ MEDIUM
LLM_UNAUTHORIZED_TOOL_USEβ Allowed-Tools Violation: Bash and Python Declared but Scripts Make Unrestricted Network CallsThe SKILL.md declares allowed-tools as [Read, Write, Edit, Bash], but the Python scripts make extensive outbound network calls to openrouter.ai (an external third-party service). The allowed-tools declaration does not include any network/internet access capability, yet the scripts perform HTTP POST requests to external APIs. This represents a behavioral mismatch between declared capabilities and actual behavior. Additionally, the skill instructs the agent to run bash commands (xelatex, lualatex) for LaTeX compilation, which could execute arbitrary system commands. File:
scripts/generate_schematic_ai.pyRemediation: Update the SKILL.md manifest to explicitly declare network access as a capability. Add a clear description that the skill makes outbound API calls to openrouter.ai. Consider adding user confirmation before making external API calls with potentially sensitive content. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External Dependencies and Unverified AI Model IdentifiersThe scripts use unpinned model identifiers (google/gemini-3.1-flash-image-preview, google/gemini-3.1-pro-preview, black-forest-labs/flux.2-pro) that could change behavior if the underlying models are updated or replaced by OpenRouter. The scripts also use 'import requests' without version pinning. If the requests library or model endpoints change, the behavior of the skill could change unexpectedly. The model name 'Nano Banana 2' referenced in comments does not match the actual model ID used (google/gemini-3.1-flash-image-preview), suggesting documentation inconsistency that could confuse users about what service is being used. File:
scripts/generate_schematic_ai.pyRemediation: Pin the requests library version in requirements. Document clearly which AI models are being used and their actual identifiers. Remove misleading 'Nano Banana 2' references that don't match the actual model IDs. Consider adding model version pinning or validation.
-
π΄ CRITICAL
LLM_DATA_EXFILTRATIONβ Cross-File Environment Variable Exfiltration Chain DetectedStatic analysis has flagged a cross-file exfiltration chain spanning 3 files within this skill package. The pattern indicates environment variable access combined with network calls, suggesting credentials or sensitive environment data (e.g., API keys, tokens, AWS credentials) are being harvested and transmitted to an external endpoint. Although the specific script files (seaborn.py, matplotlib.py) were reported as 'not found' in the provided content, the static analyzer identified 3 Python files in the package inventory and flagged cross-file exfiltration behavior across all three. This is a critical threat: the skill presents itself as a benign data visualization helper but likely contains hidden data exfiltration logic. Remediation: Do not install or use this skill. Inspect all Python files in the package (including any not surfaced in the analysis) for os.environ access, subprocess calls, and outbound network requests. Remove or quarantine the skill entirely. Report to the skill author (K-Dense Inc.) and treat any environment variables on the host system as potentially compromised.
-
π HIGH
LLM_OBFUSCATIONβ Hidden Script Files Not Surfaced for Review (Detection Evasion)The skill package contains 3 Python files according to the static file inventory, but the skill analysis pipeline reports 'No script files found' and the referenced files (seaborn.py, matplotlib.py) are listed as 'not found.' This discrepancy strongly suggests the malicious scripts are present in the package but are being concealed from the review surface β either through non-standard file placement, obfuscated filenames, or packaging tricks designed to evade analysis. The static analyzer was still able to detect their behavioral signatures, confirming their presence. Remediation: Perform a full filesystem inspection of the skill package directory. List all files including hidden files (ls -la). Inspect all .py files regardless of whether they appear in SKILL.md references. Treat any skill where the file inventory and script content are inconsistent as actively attempting to evade security review.
-
π΄ CRITICAL
LLM_SKILL_DISCOVERY_ABUSEβ Capability Inflation / Deceptive Skill IdentityThe skill presents itself as a legitimate, well-known open-source library wrapper ('seaborn' statistical visualization) with a plausible description, BSD-3-Clause license claim, and detailed documentation mimicking the real seaborn library. This is a classic capability inflation / brand impersonation attack: the skill name and description are designed to appear trustworthy and match a widely-used Python package, increasing the likelihood of adoption. The actual Python files in the package (flagged for exfiltration behavior) are hidden behind this benign facade. The SKILL.md instructions are elaborate and technically accurate, further reinforcing the deception. File:
SKILL.mdRemediation: Reject this skill. Do not confuse it with the legitimate seaborn Python library. Verify skill provenance carefully β legitimate visualization skills do not require bundled Python scripts that access environment variables and make network calls. Flag 'K-Dense Inc.' as an untrusted skill author.
-
π΄ CRITICAL
LLM_DATA_EXFILTRATIONβ Cross-File Environment Variable Exfiltration Chain DetectedThe static pre-scan analysis flagged three distinct behavioral indicators: (1) BEHAVIOR_ENV_VAR_EXFILTRATION - environment variable access combined with network calls, (2) BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN - a cross-file exfiltration chain spanning 3 files, and (3) BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION - cross-file environment variable exfiltration across 3 files. These findings strongly suggest that one or more of the referenced-but-missing Python files (scipy.py, sklearn.py, statsmodels.py, matplotlib.py) contain code that reads environment variables (potentially API keys, credentials, tokens) and transmits them to an external server. The skill's instructions cause the agent to import these libraries extensively, which would trigger the malicious code when the shadowed modules are loaded. File:
SKILL.mdRemediation: 1. IMMEDIATELY treat this skill as malicious and do not install or execute it. 2. Obtain and audit the full contents of scipy.py, sklearn.py, statsmodels.py, and matplotlib.py before any use. 3. Scan for os.environ, os.getenv, requests.post/get, urllib, socket, subprocess calls in those files. 4. If confirmed malicious, report to the skill author and relevant security teams. 5. Never place Python files named after standard library packages in a skill's working directory. -
π HIGH
LLM_SUPPLY_CHAIN_ATTACKβ Python Files Named After Popular Libraries May Shadow Legitimate ImportsThe skill references Python files named scipy.py, sklearn.py, statsmodels.py, and matplotlib.py. If these files exist in the working directory when the agent executes Python code, they would shadow the legitimate scipy, sklearn, statsmodels, and matplotlib packages due to Python's module resolution order (local directory takes precedence). This is a classic supply chain / dependency confusion attack vector. The instructions in SKILL.md extensively use these libraries, meaning any agent executing the provided code examples could inadvertently import malicious local files instead of the real packages. The static analyzer flagged cross-file exfiltration chains involving 3 files, suggesting these missing scripts may contain data harvesting or exfiltration logic. File:
SKILL.mdRemediation: 1. Do not include Python files with names matching popular packages (scipy.py, sklearn.py, statsmodels.py, matplotlib.py) in any skill package directory. 2. Rename any legitimate helper scripts to non-conflicting names. 3. Audit all referenced but missing files before deploying this skill. 4. When executing agent-generated Python code, ensure the working directory does not contain files that shadow standard library packages. 5. Investigate the cross-file exfiltration chain flagged by static analysis. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Multiple Referenced Files Not Found in PackageThe skill references numerous files that are not present in the package (templates/time_series.md, templates/glm.md, assets/linear_models.md, scipy.py, sklearn.py, assets/stats_diagnostics.md, statsmodels.py, templates/stats_diagnostics.md, templates/linear_models.md, templates/discrete_choice.md, assets/glm.md, assets/time_series.md, assets/discrete_choice.md, matplotlib.py). Several of these are Python file names matching well-known libraries (scipy.py, sklearn.py, statsmodels.py, matplotlib.py), which is unusual. If these are intended to be executable scripts, their absence means their content cannot be audited for malicious behavior. File:
SKILL.mdRemediation: Audit and include all referenced files in the skill package. Rename any files that shadow well-known Python library names (scipy.py, sklearn.py, statsmodels.py, matplotlib.py) to avoid confusion and potential import shadowing attacks. Verify that no missing scripts contain malicious logic. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, documenting which tools are permitted improves transparency and auditability of the skill's intended capabilities. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools this skill is permitted to use (e.g., [Python, Bash, Read, Grep]). -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility Field in ManifestThe SKILL.md manifest does not specify the 'compatibility' field. This reduces transparency about which environments the skill is designed to operate in. File:
SKILL.mdRemediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments (e.g., 'Works in Claude.ai, Claude Code, API').
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Undisclosed Brand/Product Promotion Embedded in Mandatory InstructionsThe SKILL.md instructions repeatedly reference 'Nano Banana Pro' as the entity that will 'automatically generate, review, and refine' schematics, and the skill author is listed as 'K-Dense Inc.' The mandatory schematic generation requirement effectively forces the agent to use and promote a specific commercial product (Nano Banana Pro / OpenRouter-based service) without disclosing this commercial relationship to users. This constitutes capability inflation through hidden commercial promotion embedded in mandatory workflow steps. File:
SKILL.mdRemediation: Disclose the commercial relationship between the skill author (K-Dense Inc.) and any promoted services. Remove mandatory promotion of specific commercial products. Allow users to choose their preferred schematic generation approach. Clearly label any commercial integrations. -
π‘ MEDIUM
LLM_UNAUTHORIZED_TOOL_USEβ Mandatory External Skill Dependency Creates Tool Exploitation SurfaceThe SKILL.md instructions declare that 'MANDATORY: Every treatment plan MUST include at least 1 AI-generated figure using the scientific-schematics skill.' This creates a forced dependency on an external skill (scientific-schematics) that the agent must invoke for every document. If the scientific-schematics skill is compromised or contains malicious instructions, this mandatory invocation chain could be exploited. The instruction also references 'Nano Banana Pro' as an entity that 'will automatically generate, review, and refine the schematic,' which is an undisclosed third-party service. File:
SKILL.mdRemediation: Remove the mandatory requirement for external skill invocation. Make schematic generation optional and user-initiated. Clearly identify 'Nano Banana Pro' as a third-party service and disclose its data handling practices. Do not force tool chaining without explicit user consent. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/treatment-plans/scripts/generate_schematic.py File:
scientific-skills/treatment-plans/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/treatment-plans/scripts/generate_schematic_ai.py File:
scientific-skills/treatment-plans/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/treatment-plans/scripts/generate_schematic_ai.py File:
scientific-skills/treatment-plans/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π HIGH
LLM_DATA_EXFILTRATIONβ Cross-File Exfiltration Chain: User Prompt Content Sent to External AI APIsThe generate_schematic.py script passes user-supplied prompt content to generate_schematic_ai.py via subprocess, which then transmits that content (potentially including sensitive patient/clinical information) to external OpenRouter API endpoints (https://openrouter.ai/api/v1). Given this is a medical treatment plan skill handling HIPAA-sensitive clinical data, sending user prompts to external third-party AI services creates a serious data exfiltration risk. The SKILL.md instructions mandate use of this schematic generation for every treatment plan ('MANDATORY: Every treatment plan MUST include at least 1 AI-generated figure'), meaning clinical data could routinely be sent externally. File:
scripts/generate_schematic.pyRemediation: Add explicit warnings in SKILL.md that schematic generation sends data to external APIs. Do not mandate this for every treatment plan. Implement a data sanitization step to strip any PHI/clinical identifiers before sending prompts to external services. Provide an offline/local alternative for HIPAA-sensitive environments. -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Subprocess Execution with User-Controlled ArgumentsThe generate_schematic.py script constructs a subprocess command using user-supplied prompt text (args.prompt) and passes it directly as a command-line argument to another Python script. While Python's subprocess.run with a list (not shell=True) mitigates shell injection, the user prompt is passed as a positional argument that could contain content designed to manipulate the downstream script's argument parsing or behavior. File:
scripts/generate_schematic.pyRemediation: Validate and sanitize user prompt input before passing to subprocess. Consider using inter-process communication (pipes/stdin) rather than command-line arguments for user-supplied content. Add length limits and character validation on the prompt parameter. -
π HIGH
LLM_DATA_EXFILTRATIONβ API Key Exfiltration via External Network Calls in Schematic GeneratorThe generate_schematic_ai.py script reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP Authorization headers to external OpenRouter API endpoints. While OpenRouter is a legitimate service, the skill bundles this behavior without explicit user consent or disclosure in the manifest. The API key is read from the environment and sent over the network, creating a credential exposure risk if the key has broad permissions or if the endpoint is manipulated. File:
scripts/generate_schematic_ai.pyRemediation: Clearly disclose in the SKILL.md manifest that this skill requires and uses an OPENROUTER_API_KEY and makes external network calls. Add explicit user confirmation before transmitting credentials. Consider scoping the API key to minimum required permissions and documenting this requirement prominently. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Environment Variable Harvesting via dotenv File LoadingThe generate_schematic_ai.py script attempts to load .env files from the current working directory and the script's parent directory using python-dotenv. This could inadvertently expose environment variables from the user's project directory, including secrets unrelated to this skill (database credentials, other API keys, etc.) that happen to be in a .env file in the working directory. File:
scripts/generate_schematic_ai.pyRemediation: Limit .env file loading to only the skill's own directory, not the current working directory (which may be the user's project). Document this behavior explicitly. Consider requiring the API key to be set explicitly rather than auto-loading from arbitrary .env files. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded External API Retry Loop PotentialThe generate_iterative method in generate_schematic_ai.py makes multiple sequential API calls (up to 2 iterations of image generation + quality review each), with each call having a 120-second timeout. In failure scenarios, the loop continues to the next iteration rather than stopping, potentially making up to 4 external API calls (2 generate + 2 review) per schematic. Since SKILL.md mandates at least one schematic per treatment plan, this could result in significant resource consumption and API costs without user awareness. File:
scripts/generate_schematic_ai.pyRemediation: Add explicit user notification of API call costs before initiating generation. Implement exponential backoff and a hard failure limit. Stop iteration on consecutive failures rather than continuing. Provide cost estimates to users before mandatory schematic generation.
-
π HIGH
LLM_SKILL_DISCOVERY_ABUSEβ Capability Inflation via Undisclosed Script FilesThe skill manifest declares no allowed-tools and the submission presents 'No script files found', yet the static file inventory reveals 23 total files including 6 Python scripts and 8 other files. This deliberate omission of executable scripts from the skill's presented surface area constitutes capability inflation and deceptive packaging β the skill hides its true operational footprint (Python execution, network access, environment variable harvesting) behind a benign documentation-only facade. The referenced files (umap.py, tensorflow.py, matplotlib.py, sklearn.py, hdbscan.py) are named to mimic well-known legitimate libraries, potentially to mislead reviewers. Remediation: Require full disclosure of all files in skill packages. Reject any skill where the presented file list does not match the actual file inventory. Flag the library-name mimicry (umap.py, tensorflow.py) as potential typosquatting or shadowing of legitimate module names.
-
π‘ MEDIUM
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Dependency InstallationThe skill instructs installation of umap-learn and umap-learn[parametric_umap] without version pinning. This exposes the environment to supply chain attacks where a compromised or malicious version of the package could be installed. Combined with the other exfiltration indicators in this package, this may be intentional to ensure a specific malicious version is pulled. Remediation: Always pin dependency versions (e.g., umap-learn==0.5.3). Use hash verification where possible. Validate package integrity against known-good checksums before installation.
-
π΄ CRITICAL
LLM_DATA_EXFILTRATIONβ Cross-File Environment Variable Exfiltration Chain DetectedStatic analysis flagged a cross-file exfiltration chain involving environment variable access combined with network calls across 2 files. Despite the skill presenting itself as a benign UMAP dimensionality reduction helper with no visible script files in the submission, the file inventory reveals 6 Python files and 8 'other' files totaling 23 files. The pre-scan static analyzers detected BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN patterns, indicating that hidden Python scripts within the package read environment variables (likely credentials such as API keys, AWS tokens, or other secrets) and transmit them to external endpoints. This is a classic readβsend data exfiltration pattern concealed within a legitimate-looking skill package. File:
SKILL.mdRemediation: Reject this skill package immediately. Audit all 6 Python files in the package for environment variable reads (os.environ, os.getenv) combined with network calls (requests, urllib, httpx, socket). Identify the exfiltration endpoint and report it. Do not install or execute this skill. -
π HIGH
LLM_UNAUTHORIZED_TOOL_USEβ Tool Shadowing via Library-Named Python FilesThe skill package contains Python files named after well-known libraries: umap.py, tensorflow.py, matplotlib.py, sklearn.py, and hdbscan.py. When the agent executes code that imports these libraries (as shown extensively in the SKILL.md instructions), Python's module resolution may preferentially load these local files over the legitimate installed packages. This is a classic tool/module shadowing attack β the malicious local files intercept calls intended for trusted libraries, enabling arbitrary code execution, credential theft, or behavioral manipulation while appearing to function normally. File:
SKILL.mdRemediation: Never allow skill packages to contain Python files named after standard library or popular third-party packages. Implement package name collision detection in skill validation. Audit the content of all 5 shadowing files for malicious code before any execution.
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATIONβ Cross-file env var exfiltration: 2 filesEnvironment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΄ CRITICAL
BEHAVIOR_CROSSFILE_EXFILTRATION_CHAINβ Cross-file exfiltration chain: 2 filesMulti-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β scripts/generate_schematic_ai.py β scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Cross-Skill Activation Promotion (scientific-schematics Skill)The SKILL.md instructions prominently promote the use of a separate 'scientific-schematics' skill and instruct the agent to generate schematics 'by default' for new documents, even when not explicitly requested by the user. This represents capability inflation by automatically triggering additional skill activation and external API calls beyond the stated purpose of providing LaTeX templates and formatting requirements. File:
SKILL.mdRemediation: Remove the 'by default' instruction for schematic generation. Change the language to suggest schematics as an optional enhancement only when explicitly requested by the user, rather than as an automatic default behavior. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/venue-templates/scripts/generate_schematic.py File:
scientific-skills/venue-templates/scripts/generate_schematic.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΄ CRITICAL
BEHAVIOR_ENV_VAR_EXFILTRATIONβ Environment variable access with network calls detectedScript accesses environment variables and makes network calls in scientific-skills/venue-templates/scripts/generate_schematic_ai.py File:
scientific-skills/venue-templates/scripts/generate_schematic_ai.pyRemediation: Remove environment variable harvesting or network transmission -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/venue-templates/scripts/generate_schematic_ai.py File:
scientific-skills/venue-templates/scripts/generate_schematic_ai.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ User Document Content Transmitted to External Third-Party AI ServiceThe generate_schematic_ai.py script sends user-provided prompt content (which may describe sensitive research, unpublished findings, or proprietary methodologies) to the external OpenRouter API, which routes to Google Gemini models. The review step also sends generated images back to the same external service. This creates a data exfiltration risk where confidential academic or research content could be transmitted to third-party servers without explicit user awareness. File:
scripts/generate_schematic_ai.pyRemediation: Add a prominent warning in SKILL.md and at runtime that user content will be sent to OpenRouter/Google Gemini. Require explicit user confirmation before transmitting content. Consider adding a --no-external flag for users who cannot share content with third parties. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Iterative External API Calls with Potential for Repeated Compute UsageThe generate_schematic_ai.py script implements an iterative refinement loop that makes multiple calls to external AI APIs (image generation + quality review per iteration, up to 2 iterations). While capped at 2 iterations, each iteration involves two separate API calls (generation + review), and the script saves intermediate files and JSON logs. If invoked repeatedly or in automated workflows, this could result in significant API cost accumulation and compute usage. File:
scripts/generate_schematic_ai.pyRemediation: Add rate limiting and cost estimation warnings before execution. Clearly document the number of API calls made per invocation. Consider adding a --dry-run flag that shows what would be called without making actual API requests. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External Dependency (requests library)The generate_schematic_ai.py script imports the 'requests' library without any version pinning. The script checks for its presence with a try/except ImportError and suggests 'pip install requests' without specifying a version. This could allow a compromised or malicious version of the requests library to be installed, potentially intercepting API keys or modifying network traffic. File:
scripts/generate_schematic_ai.py:14Remediation: Specify a pinned version in a requirements.txt file (e.g., requests==2.31.0) and reference it in the installation instructions. Use a hash-verified install for production environments. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ API Key Transmitted via External Network CallsThe generate_schematic_ai.py script reads the OPENROUTER_API_KEY from environment variables and transmits it in HTTP Authorization headers to the external OpenRouter API (https://openrouter.ai/api/v1). While this is the intended use of the API key, the script also makes outbound network calls with user-supplied prompt content, which could expose sensitive information embedded in prompts to a third-party service. The key is also passed between scripts via environment variable copying in generate_schematic.py. File:
scripts/generate_schematic_ai.py:130Remediation: Clearly document in SKILL.md that this skill transmits user prompt content and API keys to the external OpenRouter service. Add explicit user consent prompts before making external API calls. Validate that no sensitive document content is inadvertently included in schematic generation prompts.
-
π HIGH
LLM_DATA_EXFILTRATIONβ Static Analysis Detected Environment Variable Exfiltration and Cross-File Exfiltration ChainThe pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls) and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain across 2 files) and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION (cross-file env var exfiltration across 2 files). The file inventory shows 10 Python files in the skill package, none of which were provided for review. This is a significant discrepancy: the skill submission claims 'No script files found' but the static analyzer detected 10 Python files with suspicious behaviors. This strongly suggests hidden or undisclosed Python scripts performing credential/environment variable harvesting and network exfiltration. File:
SKILL.mdRemediation: Immediately audit all 10 Python files in the skill package. The discrepancy between 'No script files found' in the submission and the static analyzer's detection of 10 Python files with exfiltration behaviors is a critical red flag. Do not deploy this skill until all scripts are reviewed and the exfiltration behaviors are explained or eliminated. Remove any code that reads environment variables and transmits them over the network. -
π HIGH
LLM_UNAUTHORIZED_TOOL_USEβ Allowed-Tools Declares Write Access β Undisclosed Scripts May Abuse ItThe SKILL.md manifest declares allowed-tools: [Read, Write], granting file write permissions. Combined with the static analyzer's detection of 10 undisclosed Python files with network exfiltration behaviors, this Write permission could be abused by hidden scripts to write malicious files, modify system files, or persist data exfiltrated from the environment. The combination of Write access + undisclosed scripts + detected exfiltration chains is a high-severity tool exploitation risk. File:
SKILL.mdRemediation: Restrict allowed-tools to only what is genuinely needed for the deliberation functionality (which appears to be purely text-based and should require no file I/O at all). Remove Write permission if not strictly necessary. Audit all Python scripts to verify they do not abuse Write access for malicious purposes. -
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Activation Triggers in Skill DescriptionThe skill description contains an extensive list of activation keywords and trigger phrases designed to maximize the skill's activation frequency. Phrases like 'council mode', 'mind council', 'deliberate on this', 'help me think through this from all sides', and broad conditions like 'user faces a dilemma, trade-off, or complex choice with no obvious answer' are over-broad and could cause the skill to activate in many unintended contexts. This is a form of capability inflation / keyword baiting. File:
SKILL.mdRemediation: Narrow the activation triggers to specific, unambiguous phrases. Avoid broad behavioral conditions like 'faces a dilemma' that could match almost any user query. Use precise, opt-in trigger phrases rather than a wide net of conditions. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ External URLs Embedded in Skill InstructionsThe skill instructions contain two external URLs (https://ahkstrategies.net and https://themindbook.app) in the Attribution section. While these appear to be promotional/attribution links rather than active data exfiltration, their presence in skill instructions could be used to direct the agent to visit or reference external resources, and represents a minor data exposure risk if the agent were to follow these links. File:
SKILL.mdRemediation: Remove external URLs from skill instructions, or ensure they are clearly marked as informational only and the agent is not instructed to visit or fetch content from them.
-
π HIGH
LLM_DATA_EXFILTRATIONβ Environment Variable Exfiltration with Network Calls DetectedStatic analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across multiple files in this skill package. The pre-scan context indicates that environment variable access is combined with network calls in at least 2 files forming a cross-file exfiltration chain. While the provided file contents (SKILL.md and referenced markdown files) appear benign, the static analyzer detected Python files (10 python files in inventory) that were not surfaced in the analysis input. These unreferenced or hidden Python scripts may be harvesting environment variables (e.g., API keys, AWS credentials, tokens) and transmitting them to external endpoints. The skill's legitimate use of remote file support (S3, GCS, HTTP via fsspec) could serve as cover for exfiltration traffic. File:
SKILL.mdRemediation: Audit all 10 Python files in the skill package for environment variable access (os.environ, os.getenv) combined with network calls (requests, urllib, httpx, boto3, etc.). Inspect cross-file data flows where one file reads env vars and another transmits data. Remove any unauthorized data collection or transmission. Ensure all network calls are limited to legitimate datamol/RDKit operations and user-initiated cloud storage access. -
π‘ MEDIUM
LLM_UNAUTHORIZED_TOOL_USEβ Undisclosed Python Scripts Not Surfaced for ReviewThe file inventory reports 10 Python files in the skill package, but the analysis input shows 'No script files found' and lists no unreferenced scripts. This discrepancy means Python code exists in the package that was not provided for review. Combined with the static analyzer's detection of exfiltration-related behaviors, these hidden scripts represent a tool exploitation risk β the skill may use legitimate datamol/RDKit tool invocations as a facade while executing unauthorized operations in background Python modules. File:
SKILL.mdRemediation: Enumerate and review all 10 Python files in the skill package. Verify that each file serves a documented, legitimate purpose aligned with the datamol cheminformatics use case. Remove any files that perform unauthorized operations. Ensure the skill manifest accurately reflects all included scripts. -
π΅ LOW
LLM_PROMPT_INJECTIONβ Skill Instructs Agent to Read External URLs as Data SourcesThe skill instructions explicitly guide the agent to read data from external HTTP/HTTPS and cloud storage URLs (S3, GCS) using dm.read_csv, dm.read_sdf, etc. While this is a documented datamol feature, it creates an indirect prompt injection surface: if a user-supplied URL points to a malicious file containing embedded instructions or crafted molecular data, the agent could process attacker-controlled content. The skill does not include any guidance on validating or sanitizing external URLs before use. File:
SKILL.mdRemediation: Add guidance in the skill instructions to warn users about the risks of loading molecular data from untrusted external URLs. Recommend validating URLs against an allowlist of trusted domains before passing them to datamol I/O functions. Document that external files should be treated as untrusted input. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools DeclarationThe YAML manifest does not specify the allowed-tools field. While this is optional per the agent skills spec, the skill executes Python code (10 Python files detected) and makes network calls (cloud storage via fsspec, HTTP URLs). Declaring allowed-tools would constrain the agent's tool usage and reduce the attack surface, particularly given the detected exfiltration-related behaviors. File:
SKILL.mdRemediation: Add an explicit allowed-tools declaration to the YAML frontmatter, e.g., allowed-tools: [Python, Bash], to document intended tool usage and enable enforcement of tool restrictions.
-
π HIGH
LLM_DATA_EXFILTRATIONβ Undisclosed Python Scripts with Suspected Environment Variable ExfiltrationThe skill submission claims 'No script files found', yet the static pre-scan inventory identifies 10 Python files and 22 markdown files in the package. The static analyzer specifically flagged environment variable access combined with network calls (BEHAVIOR_ENV_VAR_EXFILTRATION) and cross-file exfiltration chains (BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN). This combination β hidden scripts, env var access, and outbound network calls β is a high-confidence indicator of credential or token harvesting (e.g., reading API keys, AWS credentials, or session tokens from environment variables and transmitting them to an external endpoint). The concealment of these scripts from the skill manifest is itself a red flag. Remediation: Immediately audit all 10 Python files. Identify which files access environment variables and which make network calls. Remove all outbound network transmission of environment data. Disclose all scripts in the skill manifest. If the skill legitimately requires network access, declare it explicitly in allowed-tools and document the purpose and destination of all network calls.
-
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ Self-Profile Mode Accesses Conversation History Without Explicit User Consent MechanismThe 'Self-Profile Mode' instructs the agent to use the full conversation history as input for cognitive profiling without requiring explicit user consent or providing a clear opt-in mechanism. Users may not realize their entire conversation is being analyzed and profiled. While this is a local operation, it represents unauthorized data collection beyond the immediate task scope. Remediation: Add an explicit consent step before accessing conversation history for profiling. Clearly inform the user what data will be analyzed and how the profile will be used. Provide an opt-out option.
-
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Discrepancy Between Declared allowed-tools and Actual Behavior β Static Analysis Flags Exfiltration ChainsThe YAML manifest declares allowed-tools as [Read, Write], which implies only local file read/write operations. However, the pre-scan static analysis flags BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls), BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain across 2 files), and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION (cross-file env var exfiltration across 2 files). The file inventory reports 10 Python files and 22 markdown files (32 total), yet the skill submission claims 'No script files found' β this is a significant inconsistency. Network calls are not permitted under the declared Read/Write tool restriction, and environment variable harvesting combined with network transmission is a classic data exfiltration pattern. File:
SKILL.mdRemediation: Audit all 10 Python files in the skill package for network calls, environment variable access, and cross-file data flows. Remove any code that reads environment variables and transmits data externally. Ensure the actual behavior of all scripts is consistent with the declared allowed-tools restriction of Read and Write only. Disclose all script files transparently in the skill submission. -
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Activation Triggers and Keyword Baiting in DescriptionThe skill description contains an unusually broad set of activation triggers designed to maximize invocation frequency. It includes generic phrases like 'analyze how this person reasons', 'deeper insight', 'understand the mind behind any text', and even proprietary brand terms like 'DHDNA' and 'digital DNA'. This pattern of keyword baiting inflates the perceived scope of the skill and increases the likelihood of unintended activation across a wide range of user queries that may not require this skill. File:
SKILL.mdRemediation: Narrow the activation triggers to specific, unambiguous user intents. Avoid including generic phrases that could match a wide variety of unrelated queries. Remove brand-specific keyword baiting and limit triggers to clearly scoped use cases. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Unverifiable Research Claims Used to Establish CredibilityThe skill references two DOI-linked research papers (DOI: 10.5281/zenodo.18736629 and DOI: 10.5281/zenodo.18807387) as scientific backing for the DHDNA framework. Zenodo pre-prints are self-published and not peer-reviewed. Presenting these as 'published research' may mislead users into believing the cognitive profiling methodology has scientific validation it may not have. This could cause users to over-trust the skill's outputs and make decisions based on pseudoscientific profiling. File:
SKILL.mdRemediation: Clearly label these as pre-prints or self-published works, not peer-reviewed research. Add a disclaimer that the DHDNA framework is a conceptual model and not a validated psychometric instrument. Avoid using the term 'published research' for Zenodo pre-prints without qualification.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Network Calls to External Forge APIThe skill instructs the agent to make network calls to https://forge.evolutionaryscale.ai with user-provided API tokens. While this is the legitimate intended functionality of the skill (cloud-based protein design), the agent will be transmitting protein sequence data and API credentials to an external service. Users should be aware that their protein sequences and API tokens are transmitted externally. Remediation: Ensure users are clearly informed before any data is transmitted to the Forge API. The skill should prompt for explicit user consent before sending protein sequences or credentials to external services.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md manifest does not specify the allowed-tools field. While this is optional per the agent skills specification, the skill instructs the agent to execute Python code (loading ML models, making network requests to forge.evolutionaryscale.ai, reading/writing PDB files, installing packages). Declaring allowed tools would improve transparency about the skill's required capabilities. File:
SKILL.mdRemediation: Add an explicit allowed-tools field to the YAML manifest listing the tools this skill requires, such as: allowed-tools: [Python, Bash, Read, Write] -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation in InstructionsThe installation instructions recommend installing the 'esm' package and 'flash-attn' without version pinning. This creates a supply chain risk where future versions of these packages could introduce malicious or breaking changes. The 'uv pip install esm' command will always install the latest version. File:
SKILL.mdRemediation: Pin package versions in installation instructions, e.g., 'uv pip install esm==X.Y.Z' and 'uv pip install flash-attn==X.Y.Z --no-build-isolation'. Reference specific known-good versions. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/esm-c-api.md at line 337 contains potentially dangerous Python code. File:
references/esm-c-api.md:337Remediation: Review the code block for security implications. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Token Placeholder in Code ExamplesThe SKILL.md and references/forge-api.md contain code examples with placeholder API tokens (token="" and token=""). While these are documentation placeholders rather than hardcoded secrets, they establish a pattern where users may be encouraged to embed tokens directly in code rather than using environment variables or secrets management. The forge-api.md does mention storing tokens securely in environment variables in the best practices section, but the primary examples throughout the documentation show inline token usage. File:
references/forge-api.mdRemediation: Update all code examples to demonstrate secure token handling using environment variables (e.g., token=os.environ['FORGE_API_TOKEN']) as the primary pattern, rather than inline placeholders that encourage hardcoding. -
π΅ LOW
LLM_COMMAND_INJECTIONβ eval/exec Usage in Referenced Code BlocksThe static analyzer flagged Python code blocks containing eval/exec patterns in the reference documentation. Reviewing the content, the references contain extensive Python code examples. While no direct eval/exec of user-controlled input was found in the reviewed files, the static scanner detected this pattern. The code examples in references/workflows.md and references/esm-c-api.md include dynamic code execution patterns that could be misused if the agent executes code blocks from these reference files without validation. File:
references/workflows.mdRemediation: Review all Python code blocks in reference files for any eval/exec usage. Ensure the agent does not blindly execute code blocks found in reference documentation without user confirmation.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Hardcoded Credential Placeholders in Code ExamplesThe SKILL.md and referenced files contain code examples with placeholder credential patterns such as 'YOUR_API_KEY', 'YOUR_ACCESS_TOKEN', 'user', 'password', and ellipsis-style placeholders (aws_access_key_id=..., aws_secret_access_key=...). While these are documentation placeholders rather than actual secrets, they normalize the pattern of embedding credentials directly in code and could mislead users into hardcoding real credentials in their scripts. File:
SKILL.mdRemediation: Update code examples to use environment variables or configuration files for credentials. For example: aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID']. Add explicit warnings in the documentation that credentials should never be hardcoded. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Claims in Skill DescriptionThe skill description makes extremely broad capability claims: '30+ scientific domains', '8 programming languages', '500+ code examples', 'covers everything from basic GIS operations to advanced remote sensing and machine learning'. These claims may cause the agent to activate this skill for a very wide range of queries beyond its actual scope, potentially displacing more appropriate tools or skills. The description also lists many trigger keywords (remote sensing, GIS, spatial analysis, ML, Earth observation, terrain analysis, hydrological modeling, marine spatial analysis, atmospheric science) that could cause over-broad activation. File:
SKILL.mdRemediation: Narrow the description to accurately reflect the skill's primary purpose and most common use cases. Avoid keyword stuffing in the description field. Focus on the core geospatial functionality rather than listing every possible domain. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded Loop Patterns in Code ExamplesSeveral code examples contain nested loops and computationally intensive operations without bounds checking or resource limits. The viewshed analysis function in references/advanced-gis.md iterates over 360 angles with inner loops up to max_distance/cell_size iterations, and the topology validation function has O(nΒ²) complexity with nested geometry comparisons. If a user applies these patterns to large datasets, they could cause significant compute exhaustion. File:
references/advanced-gis.mdRemediation: Add explicit warnings in code examples about computational complexity and dataset size limits. Include recommended maximum dataset sizes and suggest using spatial indexing (e.g., STRtree) for the O(nΒ²) topology check. Add progress indicators and early termination conditions to long-running loops. -
π΅ LOW
LLM_COMMAND_INJECTIONβ eval/exec Usage in Embedded Code ExamplesStatic analysis flagged Python code blocks containing eval or exec patterns. Review of the skill content shows code examples that use dynamic execution patterns. While these appear to be legitimate geospatial code examples (e.g., subprocess.run for SAGA GIS integration in references/gis-software.md), the presence of subprocess calls with variable arguments could be misused if user-controlled input is passed to these functions without sanitization. File:
references/gis-software.mdRemediation: Add input validation and sanitization to all code examples that use subprocess or shell execution with variable arguments. Include explicit warnings in the documentation that user-provided inputs must be validated before being passed to shell commands. Consider using shlex.quote() for shell argument sanitization in examples. -
π‘ MEDIUM
MDBLOCK_PYTHON_SUBPROCESSβ Python code block executes shell commandsCode block in references/gis-software.md at line 290 contains potentially dangerous Python code. File:
references/gis-software.md:290Remediation: Review the code block for security implications. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/machine-learning.md at line 207 contains potentially dangerous Python code. File:
references/machine-learning.md:207Remediation: Review the code block for security implications. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/machine-learning.md at line 435 contains potentially dangerous Python code. File:
references/machine-learning.md:435Remediation: Review the code block for security implications.
-
π΅ LOW
LLM_COMMAND_INJECTIONβ eval/exec Usage Flagged in Static Analysis of Code ExamplesThe static pre-scan flagged a MDBLOCK_PYTHON_EVAL_EXEC finding, indicating that one or more Python code blocks within the skill's markdown documentation contain eval or exec calls. While the code blocks in the reviewed reference files appear to be legitimate documentation examples (e.g., subprocess.run, shell command execution), the presence of eval/exec patterns in instructional code could be replicated by an agent following the examples without appropriate safety checks. No direct malicious eval/exec was identified in the reviewed content, but the flag warrants noting. File:
SKILL.mdRemediation: Review all code blocks across SKILL.md and reference files to confirm no eval/exec is used with unsanitized user input. If present in examples, add explicit warnings about the dangers of eval/exec with untrusted data. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe skill manifest does not declare an allowed-tools field. While this is optional per the agent skills specification, the skill instructs the agent to execute bash commands (modal setup, modal run, modal deploy, modal serve), install packages (uv pip install modal), read/write files, and make network connections to Modal's cloud infrastructure. Declaring allowed-tools would improve transparency about the agent capabilities this skill requires. File:
SKILL.mdRemediation: Add an explicit allowed-tools declaration to the YAML frontmatter, e.g.: allowed-tools: [Bash, Python, Read, Write] to document the tools this skill requires. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Skill Description with Excessive Trigger KeywordsThe skill description contains an unusually large number of trigger phrases designed to maximize activation across a wide range of user queries. Phrases like 'Use this skill whenever the user mentions Modal, serverless GPU compute, deploying ML models to the cloud, serving inference endpoints, running batch processing in the cloud, or needs to scale Python workloads beyond their local machine. Also use when the user wants to run code on H100s, A100s, or other cloud GPUs' represent keyword baiting to inflate the skill's activation frequency beyond what is strictly necessary for its stated purpose. File:
SKILL.mdRemediation: Trim the description to a concise, accurate summary of the skill's capabilities without excessive keyword enumeration. A single sentence describing the core purpose is sufficient for proper skill discovery. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/functions.md at line 82 contains potentially dangerous Python code. File:
references/functions.md:82Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_SUBPROCESSβ Python code block executes shell commandsCode block in references/gpu.md at line 159 contains potentially dangerous Python code. File:
references/gpu.md:159Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_SUBPROCESSβ Python code block executes shell commandsCode block in references/gpu.md at line 168 contains potentially dangerous Python code. File:
references/gpu.md:168Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in references/scheduled-jobs.md at line 141 contains potentially dangerous Python code. File:
references/scheduled-jobs.md:141Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_SUBPROCESSβ Python code block executes shell commandsCode block in references/web-endpoints.md at line 149 contains potentially dangerous Python code. File:
references/web-endpoints.md:149Remediation: Review the code block for security implications.
-
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Unvalidated $ARGUMENTS Passed Directly to Shell CommandsAcross multiple reference files, the $ARGUMENTS placeholder is passed directly into shell commands without any sanitization or validation. For example:
parallel-cli search "$ARGUMENTS",parallel-cli extract "$ARGUMENTS",parallel-cli research run "$ARGUMENTS". If user input contains shell metacharacters (semicolons, backticks, dollar signs, pipes, etc.), this could result in command injection. The agent constructs and executes these commands based on user-provided input, creating a potential injection surface. Remediation: Instruct the agent to sanitize user input before constructing shell commands. Use argument arrays rather than string interpolation where possible. Validate that $ARGUMENTS does not contain shell metacharacters before passing to commands. Consider using Python subprocess with argument lists instead of shell string construction. -
π HIGH
LLM_DATA_EXFILTRATIONβ Installation Script Fetched from External URL via Curl-Pipe-Bash PatternThe setup instructions direct the agent to execute a remote shell script via the classic curl-pipe-bash pattern:
curl -fsSL https://parallel.ai/install.sh | bash. This is a well-known supply chain attack vector. The script is fetched from an external server at runtime and executed directly in the shell without any integrity verification (no checksum, no signature). A compromised or malicious install.sh could execute arbitrary code on the user's machine, steal credentials, install backdoors, or exfiltrate data. The agent is instructed to run this automatically when parallel-cli is not found. File:SKILL.mdRemediation: Replace the curl-pipe-bash pattern with a verified installation method that includes checksum verification (e.g., download the script, verify its SHA256 hash against a published value, then execute). Alternatively, use a package manager with pinned versions. Document the expected hash in the skill. Never pipe remote scripts directly to bash. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ API Key Exposure Risk via Environment Variable and .env File HandlingThe setup instructions direct the agent to read and handle PARALLEL_API_KEY from .env files and environment variables. The instructions also suggest
export PARALLEL_API_KEY="your-key"as a fallback. While this is a common pattern, the agent is instructed to check for and load .env files automatically, which could expose the key in command history, logs, or agent context. Additionally, the agent is instructed to runparallel-cli authwhich may print or expose the key in output that gets captured in context. File:SKILL.mdRemediation: Avoid instructing the agent to echo or expose API keys in command output. Use secure credential storage mechanisms. Ensure the agent does not log or include API key values in its responses to the user. -
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Claims and Aggressive Activation TriggersThe skill description explicitly instructs the agent to use this skill for 'ANY web-related task β even if the user doesn't mention parallel or web explicitly.' This is a form of capability inflation and activation abuse, as it attempts to maximize the skill's invocation frequency beyond what the user explicitly requests. The description lists an extremely broad set of triggers including 'look something up, fetch a page, enrich a dataset, investigate a topic, find academic papers, check citations, or review scientific literature.' This over-broad framing could cause the skill to be invoked in contexts where it is not appropriate, potentially routing user queries through the parallel-cli service unnecessarily. File:
SKILL.mdRemediation: Narrow the description to specific, well-defined use cases. Avoid instructing the agent to use the skill for 'ANY' task of a broad category. Let the agent decide based on context rather than forcing activation through over-broad claims. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing License InformationThe skill manifest does not specify a license. This is a minor metadata omission but reduces transparency about the terms under which the skill can be used, modified, or distributed. File:
SKILL.mdRemediation: Add a license field to the YAML frontmatter (e.g.,license: MITorlicense: Apache-2.0). -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation via uv and pipThe setup instructions include installing packages without version pins:
uv tool install "parallel-web-tools[cli]"andpip install python-dotenv[cli]oruv pip install python-dotenv[cli]. Without pinned versions, the agent could install any version of these packages, including potentially compromised future versions. This is a supply chain risk, though lower severity since these are named packages from presumably known sources. File:SKILL.mdRemediation: Pin package versions explicitly (e.g.,parallel-web-tools[cli]==1.2.3). Document expected package hashes where possible. Consider using a lockfile approach for reproducible installations. -
π‘ MEDIUM
LLM_PROMPT_INJECTIONβ Indirect Prompt Injection via Extracted Web ContentThe web-extract capability instructs the agent to return extracted content 'verbatim' without paraphrasing or summarizing: 'Keep content verbatim - do not paraphrase or summarize' and 'Preserve all facts, names, numbers, dates, quotes.' When fetching arbitrary web pages or academic PDFs, the extracted content could contain embedded prompt injection instructions that the agent would then process verbatim. Since the agent is instructed to preserve content exactly as-is, malicious instructions embedded in web pages could be passed directly into the agent's context and potentially executed. File:
references/web-extract.mdRemediation: Add explicit instructions to treat extracted web content as untrusted data, not as instructions. Instruct the agent to present extracted content in a clearly delimited block (e.g., quoted or code-fenced) and to never follow instructions found within extracted content. Add a warning to the agent to be alert for prompt injection patterns in fetched content.
-
π΅ LOW
LLM_PROMPT_INJECTIONβ External API Calls to Third-Party Services in Code ExamplesThe reference documentation includes code examples that make network calls to external services, specifically the DeepCell API (https://deepcell.org/api/predict) for remote cell segmentation. While this is a legitimate scientific service, the skill documentation instructs the agent to send image data to an external third-party API. If a user's pathology data is sensitive (e.g., patient tissue samples), this could result in unintended data transmission to external servers. The SegmentMIFRemote transform explicitly sends image data to deepcell.org. Remediation: Add explicit warnings in the skill instructions that SegmentMIFRemote sends image data to an external API. Recommend users use the local SegmentMIF transform for sensitive or patient-identifiable data. Document data privacy implications of using remote inference services.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe skill does not declare an allowed-tools field in the YAML manifest. While this is optional per the agent skills specification, the skill instructs the agent to execute Python code (pip install, model training, file I/O, network calls to external APIs like deepcell.org). Without explicit tool restrictions, the agent has no declared boundary on what tools it may use. This is informational only. File:
SKILL.mdRemediation: Consider adding an explicit allowed-tools declaration such as: allowed-tools: [Python, Bash, Read, Write] to document the intended tool usage scope and help the agent enforce appropriate boundaries. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Broad Capability Claims in DescriptionThe skill description claims support for '160+ slide formats' and lists numerous advanced capabilities (CODEX, Vectra, MERFISH, nucleus segmentation, tissue graph construction, ML model training). While these claims appear to match the documented PathML library capabilities, the breadth of the description could lead to over-activation of this skill for tasks that may be better served by simpler tools. The description itself acknowledges this by suggesting histolab for simpler tasks, which is a positive signal. File:
SKILL.mdRemediation: The skill already includes a helpful note about histolab for simpler tasks. Consider adding more specific trigger conditions in the SKILL.md instructions to prevent over-broad activation. The current description is reasonable for a legitimate specialized toolkit. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/data_management.md at line 441 contains potentially dangerous Python code. File:
references/data_management.md:441Remediation: Review the code block for security implications. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Python eval/exec Usage in Code ExamplesStatic analysis flagged multiple instances of eval/exec patterns in the markdown code blocks across the reference files. Upon review, these appear to be within legitimate educational code examples demonstrating PyTorch model training, ONNX inference, and data processing workflows. The code blocks are documentation examples, not executable scripts bundled with the skill. However, if an agent were to execute these code blocks verbatim from user-provided or externally sourced data, eval/exec patterns could pose injection risks. The flagged occurrences are in references/machine_learning.md and references/data_management.md within standard ML training loop and HDF5 access patterns. File:
references/machine_learning.mdRemediation: No immediate action required as these are documentation examples, not executable scripts. Ensure the agent is not instructed to blindly execute arbitrary code blocks found in reference files. Consider adding explicit notes in the skill instructions that code examples are illustrative and should be reviewed before execution. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/machine_learning.md at line 228 contains potentially dangerous Python code. File:
references/machine_learning.md:228Remediation: Review the code block for security implications. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/machine_learning.md at line 498 contains potentially dangerous Python code. File:
references/machine_learning.md:498Remediation: Review the code block for security implications. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/machine_learning.md at line 540 contains potentially dangerous Python code. File:
references/machine_learning.md:540Remediation: Review the code block for security implications.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md manifest does not specify the
allowed-toolsfield. While this is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be invoked. Given the skill instructs the agent to load multiple reference files and potentially install packages viauv pip install polars, declaring allowed tools would improve transparency. File:SKILL.mdRemediation: Add an explicitallowed-toolsfield to the YAML frontmatter, e.g.,allowed-tools: [Read, Python], to document the intended tool scope. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionThe SKILL.md Quick Start section instructs users to install Polars via
uv pip install polarswithout pinning a specific version. This could result in installing a future compromised or breaking version of the package. File:SKILL.md:30Remediation: Pin the Polars version in the installation instruction, e.g.,uv pip install polars==1.x.x, to ensure reproducibility and reduce supply chain risk. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Python eval/exec Pattern in Code ExamplesThe static analyzer flagged a potential eval/exec usage in the Python code blocks within the reference documentation. After reviewing all files, the flagged pattern appears to be within legitimate Polars API examples (e.g.,
.map_elements(),.pipe(), expression evaluation contexts) rather than actualeval()orexec()calls on user-controlled input. No directeval()orexec()with user-supplied data was found. This is a low-severity informational finding based on the static scan alert. File:references/best_practices.mdRemediation: No immediate action required. The code examples are illustrative and do not execute arbitrary user input. If the skill is extended with script files, ensure no eval/exec is used with user-controlled data. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Cloud Credential Exposure via Environment Variables in I/O GuideThe io_guide reference documents setting cloud credentials (AWS, Azure, GCS) directly via
os.environassignments with hardcoded placeholder values. While these are documentation examples, they normalize a pattern of storing credentials in environment variables within code, which could be misapplied by users following the examples. File:references/io_guide.mdRemediation: Add a note in the documentation advising users to use proper credential management (e.g., IAM roles, credential files, secrets managers) rather than hardcoding credentials in code, even as placeholders. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/operations.md at line 531 contains potentially dangerous Python code. File:
references/operations.md:531Remediation: Review the code block for security implications.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Multiple missing referenced filesThe SKILL.md instructions reference numerous files that do not exist in the skill package: templates/data_module.md, assets/best_practices.md, assets/trainer.md, templates/trainer.md, templates/lightning_module.md, assets/distributed_training.md, assets/lightning_module.md, assets/data_module.md, assets/callbacks.md, templates/logging.md, templates/best_practices.md, templates/distributed_training.md, assets/logging.md, templates/callbacks.md. If the agent attempts to read these missing files and falls back to searching the filesystem or fetching from external sources, this could lead to unintended data access or indirect prompt injection from unexpected sources. File:
SKILL.mdRemediation: Audit and remove all references to non-existent files from SKILL.md instructions, or add the missing files to the skill package. Ensure the agent does not attempt to resolve missing internal references by searching external sources. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and compatibility metadataThe skill manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on what tools the agent may use when executing this skill. For a skill that provides executable Python templates and references multiple scripts, documenting intended tool usage would improve transparency. File:
SKILL.mdRemediation: Add 'allowed-tools' to the YAML frontmatter to declare which agent tools are expected (e.g., Read, Python, Bash). Add 'compatibility' to clarify supported environments. -
π΅ LOW
LLM_COMMAND_INJECTIONβ eval/exec usage flagged by static analyzer in reference documentationThe static pre-scan flagged a MDBLOCK_PYTHON_EVAL_EXEC finding. After reviewing all files, the eval/exec usage appears within documentation code examples in the reference markdown files (e.g., references/callbacks.md, references/best_practices.md) as illustrative Python snippets, not in executable scripts. No actual eval() or exec() calls with user-controlled input were found in the runnable Python scripts (template_lightning_module.py, quick_trainer_setup.py, template_datamodule.py). The risk is low but worth noting as documentation code blocks could be misinterpreted or copy-pasted without review. File:
references/callbacks.mdRemediation: Review all documentation code examples to ensure they do not contain unsafe patterns. Add explicit warnings in documentation where code examples require careful adaptation before use in production. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/lightning_module.md at line 444 contains potentially dangerous Python code. File:
references/lightning_module.md:444Remediation: Review the code block for security implications.
-
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package InstallationThe SKILL.md installation instructions use 'uv pip install qutip' and optional packages without version pinning. This means the agent could install any version of qutip, qutip-qip, or qutip-qtrl, including potentially compromised future versions. Without pinned versions, supply chain attacks via malicious package updates are possible. File:
SKILL.mdRemediation: Pin package versions to known-good releases, e.g., 'uv pip install qutip==5.0.4 qutip-qip==0.4.0'. Consider adding hash verification or using a lockfile. -
π΅ LOW
LLM_COMMAND_INJECTIONβ eval/exec Usage in Code ExamplesThe static analyzer flagged a Python code block using eval/exec. Reviewing the referenced files, the only potential match is in references/advanced.md where QobjEvo and compiled time-dependent terms are discussed. The code examples throughout the skill use standard QuTiP API calls and numpy/matplotlib operations. No actual eval/exec with user-controlled input was found in the skill's own executable code β the flagged usage appears to be within QuTiP's internal string-based Hamiltonian compilation (e.g., 'cos(w*t)' strings passed to sesolve), which is a documented QuTiP feature. This is a low-severity informational finding since no scripts are bundled with the skill and the eval/exec would occur inside the QuTiP library itself, not in agent-controlled code. File:
references/time_evolution.mdRemediation: No immediate action required. If the agent generates and executes QuTiP simulations based on user input, ensure that string-based time-dependent Hamiltonian expressions are validated before being passed to QuTiP solvers to prevent code injection via the string compilation pathway. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/visualization.md at line 197 contains potentially dangerous Python code. File:
references/visualization.md:197Remediation: Review the code block for security implications.
-
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Missing Referenced Files May Conceal Capability Inflation or Malicious InstructionsThe SKILL.md references four files (skbio.py, assets/api_reference.md, references/api_reference.md, templates/api_reference.md) but three of these are not present in the package as submitted. The instruction body directs the agent to consult 'references/api_reference.md' for detailed API information. Missing files that are referenced as authoritative sources could be used to inject additional instructions or capabilities at runtime if the agent attempts to fetch them from an external source, or could represent incomplete disclosure of the skill's true behavior. File:
SKILL.mdRemediation: Ensure all referenced files are bundled within the skill package. Verify that the agent does not attempt to fetch missing files from external URLs. Audit the content of all referenced files before deployment. -
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ No allowed-tools Declaration Despite Potential Script ExecutionThe SKILL.md manifest does not declare an allowed-tools field. Given that the static analyzer detected 3 Python script files and the skill description implies file I/O, network access to documentation URLs, and potentially executing bioinformatics pipelines, the absence of tool restrictions means the agent has no declared boundary on what tools it may invoke. This is informational but increases risk surface given the other findings. File:
SKILL.mdRemediation: Add an explicit allowed-tools declaration to the SKILL.md manifest that reflects the minimum required tools. This provides a documented security boundary and enables violation detection. -
π HIGH
LLM_DATA_EXFILTRATIONβ Pre-Scan Flags Indicate Hidden Exfiltration Chain Across Unreported FilesThe static pre-scan analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (3 files), and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION (3 files). The skill package reports 13 total files including 3 Python scripts, yet the submitted content shows 'No script files found' and only one referenced file was successfully retrieved. The Python files and several referenced files (skbio.py, assets/api_reference.md, templates/api_reference.md) are either missing or not provided for review. The static analyzer detected environment variable access combined with network calls across multiple files, strongly suggesting a data exfiltration pattern hidden in the unreported Python scripts. File:
references/api_reference.mdRemediation: Obtain and review all 3 Python script files flagged by the static analyzer. Inspect for os.environ access, requests/urllib calls, subprocess usage, and any data being sent to external endpoints. Do not deploy this skill until all files are reviewed and the exfiltration chain is confirmed absent or remediated.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe skill does not declare an allowed-tools field in the YAML manifest. Given that the skill instructions and reference files demonstrate code that writes files (e.g., writing LaTeX to output.tex, writing C code to .c files, pickling objects), network access patterns, and subprocess compilation (autowrap/ufuncify), the absence of tool restrictions means there are no declared boundaries on what the agent can do when executing this skill's guidance. File:
SKILL.mdRemediation: Add an allowed-tools declaration to the manifest. If the skill is intended to execute Python code, declare 'allowed-tools: [Python]'. If file writing is expected, also include 'Write'. This is informational/LOW severity as allowed-tools is optional per spec. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Overly Broad Skill Description May Cause Excessive ActivationThe skill description is very broad, listing numerous domains: 'solving equations algebraically, performing calculus operations (derivatives, integrals, limits), manipulating algebraic expressions, working with matrices symbolically, physics calculations, number theory problems, geometry computations, and generating executable code from mathematical expressions.' While this accurately reflects SymPy's capabilities, the breadth may cause the skill to be activated for a wide range of mathematical queries that could be handled more simply. File:
SKILL.mdRemediation: Consider narrowing the description to focus on cases where symbolic (exact) computation is specifically needed versus numerical approximation, which is already partially addressed in the description. This is a minor concern as the description is technically accurate. -
π΅ LOW
LLM_COMMAND_INJECTIONβ eval() Usage in User Input Parsing ExampleThe references/code-generation-printing.md file contains a code example that mentions eval() in the context of srepr() output: 'This can be eval()'ed to recreate the expression'. While this is documentation/educational content showing how SymPy's srepr() output is eval-safe, it could encourage users to use eval() on untrusted input without proper validation. The same file also contains Pattern 3 (Interactive Computation) which reads user input via input() and passes it to parse_expr() without sanitization guidance beyond a comment. File:
references/code-generation-printing.mdRemediation: Add explicit warnings in the documentation that eval() should never be used on untrusted user input. For parse_expr(), note that it uses a safe parser by default but should still validate/sanitize input. The comment in the file already notes 'validate and sanitize to avoid code injection vulnerabilities' but the srepr/eval example should include a similar warning. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/code-generation-printing.md at line 204 contains potentially dangerous Python code. File:
references/code-generation-printing.md:204Remediation: Review the code block for security implications.
-
π΅ LOW
LLM_PROMPT_INJECTIONβ Multiple Referenced Files Not Found in PackageThe SKILL.md instructions reference numerous files (assets/scaling.md, torch_geometric.py, templates/message_passing.md, assets/message_passing.md, templates/scaling.md, templates/link_prediction.md, assets/explainability.md, templates/explainability.md, assets/heterogeneous.md, templates/heterogeneous.md, assets/custom_datasets.md, assets/link_prediction.md, templates/custom_datasets.md, torch.py) that are not present in the skill package. If these files were to be added later or sourced externally, they could introduce indirect prompt injection or malicious instructions. The missing files also mean the skill is incomplete and may cause the agent to behave unpredictably when trying to read them. File:
SKILL.mdRemediation: Ensure all referenced files are bundled with the skill package. Do not reference external or missing files. Audit any files added in the future to ensure they do not contain malicious instructions. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Skill Activation Triggers in DescriptionThe skill description contains an extensive list of trigger keywords and phrases designed to maximize activation across a wide range of user queries. Phrases like 'Even if the user just says graph learning or geometric deep learning, use this skill' explicitly instruct the agent to activate this skill for very broad, loosely related queries. While this may be intentional for a comprehensive GNN guide, it represents capability inflation that could cause the skill to activate in contexts where it is not appropriate, potentially displacing other more relevant skills or consuming unnecessary resources. File:
SKILL.mdRemediation: Narrow the activation description to core use cases. Avoid explicit instructions to trigger on loosely related terms. Let the agent's natural skill-matching logic determine relevance rather than embedding broad override instructions in the description. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Missing License and Compatibility MetadataThe skill manifest does not specify a license or compatibility field. While these are optional fields, their absence means there is no provenance information for the skill package. This makes it harder to assess the trustworthiness and intended deployment context of the skill, which is a minor supply chain hygiene concern. File:
SKILL.mdRemediation: Add license, compatibility, and allowed-tools fields to the YAML frontmatter to improve transparency and provenance tracking. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in SKILL.md at line 196 contains potentially dangerous Python code. File:
SKILL.md:196Remediation: Review the code block for security implications. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ External URL in Dataset Download Example (references/custom_datasets.md)The custom datasets reference file includes a call to download_url with a placeholder external URL ('https://example.com/data.csv'). While this is a documentation example and not a hardcoded malicious endpoint, it demonstrates a pattern where the skill instructs the agent to download data from arbitrary external URLs without validation. If a user substitutes a real URL, the agent may fetch and process untrusted external content without additional safeguards. File:
references/custom_datasets.mdRemediation: Add a note in the documentation emphasizing that URLs should be validated and trusted before use. Consider adding a warning about the risks of downloading from untrusted sources. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/link_prediction.md at line 94 contains potentially dangerous Python code. File:
references/link_prediction.md:94Remediation: Review the code block for security implications. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/link_prediction.md at line 137 contains potentially dangerous Python code. File:
references/link_prediction.md:137Remediation: Review the code block for security implications.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Multiple Referenced Files Not Found in PackageThe SKILL.md references numerous files (e.g., assets/protein_modeling.md, rdkit.py, pytorch_lightning.py, torchdrug.py, torch.py, templates/.md, assets/.md) that are not present in the skill package. While the found reference files (references/*.md) contain legitimate educational content, the missing files could represent incomplete packaging. If these missing files were to be supplied by an external or untrusted source at runtime, they could introduce indirect prompt injection or malicious content. The risk is currently low since the files simply do not exist rather than pointing to external URLs. File:
SKILL.mdRemediation: Ensure all referenced files are bundled within the skill package. Remove references to files that do not exist, or add the missing files. Avoid referencing files by names that shadow well-known Python standard library or popular package names (e.g., torch.py, rdkit.py, pytorch_lightning.py) as these could cause import confusion if placed in the Python path. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and compatibility MetadataThe SKILL.md manifest does not specify the 'allowed-tools' or 'compatibility' fields. While these fields are optional per the agent skills specification, their absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be invoked when this skill is active. Given the skill's legitimate purpose of guiding TorchDrug usage, this is a minor informational gap rather than an active threat. File:
SKILL.mdRemediation: Add 'allowed-tools' to the YAML frontmatter to explicitly declare which tools are needed (e.g., [Read, Python]) and add a 'compatibility' field to clarify supported environments. This improves transparency and reduces the risk of unintended tool use. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Use of eval/exec in Python Code BlockThe static analyzer flagged a Python code block containing eval/exec usage. After reviewing all referenced files and the SKILL.md instruction body, the eval/exec pattern appears in illustrative code examples within the reference documentation (e.g., references/core_concepts.md or similar). These are educational code snippets demonstrating TorchDrug API usage, not executable agent scripts. No actual eval/exec call with user-controlled input was found in any agent-executed script file. The risk is low since no Python/Bash script files are present in the skill package. File:
references/core_concepts.mdRemediation: Review any code examples containing eval/exec to ensure they do not demonstrate unsafe patterns that could be copied verbatim by users. Consider adding a warning comment if eval/exec examples are included. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/core_concepts.md at line 345 contains potentially dangerous Python code. File:
references/core_concepts.md:345Remediation: Review the code block for security implications.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Hugging Face Token Exposure Risk in InstructionsThe SKILL.md instructions show an example of setting a Hugging Face token via environment variable with a placeholder value. While this is documentation, it could encourage users to hardcode tokens in scripts. Additionally, the login() flow stores tokens locally. No actual hardcoded secrets were found. File:
SKILL.mdRemediation: Add explicit guidance to never hardcode real tokens in scripts, use .env files excluded from version control, or use the huggingface_hub keyring integration for secure token storage. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools DeclarationThe skill does not declare an allowed-tools field in its YAML manifest. While this field is optional per the agent skills spec, the skill instructs the agent to execute bash commands (pip installs) and Python code, so declaring allowed-tools would improve transparency about the skill's required capabilities. File:
SKILL.mdRemediation: Add 'allowed-tools: [Bash, Python]' to the YAML frontmatter to explicitly declare the tools this skill requires. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Dependencies in Installation InstructionsThe installation instructions use unpinned package versions (e.g., 'uv pip install torch transformers datasets evaluate accelerate'). Without version pins, the skill is susceptible to supply chain attacks where a compromised or malicious package version could be installed. File:
SKILL.mdRemediation: Pin specific package versions (e.g., 'transformers==4.40.0') or use a requirements.txt/pyproject.toml with locked versions to ensure reproducible and safe installations. -
π΅ LOW
LLM_COMMAND_INJECTIONβ eval/exec Usage in Code ExamplesThe static analyzer flagged a potential eval/exec usage in a Python code block within the skill's reference files. After reviewing all referenced files, the only relevant pattern is the use of dynamic model loading via AutoModel classes and pipeline APIs, which are standard Hugging Face patterns. No direct eval() or exec() calls with user-controlled input were found in the reviewed content. The flag may relate to dynamic code execution patterns inherent to the transformers library (e.g., dynamic class instantiation). This is low risk in context but worth noting. File:
references/models.mdRemediation: Ensure that model identifiers passed to from_pretrained() are validated or come from trusted sources, not raw user input, to prevent loading of malicious model artifacts. -
π HIGH
MDBLOCK_PYTHON_EVAL_EXECβ Python code block uses eval/execCode block in references/models.md at line 214 contains potentially dangerous Python code. File:
references/models.md:214Remediation: Review the code block for security implications.
-
π HIGH
LLM_DATA_EXFILTRATIONβ Static Analysis Flags Cross-File Exfiltration Chain and Environment Variable ExfiltrationThe pre-scan static analysis reports findings of BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls) and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain across 2 files) within the skill package. The file inventory indicates 5 Python files and 16 markdown files are present in the package, yet no script files were surfaced in the provided analysis input. This discrepancy is significant: the SKILL.md and manifest appear benign, but the static analyzer has detected potentially malicious behavior in files that were not included for review. The combination of environment variable harvesting and network exfiltration is a classic credential theft and data exfiltration pattern. File:
SKILL.mdRemediation: Immediately audit all 5 Python files in the package for environment variable access (os.environ, os.getenv) combined with any network calls (requests, urllib, http.client, socket, etc.). Identify the 2-file cross-file exfiltration chain flagged by the static analyzer. Remove or sandbox any code that reads sensitive environment variables (API keys, tokens, credentials) and transmits them externally. Do not install or run this skill until a full code review of all Python files is completed. -
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Description and Keyword Baiting in ManifestThe skill's description contains an unusually large number of trigger keywords and phrases designed to maximize activation frequency. Phrases like 'what if...', 'what would happen if...', 'what are the possibilities', 'explore scenarios', 'scenario analysis', 'possibility space', 'what could go wrong', 'best case / worst case', 'risk analysis', 'contingency planning', 'strategic options', 'fork-in-the-road decision', 'stress-test an idea', and 'think through consequences' are all listed as activation triggers. This pattern of keyword baiting inflates the perceived scope of the skill and increases the likelihood of unintended activation across a wide range of user queries. File:
SKILL.mdRemediation: Narrow the activation description to a concise, specific set of use cases. Avoid listing exhaustive keyword triggers in the manifest description. A single clear sentence describing the skill's purpose is sufficient. -
π‘ MEDIUM
LLM_UNAUTHORIZED_TOOL_USEβ Declared allowed-tools Includes Write Without JustificationThe manifest declares allowed-tools as [Read, Write], granting the skill write access to the filesystem. The SKILL.md instructions describe a purely analytical, text-generation task (scenario analysis) that has no apparent need to write files. No script files were provided that would explain the Write tool requirement. Granting unnecessary write permissions violates the principle of least privilege and could be exploited if the skill is compromised or if hidden scripts (flagged by static analysis) use the Write capability maliciously. File:
SKILL.mdRemediation: Remove the Write tool permission from allowed-tools if the skill only generates text output in the conversation. If Write is genuinely needed, document explicitly in the instructions what files are written, where, and why. Apply the principle of least privilege. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Unverified External URLs Referenced in InstructionsThe SKILL.md body contains multiple external URLs pointing to DOI-linked research papers and external websites (zenodo.org, ahkstrategies.net, themindbook.app). While these appear to be informational references rather than active data sources, they represent external dependencies that could be used for tracking, phishing, or redirecting users to malicious content if the domains are compromised or misused. The skill does not fetch from these URLs programmatically, so the risk is low but worth noting. File:
SKILL.mdRemediation: If these URLs are purely informational, consider removing them from the skill instructions or noting clearly that they are not fetched at runtime. Ensure the referenced domains are controlled by the skill author and are not subject to domain hijacking.
-
π HIGH
LLM_DATA_EXFILTRATIONβ Environment Variable Exfiltration Chain Detected by Static AnalysisThe pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN, and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across multiple files in this skill package. Although the referenced script files (zarr.py, dask.py, gcsfs.py, h5py.py, xarray.py, s3fs.py) were not found during analysis, the static analyzer detected a cross-file chain involving environment variable access combined with network calls across 2 files. This pattern is a strong indicator of credential harvesting (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GOOGLE_APPLICATION_CREDENTIALS) followed by exfiltration to an external endpoint. The skill's cloud storage framing (S3/GCS integration) provides plausible cover for such behavior, as cloud credential environment variables would be naturally present in the target environment. Remediation: Obtain and audit all Python files in the skill package (zarr.py, dask.py, gcsfs.py, h5py.py, xarray.py, s3fs.py and any unreferenced scripts). Specifically inspect for: (1) os.environ or os.getenv calls harvesting cloud credentials, (2) network calls (requests, urllib, httpx, boto3, etc.) sending data to non-canonical endpoints, (3) any base64/encoded payloads. Do not deploy this skill until all 5 Python files are reviewed and cleared.
-
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Suspicious Skill Author Attribution and Capability FramingThe skill is attributed to 'K-Dense Inc.' β an unknown, unverifiable entity. The skill impersonates the well-known open-source zarr-python library (maintained by zarr-developers on GitHub) while being published under a different author. The description and instructions closely mirror the official zarr documentation, which could be used to gain user trust while the bundled scripts (flagged by static analysis) perform malicious operations. This is a classic capability inflation / brand impersonation pattern. Remediation: Verify the provenance of this skill against the official zarr-developers project. Do not use skills that impersonate well-known open-source libraries under different authorship without independent verification of all bundled code.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing Script Files Despite Static Analysis Detecting Python CodeThe skill references zarr.py, dask.py, gcsfs.py, h5py.py, xarray.py, and s3fs.py in its instructions, but none of these files were surfaced for review. However, the file inventory confirms 5 Python files exist in the package. This discrepancy means potentially malicious code is present but was not provided for analysis, preventing full security assessment. Combined with the static analysis exfiltration findings, this represents a significant transparency gap. Remediation: Ensure all Python files in the skill package are included in security review. The 5 Python files detected by the file inventory must be audited before deployment.
-
π‘ MEDIUM
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionsThe SKILL.md instructs users to install packages without version pinning: 'uv pip install zarr', 'uv pip install s3fs', 'uv pip install gcsfs'. Without pinned versions, a supply chain compromise of any of these packages (zarr, s3fs, gcsfs) could introduce malicious code into the user's environment. This is especially concerning given the static analysis findings suggesting exfiltration behavior may already be present in the bundled scripts. File:
SKILL.mdRemediation: Pin all package versions explicitly (e.g., 'uv pip install zarr==2.18.0 s3fs==2024.2.0 gcsfs==2024.2.0'). Use a lockfile or requirements.txt with hashes. Verify package integrity against known-good checksums.
-
π‘ MEDIUM
LLM_PROMPT_INJECTIONβ Indirect Prompt Injection Risk via External MCP Server ResponsesThe skill retrieves structured paper data from an external MCP server (bgpt.pro). The returned content β including titles, abstracts, methods, conclusions, and 25+ metadata fields β originates from third-party sources and is injected directly into the agent's context. Malicious or crafted paper content could contain embedded instructions that manipulate the agent's behavior (e.g., 'ignore previous instructions' hidden in a paper's conclusion field). File:
SKILL.mdRemediation: The agent should treat all content returned from the BGPT MCP server as untrusted data, not as instructions. Implement output sanitization or clearly delineate retrieved content from agent instructions. Users should be cautioned that paper content is third-party data. -
π‘ MEDIUM
LLM_UNAUTHORIZED_TOOL_USEβ External MCP Server Dependency with Unverified TrustThe skill instructs the agent to connect to and use a remote MCP server at https://bgpt.pro/mcp/sse. This external server is outside the user's control and could return malicious tool responses, manipulated data, or instructions that the agent may act upon. The agent is directed to use the
search_paperstool provided by this third-party server, meaning the server controls the tool's behavior and output entirely. File:SKILL.mdRemediation: Users should be aware that this skill delegates tool execution to an external server. Verify the trustworthiness of bgpt.pro before use. Consider reviewing the MCP server's responses for unexpected instructions or content before acting on them. The skill should document the data privacy implications of sending search queries to an external service. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Search Query Data Sent to External Third-Party ServerAll search queries entered by the user are transmitted to the external bgpt.pro server. The skill does not disclose a privacy policy or data retention practices. User research queries (which may be sensitive in academic, medical, or competitive intelligence contexts) are sent to a third-party commercial service. File:
SKILL.mdRemediation: The skill should include a clear disclosure that search queries are transmitted to bgpt.pro and link to a privacy policy. Users should be informed before configuring this MCP server, especially in sensitive research contexts. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned npx Package ExecutionThe skill uses
npx mcp-remoteandnpx bgpt-mcpwithout version pinning. This means the latest version of these npm packages is fetched and executed at runtime, which could introduce supply chain risks if the packages are compromised or updated with malicious code. File:SKILL.mdRemediation: Pin specific versions of npm packages (e.g.,npx mcp-remote@x.y.zandnpx bgpt-mcp@x.y.z) to prevent unexpected updates from introducing malicious or breaking changes. Verify package integrity via checksums or lockfiles.
-
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Subprocess Command Injection Risk in App Development PatternsThe skill's reference documentation and SKILL.md examples demonstrate patterns using subprocess.check_call() with parameters derived from app inputs (e.g., quality_threshold passed as str(quality_threshold)). If the agent generates code following these patterns with unsanitized user-controlled inputs, it could lead to command injection vulnerabilities in deployed DNAnexus apps. File:
SKILL.mdRemediation: Add explicit guidance in the skill instructions to always validate and sanitize inputs before passing them to subprocess calls. Recommend using shlex.quote() for shell arguments and preferring list-form subprocess calls over shell=True. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Missing License and Incomplete MetadataThe skill manifest declares 'license: Unknown' and does not specify allowed-tools. While missing allowed-tools is LOW severity, the unknown license combined with a third-party author ('K-Dense Inc.') and no version information raises provenance concerns for a skill that handles sensitive genomics data and cloud credentials. File:
SKILL.mdRemediation: Specify a valid SPDX license identifier, add allowed-tools restrictions appropriate for the skill's operations, and include version information to establish clear provenance. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Multiple Referenced Files Not Found in Skill PackageThe skill references numerous files that are not present in the package: assets/data-operations.md, templates/job-execution.md, templates/data-operations.md, templates/configuration.md, templates/app-development.md, templates/python-sdk.md, dxpy.py, assets/configuration.md, assets/job-execution.md, assets/app-development.md, assets/python-sdk.md. The missing dxpy.py is particularly notable as it could be a local override of the legitimate dxpy library. File:
SKILL.mdRemediation: Audit and remove references to non-existent files. Investigate the purpose of the referenced dxpy.py file - if it is intended as a local SDK override, this would be a HIGH severity supply chain concern and should be explicitly documented or removed. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation Patterns in Reference DocumentationThe configuration reference (references/configuration.md) shows patterns for installing Python packages via pip without version pinning in some examples, and system packages via execDepends without version constraints. This could lead to supply chain risks if the agent generates app configurations following these patterns. File:
references/configuration.mdRemediation: Consistently demonstrate version-pinned dependencies in all examples. Add guidance to always specify versions for execDepends entries to ensure reproducible builds and reduce supply chain risk. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ API Token Hardcoding Risk in SDK DocumentationThe references/python-sdk.md file contains example code showing API token usage with placeholder 'YOUR_API_TOKEN' and 'YOUR_TOKEN' strings. While these are documentation examples, the skill instructs the agent to follow these patterns, and the pattern of setting auth tokens directly in code could lead to credential exposure if users follow the examples literally and hardcode real tokens. File:
references/python-sdk.mdRemediation: Add explicit warnings in the documentation that tokens must never be hardcoded in source code. Recommend using environment variables loaded from secure vaults or credential managers, and reference the best practice already noted in SKILL.md ('Never hardcode credentials in source code').
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Overly Broad Skill Activation DescriptionThe skill description contains an extensive list of trigger keywords and phrases designed to maximize activation across a wide range of document-related requests. While not malicious, the description is unusually comprehensive in its trigger conditions, potentially causing the skill to activate in more scenarios than strictly necessary for its core DOCX functionality. File:
SKILL.mdRemediation: Consider narrowing the activation criteria to core DOCX operations. The current description is broad but appears to reflect genuine use cases rather than malicious keyword baiting. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Subprocess Execution with User-Controlled File PathsMultiple scripts (accept_changes.py, soffice.py) pass file paths derived from user input directly to subprocess calls (soffice, git). While the paths are passed as arguments rather than shell-interpolated strings, and shell=True is not used, there is still a risk if filenames contain special characters or if the path resolution is manipulated. The accept_changes.py script passes output_path.absolute() directly to the soffice command. File:
scripts/accept_changes.pyRemediation: Validate and sanitize file paths before passing to subprocess. Ensure paths are within expected directories. Consider using pathlib.Path.resolve() and checking that the resolved path is within an allowed base directory. -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Dynamic C Code Compilation and LD_PRELOAD InjectionThe soffice.py script dynamically writes C source code to a temp file, compiles it with gcc into a shared library, and then injects it via LD_PRELOAD into LibreOffice subprocess calls. While the C code itself appears to be a legitimate AF_UNIX socket shim for sandboxed environments, this pattern is inherently risky: it compiles and loads arbitrary native code at runtime, bypasses normal library loading mechanisms, and could be exploited if the temp directory is writable by an attacker. The _SHIM_SOURCE string contains a full C program that intercepts socket(), listen(), accept(), and close() system calls. File:
scripts/office/soffice.pyRemediation: Consider shipping the pre-compiled shim as a binary asset rather than compiling at runtime. If runtime compilation is necessary, verify the integrity of the temp directory and consider using a more restricted temp path. Add a check that the shim file does not already exist before writing (to prevent TOCTOU attacks on the temp file). -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Environment Variable Access in soffice.pyThe soffice.py script calls os.environ.copy() to copy the entire environment and passes it to subprocess calls running LibreOffice. While this is a common and generally legitimate pattern for subprocess execution, it means all environment variables (which may include secrets, tokens, API keys, etc.) are passed to the LibreOffice subprocess. The static analyzer flagged this as part of a cross-file exfiltration chain, but in context this appears to be standard subprocess environment propagation rather than intentional exfiltration. No network calls are made with the environment data. File:
scripts/office/soffice.pyRemediation: This is low risk in context. Consider documenting that environment variables are passed to LibreOffice subprocesses. If sensitive environment variables are a concern, consider filtering the environment to only pass variables required by LibreOffice. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Git Subprocess Execution with User-Controlled Text ContentThe redlining.py validator writes document text content to temp files and passes them to git diff as arguments. While this uses a list-form subprocess call (not shell=True), the text content written to temp files originates from document XML which could be attacker-controlled if a malicious DOCX is processed. File:
scripts/office/validators/redlining.pyRemediation: This is low risk since content is written to files rather than passed as shell arguments. Ensure temp files are created with restricted permissions. The use of list-form subprocess (not shell=True) is correct.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md manifest does not specify the 'allowed-tools' field. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may use. The skill's workflows involve file system operations (reading WSI files, writing tile outputs, saving thumbnails, generating CSV reports), so declaring allowed tools would improve transparency and security posture. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools actually needed, e.g., allowed-tools: [Read, Write, Python, Bash]. This improves transparency and allows the agent runtime to enforce capability restrictions. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility FieldThe SKILL.md manifest does not specify the 'compatibility' field. The skill performs file I/O operations and installs packages via 'uv pip install histolab', which may not be compatible with all agent environments (e.g., sandboxed or read-only environments). Declaring compatibility constraints would help prevent misuse in incompatible environments. File:
SKILL.mdRemediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments and any requirements (e.g., local filesystem access, Python environment with pip). -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package InstallationThe skill instructs installation of 'histolab' without a pinned version ('uv pip install histolab'). Unpinned dependencies are susceptible to supply chain attacks where a malicious version could be published and automatically installed. Additionally, the skill's code examples import from 'histolab' without version verification. File:
SKILL.mdRemediation: Pin the package to a specific known-good version, e.g., 'uv pip install histolab==0.6.0'. Consider also specifying a hash for integrity verification. Document the expected version in the manifest metadata. -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Use of eval/exec in Python Code BlocksStatic analysis flagged two instances of eval/exec usage within Python code blocks in the skill's markdown documentation. While the code blocks appear to be illustrative examples for the histolab library (image processing, tile extraction), the presence of eval/exec patterns warrants review. If an agent executes these code blocks directly, and any portion of the input (e.g., file paths, filter parameters) is user-controlled and unsanitized, it could lead to code injection. The specific locations were not pinpointed to exact lines by static analysis, but the patterns exist within the referenced documentation files. File:
references/filters_preprocessing.mdRemediation: Review all code blocks containing eval/exec patterns to confirm they are purely illustrative and not directly executed by the agent. Ensure any user-supplied parameters (file paths, filter parameters, tile sizes) are validated and sanitized before being passed to executed code. Avoid using eval/exec with any user-controlled input.
-
π‘ MEDIUM
LLM_PROMPT_INJECTIONβ Indirect Prompt Injection via External Dataset ContentThe skill loads external dataset content (from cloned GitHub repositories) directly into LLM prompt templates using placeholder variable injection (e.g., ${text_features_1}, ${label}). If the dataset content contains adversarial text crafted to manipulate the LLM's behavior during hypothesis generation or inference, this constitutes an indirect prompt injection vector. The skill provides no sanitization or validation of dataset content before it is injected into prompts. File:
SKILL.mdRemediation: Implement input sanitization for dataset content before injecting into prompt templates. Consider adding content validation to detect and reject adversarial prompt injection patterns in dataset fields. Document that dataset sources should be trusted. -
π‘ MEDIUM
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation via uv pip installThe skill instructs users to install the 'hypogenic' package without pinning a specific version (e.g., 'uv pip install hypogenic'). Unpinned package installations are vulnerable to supply chain attacks where a malicious version could be published to PyPI and automatically installed. This is especially concerning for a package that interfaces with LLM APIs and processes sensitive research data. File:
SKILL.mdRemediation: Pin the package to a specific known-good version, e.g., 'uv pip install hypogenic=='. Additionally, consider verifying package integrity via hash checking (e.g., pip install --require-hashes). -
π‘ MEDIUM
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Git Clone of External Datasets from GitHubThe skill instructs cloning external GitHub repositories (ChicagoHAI/HypoGeniC-datasets and ChicagoHAI/Hypothesis-agent-datasets) without specifying a commit hash or tag. If these repositories are compromised or modified, malicious dataset content or configuration files could be introduced into the user's workflow. Since these datasets feed directly into LLM prompt templates, malicious content could constitute indirect prompt injection. File:
SKILL.mdRemediation: Pin git clones to a specific commit hash or tag (e.g., 'git clone ... && git checkout '). Validate dataset integrity before use. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Python eval/exec Usage Detected in Code BlocksStatic analysis flagged two instances of eval/exec usage in Python code blocks within the skill's markdown. While the specific code blocks shown in the instructions appear to be benign examples (label extraction with regex), the presence of eval/exec patterns warrants review. If user-controlled input flows into eval/exec calls within the hypogenic package, this could enable arbitrary code execution. File:
SKILL.mdRemediation: Review the actual hypogenic package source code for eval/exec usage with user-controlled inputs. Avoid eval/exec patterns; use safer alternatives like ast.literal_eval for data parsing. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Missing Provenance: No Version or Author Verification for External ToolsThe skill instructs users to install and run GROBID and s2orc-doc2json as external dependencies without specifying versions or providing integrity verification. These tools process PDF files and could introduce vulnerabilities if compromised versions are installed. File:
SKILL.mdRemediation: Specify exact versions for all external tool dependencies (GROBID, s2orc-doc2json). Provide checksums or other integrity verification mechanisms for downloaded tools. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Key Stored in Environment Variable Referenced in Config TemplateThe configuration template references an environment variable (OPENAI_API_KEY) for API key storage. While using environment variables is better than hardcoding, the config template also shows the variable name explicitly, and the skill does not provide guidance on secure secret management. If config files are committed to version control or shared, API key exposure is a risk. File:
references/config_template.yamlRemediation: Add explicit guidance in the skill documentation about not committing config files containing API key references to version control. Recommend using .gitignore for config files and consider referencing a secrets manager.
-
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Unpinned Package Upgrade via subprocess in SKILL.mdThe SKILL.md instructions include a code block that runs 'subprocess.run(["pip3", "install", "--upgrade", "--break-system-packages", "idc-index"], check=True)' without pinning to a specific version. The '--upgrade' flag without a pinned version (e.g., 'idc-index==0.11.14') means the agent will always install the latest available version, which could introduce a compromised or malicious package if the upstream package is ever tampered with. Additionally, '--break-system-packages' bypasses system package manager protections. File:
SKILL.mdRemediation: Pin the package to the exact required version: subprocess.run(["pip3", "install", "--break-system-packages", "idc-index==0.11.14"], check=True). Remove '--upgrade' or replace with the pinned version specifier to prevent unintended upgrades to potentially malicious versions. -
π΅ LOW
LLM_PROMPT_INJECTIONβ Agent Instructed to Fetch and Execute External Documentation URLsThe SKILL.md instructs the agent to reference external URLs such as 'https://idc-index.readthedocs.io/en/latest/indices_reference.html' for schema discovery and other external documentation. While these are legitimate documentation sites, the pattern of directing the agent to fetch and act on external web content creates a surface for indirect prompt injection if those external pages were ever compromised or if the agent fetches other user-supplied URLs in context. File:
SKILL.mdRemediation: Prefer bundled reference files over live external URLs for authoritative schema information. If external URLs must be referenced, clearly mark them as informational only and instruct the agent not to execute any instructions found in fetched content. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools DeclarationThe SKILL.md manifest does not declare an 'allowed-tools' field. While this is optional per the spec, the skill instructs the agent to execute Python code (subprocess calls, pip installs, file writes, network requests) and bash commands. Without an explicit allowed-tools declaration, there is no manifest-level constraint on what tools the agent may use. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' declaration to the YAML frontmatter listing the tools this skill requires (e.g., Python, Bash) to make the skill's capabilities transparent and auditable. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Optional Dependencies in Installation InstructionsThe installation instructions recommend 'pip install --upgrade idc-index' and 'pip install pandas numpy pydicom' without version pins. While the metadata specifies idc-index 0.11.14, the install commands do not enforce this. Optional dependencies (pandas, numpy, pydicom) are entirely unpinned, creating supply chain risk if any of these packages are compromised. File:
SKILL.mdRemediation: Pin all dependencies to specific versions: 'pip install idc-index==0.11.14 pandas== numpy== pydicom=='. Document tested versions in the skill metadata. -
π‘ MEDIUM
MDBLOCK_PYTHON_SUBPROCESSβ Python code block executes shell commandsCode block in SKILL.md at line 21 contains potentially dangerous Python code. File:
SKILL.md:21Remediation: Review the code block for security implications.
-
π‘ MEDIUM
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned GitHub Dependency InstallationThe skill instructs users to install the
labarchives-pypackage directly from a GitHub repository without any version pinning, commit hash, or integrity verification. This means any future changes to themcmero/labarchives-pyrepository (including malicious commits) would be silently pulled in on next install. The package is also referenced in error messages within the scripts, reinforcing this as the intended installation method. File:SKILL.mdRemediation: Pin to a specific commit hash or tag:pip install git+https://github.com/mcmero/labarchives-py@<commit-hash>. Alternatively, publish the package to PyPI with a pinned version and verify checksums. Document the expected package hash for integrity verification. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Missing License and Compatibility MetadataThe skill manifest does not specify a license or compatibility field. While not a direct security threat, missing provenance information makes it harder to assess the trustworthiness and intended deployment scope of the skill. The
allowed-toolsfield is also absent, meaning there are no declared restrictions on what agent tools this skill can invoke. File:SKILL.mdRemediation: Add license, compatibility, and allowed-tools fields to the YAML frontmatter. For a skill that makes network calls and reads/writes files, explicitly declaringallowed-tools: [Python, Bash]and specifying compatible platforms helps users understand the skill's intended scope and security posture. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in references/api_reference.md at line 217 contains potentially dangerous Python code. File:
references/api_reference.md:217Remediation: Review the code block for security implications. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ SSL Verification Bypass Documented Without Adequate WarningThe
references/authentication_guide.mddocuments disabling SSL certificate verification (verify=False) with only a brief note that it is 'not recommended for production'. This pattern, if followed by users, would expose credentials and data to man-in-the-middle attacks. The documentation normalizes this insecure practice without sufficiently emphasizing the security risk. File:references/authentication_guide.mdRemediation: Remove or strongly discourage theverify=Falseexample. Instead, provide guidance on properly configuring CA certificates or institutional proxy certificates. If self-signed certificates are needed, document how to specify a custom CA bundle viaverify='/path/to/ca-bundle.crt'rather than disabling verification entirely. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Credentials Passed as URL Query Parameters in Direct HTTP ExampleThe
references/authentication_guide.mdOption 2 example constructs API calls by passingaccess_key_idandaccess_passwordas URL query parameters. Query parameters are frequently logged in web server access logs, proxy logs, browser history, and network monitoring tools, creating a significant credential exposure risk. File:references/authentication_guide.mdRemediation: Use POST requests with credentials in the request body or Authorization headers rather than GET requests with credentials in query parameters. Add a warning in the documentation about the risks of credential exposure via URL logging. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in references/integrations.md at line 93 contains potentially dangerous Python code. File:
references/integrations.md:93Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in references/integrations.md at line 309 contains potentially dangerous Python code. File:
references/integrations.md:309Remediation: Review the code block for security implications. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ API Credentials Transmitted in HTTP POST Body (Plaintext)In
entry_operations.py, theupload_attachmentfunction sendsaccess_key_idandaccess_passworddirectly in the HTTP POST request body as plaintext form data. While HTTPS is used, embedding credentials in request bodies (rather than using proper Authorization headers or HMAC signatures) increases the risk of credential exposure in server logs, proxy logs, and debugging output. The credentials are also printed in truncated error responses. File:scripts/entry_operations.pyRemediation: Use Authorization headers or HMAC-signed request parameters instead of embedding credentials in POST body. Ensure server-side logging does not capture credential fields. Consider using thelabarchivespyclient's built-in authentication mechanism consistently rather than constructing raw requests with credentials.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing License and Compatibility MetadataThe skill manifest does not specify a license or compatibility field. While these are optional fields, their absence reduces transparency about the skill's intended use and compatibility constraints. The skill-author is listed as 'K-Dense Inc.' but no license is provided. File:
SKILL.mdRemediation: Add a valid SPDX license identifier (e.g., 'MIT', 'Apache-2.0') and specify compatibility information in the YAML frontmatter. -
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ Multiple Referenced Files Not Found in Skill PackageThe SKILL.md references numerous files that are not present in the skill package: templates/data-management.md, templates/workflow-creation.md, assets/resource-configuration.md, assets/verified-workflows.md, latch.py, templates/verified-workflows.md, assets/data-management.md, templates/resource-configuration.md, assets/workflow-creation.md. This means the skill's instructions point to non-existent resources, which could cause the agent to fail or behave unexpectedly when trying to access these files. File:
SKILL.mdRemediation: Ensure all referenced files are included in the skill package, or remove references to non-existent files from SKILL.md instructions. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Pre-Scan Flags Potential Environment Variable Exfiltration and Cross-File Exfiltration ChainStatic analysis pre-scan flagged BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access with network calls detected) and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain across 2 files) and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION. However, review of the provided file contents (SKILL.md and the four reference markdown files) does not reveal explicit environment variable harvesting or network exfiltration code. The referenced latch.py file was not found in the package. The static scanner may have flagged patterns in the Python code examples within the markdown files (e.g., get_secret(), Account.current(), execute_workflow() with network calls), or there may be unreported Python files. The latch.py file referenced but not found is particularly suspicious as it could contain malicious code. File:
references/data-management.mdRemediation: Investigate the missing latch.py file and any other Python files in the package. Audit all Python scripts for environment variable access combined with network calls. Ensure get_secret() usage is legitimate and does not exfiltrate credentials to external endpoints.
-
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded Report Generation May Cause Compute ExhaustionThe SKILL.md instructions explicitly state 'no token constraints' and 'Write fully, don't abbreviate' while targeting 50-66 pages of content with 27+ visual generation calls. The batch visual generation script can generate up to 27 images with a 2-minute timeout each (up to 54 minutes of subprocess execution). Combined with deep research-lookup integration and LaTeX compilation (3 xelatex passes), a single report generation could consume significant compute resources and run for extended periods without user confirmation checkpoints. File:
SKILL.mdRemediation: Add explicit user confirmation checkpoints before starting long-running operations. Implement progress reporting and allow cancellation. Set reasonable limits on the number of visuals generated by default. Remove 'no token constraints' language and replace with guidance on appropriate scope. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Broad Capability Claims in Description May Over-Activate SkillThe skill description claims to generate reports 'in the style of top consulting firms (McKinsey, BCG, Gartner)' and references multiple well-known brand names. While not malicious, this type of brand association in the description could cause the skill to be activated more broadly than intended, as agents may associate it with authoritative consulting outputs. The description also claims '50+ pages' and 'no token constraints' which may set unrealistic expectations and cause the agent to attempt unbounded generation. File:
SKILL.md:1Remediation: Revise the description to accurately describe capabilities without brand name association. Remove claims about 'no token constraints' as this could encourage unbounded resource consumption. Keep the description factual and scoped. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Static Analyzer False Positive: No Actual Exfiltration Chain DetectedThe pre-scan static analyzer flagged BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN, and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION. After manual review of all provided files (SKILL.md, generate_market_visuals.py, and all referenced markdown/asset files), no actual environment variable harvesting, credential access, or network exfiltration code was found. The Python script (generate_market_visuals.py) only uses subprocess to call other skill scripts with hardcoded prompt strings and output paths. No os.environ access, no network calls, no credential file reads. The static analyzer likely triggered on pattern matching across files that are not present in this package. Flagging as LOW informational finding only. File:
scripts/generate_market_visuals.pyRemediation: No remediation required. The static analyzer finding appears to be a false positive. The subprocess calls invoke other skill scripts (scientific-schematics, generate-image) with controlled, hardcoded arguments derived from user-supplied topic strings. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Dependency on External Skill Scripts Without Version VerificationThe generate_market_visuals.py script dynamically resolves paths to scripts in sibling skill directories (scientific-schematics, generate-image) using relative path traversal from the script's own location. There is no version pinning, integrity checking, or validation that these sibling skills are authentic. If a malicious actor replaces or modifies the sibling skill scripts, this skill would silently execute the compromised code. File:
scripts/generate_market_visuals.py:97Remediation: Consider adding a hash or signature check for the sibling skill scripts before execution. At minimum, verify the scripts exist and are regular files before invoking them. Document the expected versions of dependent skills in the manifest. -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Unsanitized User Input Passed to Subprocess Commands via String FormattingIn generate_market_visuals.py, the user-supplied --topic argument is interpolated directly into prompt strings via Python's str.format() method and then passed as a command-line argument to subprocess calls. While this is not a direct shell injection (subprocess.run is used with a list, not shell=True), a maliciously crafted topic string could potentially manipulate the prompt arguments passed to the downstream scientific-schematics and generate-image scripts. If those downstream scripts have their own vulnerabilities (e.g., shell=True usage or eval), the unsanitized topic could propagate malicious content. File:
scripts/generate_market_visuals.py:113Remediation: Sanitize the topic input before interpolation. Strip or escape special characters, shell metacharacters, and format string tokens. Consider validating topic length and character set. Add input validation at argument parsing time: e.g., restrict to alphanumeric characters, spaces, and common punctuation.
-
π΅ LOW
LLM_RESOURCE_ABUSEβ Numerical Simulation Pattern Contains Nested Loop Without Bounds CheckingThe SKILL.md instruction body includes a numerical simulation pattern (heat equation time-stepping) with a nested loop that iterates over a time range determined by parameters T and dt. If a user provides large values for T or small values for dt, this could result in an extremely large number of iterations, causing compute exhaustion. The skill does not include guidance on parameter validation or resource limits. File:
SKILL.mdRemediation: Add guidance in the skill instructions to validate simulation parameters before execution (e.g., warn if T/dt exceeds a reasonable threshold like 1e6 iterations). Recommend vectorized approaches or built-in ODE solvers (ode45) instead of manual time-stepping loops for large simulations. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Description in ManifestThe skill description is quite broad, claiming to handle matrix operations, data analysis, visualization, signal processing, image processing, differential equations, optimization, statistics, MATLAB/Python conversion, and script execution. While this may reflect the actual scope of the reference documentation, the description could trigger the skill for a very wide range of user queries, potentially displacing more specialized skills. File:
SKILL.mdRemediation: Consider narrowing the description to the core use case (MATLAB/Octave script generation and execution) to reduce over-broad activation. This is a minor concern and may be acceptable given the skill's legitimate scope. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Bash Runner Script Passes User-Controlled Input Directly to Shell CommandsThe references/executing-scripts.md file contains a portable Bash runner script (run_mfile.sh) that passes user-supplied arguments directly into matlab -batch and octave --eval commands without sanitization. If a user provides a malicious filename or command override containing shell metacharacters or injection payloads, this could lead to command injection when the script is executed. File:
references/executing-scripts.mdRemediation: Add input validation and sanitization to the runner script. Validate that FILE is a legitimate .m file path (e.g., using a regex or realpath check). Avoid passing raw user-supplied CMD strings directly to -batch or --eval. Consider using printf '%q' for shell quoting or restricting CMD to a whitelist of allowed function names. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Octave Package Installation from Arbitrary URLs Without Version PinningThe references/octave-compatibility.md file documents Octave package installation commands including installation from arbitrary URLs ('http://example.com/package.tar.gz') and from Octave Forge without version pinning. If the agent generates or executes these commands, it could install unpinned or untrusted packages. File:
references/octave-compatibility.mdRemediation: Add documentation notes warning against installing packages from arbitrary URLs. Recommend version-pinned installations and verification of package sources. The agent should prompt users to confirm package sources before generating installation commands. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Python Integration Reference Demonstrates HTTP Requests Using External Python LibrariesThe references/python-integration.md file contains example code that uses Python's 'requests' library to make HTTP GET requests to external URLs (https://api.example.com/data) and processes the response. While presented as an example, the agent may generate or execute similar code patterns when assisting users, potentially enabling data exfiltration if user-supplied URLs or data are involved. The static analyzer flagged environment variable access with network calls, which aligns with patterns in this reference file. File:
references/python-integration.mdRemediation: Add explicit warnings in the reference documentation that HTTP request examples should only be used with trusted, user-specified endpoints. Consider adding a note that the agent should not autonomously make network requests without explicit user confirmation of the target URL.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Key Exposed in Example CodeThe SKILL.md instruction body contains a hardcoded placeholder API key pattern in a Python code example:
"api_key": "sk-...". While this is a placeholder and not a real secret, it normalizes the pattern of embedding API keys directly in code and could mislead users into hardcoding real credentials in scripts rather than using environment variables. File:SKILL.mdRemediation: Replace the inline API key placeholder with an environment variable reference, e.g.,"api_key": os.getenv("OPENAI_API_KEY"), to promote secure credential handling practices. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md YAML frontmatter does not specify the
allowed-toolsfield. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools this skill may use, reducing transparency about the skill's intended capabilities. File:SKILL.mdRemediation: Add anallowed-toolsfield to the YAML frontmatter to explicitly declare which tools the skill requires, improving transparency and enabling enforcement of least-privilege access. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility Field in ManifestThe SKILL.md YAML frontmatter does not specify the
compatibilityfield, which would indicate which agent environments (e.g., Claude.ai, Claude Code, API) this skill is compatible with. This reduces discoverability clarity. File:SKILL.mdRemediation: Add acompatibilityfield to the YAML frontmatter to declare supported environments. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in SKILL.md at line 61 contains potentially dangerous Python code. File:
SKILL.md:61Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in SKILL.md at line 92 contains potentially dangerous Python code. File:
SKILL.md:92Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in SKILL.md at line 105 contains potentially dangerous Python code. File:
SKILL.md:105Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in SKILL.md at line 126 contains potentially dangerous Python code. File:
SKILL.md:126Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in SKILL.md at line 139 contains potentially dangerous Python code. File:
SKILL.md:139Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in SKILL.md at line 157 contains potentially dangerous Python code. File:
SKILL.md:157Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in SKILL.md at line 174 contains potentially dangerous Python code. File:
SKILL.md:174Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in SKILL.md at line 194 contains potentially dangerous Python code. File:
SKILL.md:194Remediation: Review the code block for security implications. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Key Placeholder in API Reference DocumentationThe references/api_reference.md file also contains a hardcoded API key placeholder
"api_key": "sk-..."in the credential creation example. This reinforces an insecure pattern of embedding credentials directly in code. File:references/api_reference.mdRemediation: Update documentation examples to reference environment variables for API keys rather than inline values, even as placeholders. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in references/configuration.md at line 116 contains potentially dangerous Python code. File:
references/configuration.md:116Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in references/examples.md at line 17 contains potentially dangerous Python code. File:
references/examples.md:17Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in references/examples.md at line 98 contains potentially dangerous Python code. File:
references/examples.md:98Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in references/examples.md at line 136 contains potentially dangerous Python code. File:
references/examples.md:136Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in references/examples.md at line 182 contains potentially dangerous Python code. File:
references/examples.md:182Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in references/examples.md at line 231 contains potentially dangerous Python code. File:
references/examples.md:231Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in references/examples.md at line 277 contains potentially dangerous Python code. File:
references/examples.md:277Remediation: Review the code block for security implications. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded Polling Loop in Source ProcessingThe
wait_for_processingfunction in scripts/source_ingestion.py implements a polling loop with a configurable timeout (default 300s), but the timeout is only enforced by elapsed time tracking. If the server is slow or unresponsive, the loop could consume resources for up to 5 minutes per source. Additionally, there is no exponential backoff, meaning it will hammer the server with requests every 5 seconds. File:scripts/source_ingestion.py:47Remediation: Add exponential backoff to the polling loop to reduce server load. Consider also adding a maximum retry count in addition to the timeout.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License and Compatibility MetadataThe skill manifest does not specify a license or compatibility field. While not a direct security threat, missing provenance metadata reduces auditability and trust assessment for the skill package. File:
SKILL.mdRemediation: Add a valid SPDX license identifier (e.g., 'MIT') and specify compatibility (e.g., 'Claude.ai, Claude Code, API') in the YAML frontmatter. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Referenced Files Not Found (ete3.py, matplotlib.py)The SKILL.md instructions reference 'ete3.py' and 'matplotlib.py' as files, but these files are not present in the skill package. These appear to be misidentified Python library imports rather than actual skill files. However, if these were intended as local instruction files, their absence could indicate incomplete packaging or a potential for future injection if the files are later added with malicious content. File:
SKILL.mdRemediation: Verify that these references are not intended as local instruction files. If they are library imports, remove them from the referenced files list. Ensure the skill package is complete and all referenced files are present. -
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ Missing allowed-tools DeclarationThe skill does not declare an 'allowed-tools' field in its YAML manifest. While this field is optional, the skill executes Bash subprocesses (mafft, iqtree2, FastTree) and Python code. Declaring allowed tools would help constrain the agent's tool usage and improve security posture. File:
SKILL.mdRemediation: Add 'allowed-tools: [Bash, Python]' to the YAML frontmatter to explicitly declare the tools this skill requires. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External DependenciesThe skill installs bioconda packages (mafft, iqtree, fasttree) and pip packages (ete3) without version pinning. Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be installed. File:
SKILL.md:18Remediation: Pin all dependencies to specific versions (e.g., 'conda install -c bioconda mafft=7.520 iqtree=2.2.6'). Consider using a conda environment file (environment.yml) with locked versions. -
π‘ MEDIUM
MDBLOCK_PYTHON_SUBPROCESSβ Python code block executes shell commandsCode block in SKILL.md at line 67 contains potentially dangerous Python code. File:
SKILL.md:67Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_SUBPROCESSβ Python code block executes shell commandsCode block in SKILL.md at line 100 contains potentially dangerous Python code. File:
SKILL.md:100Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_SUBPROCESSβ Python code block executes shell commandsCode block in SKILL.md at line 143 contains potentially dangerous Python code. File:
SKILL.md:143Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_SUBPROCESSβ Python code block executes shell commandsCode block in SKILL.md at line 198 contains potentially dangerous Python code. File:
SKILL.md:198Remediation: Review the code block for security implications.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License and Compatibility MetadataThe skill manifest does not specify a license or compatibility information. The license is listed as 'Unknown' and compatibility is 'Not specified'. For a skill that accesses and processes potentially sensitive biomedical data, the absence of clear licensing terms creates ambiguity about data usage rights and redistribution. Additionally, the skill references PrimeKG data from Harvard MIMS without clearly attributing the original data license (CC BY 4.0). File:
SKILL.mdRemediation: Add explicit license information (e.g., MIT for the skill code, with a note about PrimeKG's CC BY 4.0 data license) and specify compatibility requirements (e.g., Python version, OS requirements, WSL dependency). -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools DeclarationThe skill manifest does not declare an 'allowed-tools' field. The skill executes Python code and performs file I/O operations on large datasets. Without an explicit allowed-tools declaration, the agent has no manifest-level constraint on what tools this skill may use, reducing transparency about the skill's intended operational scope. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' field to the YAML frontmatter, e.g., 'allowed-tools: [Python, Read]' to document the intended tool usage and help agents enforce appropriate restrictions. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Repeated Full CSV Load on Every Function Call - Potential Resource ExhaustionThe _load_kg() helper function is called inside every public function (search_nodes, get_neighbors, find_paths, get_disease_context). Each call reads the entire 4-million-edge CSV file from disk into memory. Since get_disease_context calls both search_nodes and get_neighbors internally, a single user query triggers at least two full loads of a very large file. This can cause significant memory pressure and slow response times, and could be exploited by repeatedly invoking the skill to exhaust system memory or I/O resources. File:
scripts/query_primekg.pyRemediation: Implement module-level caching (e.g., a global variable with lazy initialization, or use functools.lru_cache) so the CSV is loaded only once per session. This reduces memory pressure and prevents resource exhaustion from repeated calls. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Hardcoded Absolute Path Exposing Developer's Local Filesystem StructureThe skill hardcodes an absolute path to a specific user's local filesystem in both the SKILL.md instructions and the Python script. The path 'C:\Users\eamon\Documents\Data\PrimeKG\kg.csv' (Windows) and '/mnt/c/Users/eamon/Documents/Data/PrimeKG/kg.csv' (WSL) reveals the developer's username ('eamon') and personal directory structure. This is a privacy/information disclosure issue and indicates the skill was not properly sanitized before distribution. On other users' machines, this hardcoded path will fail unless they happen to have the same directory structure, making the skill non-functional by default. File:
scripts/query_primekg.py:7Remediation: Replace the hardcoded path with a configurable path using an environment variable (e.g., os.environ.get('PRIMEKG_DATA_PATH', 'kg.csv')) or a relative path within the skill package. Document the required setup in the README.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License and Compatibility MetadataThe skill has no license specified (listed as 'Unknown') and no compatibility information. This missing provenance information makes it difficult to assess the trustworthiness and intended deployment context of the skill. While not a direct security threat, missing metadata reduces transparency and accountability. File:
SKILL.mdRemediation: Add a valid SPDX license identifier (e.g., MIT, Apache-2.0) and specify compatibility information to improve transparency and provenance tracking. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Retry Logic Without Maximum Backoff CapThe error handling example in SKILL.md implements exponential backoff for retries but does not cap the maximum backoff time. For server errors (HTTP 5xx), the backoff is 2^attempt seconds, which for max_retries=3 is only 4 seconds maximum. However, for rate limit errors (HTTP 429), it sleeps for the full Retry-After value without any cap, which could be arbitrarily large if a malicious or misconfigured server returns a very large Retry-After header value. File:
SKILL.mdRemediation: Cap the Retry-After sleep value to a reasonable maximum (e.g., max 300 seconds). Validate that the Retry-After header value is within expected bounds before sleeping. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Description Enabling Excessive ActivationThe skill description is extremely broad, covering protocol discovery, collaborative development, experiment tracking, lab protocol management, scientific documentation, workspace organization, file management, and more. This over-broad description increases the likelihood of the skill being activated in a wide range of scenarios, some of which may not require its full capabilities. The description lists many trigger keywords that could cause the agent to invoke this skill unnecessarily. File:
SKILL.mdRemediation: Narrow the description to the core use case. Avoid listing exhaustive trigger keywords in the description field. Use a concise, specific description that accurately reflects the primary purpose. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in SKILL.md at line 283 contains potentially dangerous Python code. File:
SKILL.md:283Remediation: Review the code block for security implications. -
π‘ MEDIUM
MDBLOCK_PYTHON_HTTP_POSTβ Python code block sends HTTP POST requestCode block in SKILL.md at line 310 contains potentially dangerous Python code. File:
SKILL.md:310Remediation: Review the code block for security implications. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Token Handling Guidance May Lead to Insecure PracticesThe skill's instructions and reference files repeatedly use placeholder patterns like 'YOUR_ACCESS_TOKEN' in code examples without sufficient emphasis on secure token storage mechanisms. While the best practices section mentions not storing tokens in code, the numerous inline examples showing tokens in headers could normalize insecure patterns for users implementing the skill. File:
references/authentication.mdRemediation: Add explicit warnings in code examples about not hardcoding tokens. Reference environment variable usage (e.g., os.environ.get('PROTOCOLS_IO_TOKEN')) in all Python examples rather than placeholder strings.
-
π΅ LOW
LLM_PROMPT_INJECTIONβ Multiple Referenced Files Not Found in Skill PackageThe SKILL.md references numerous files that are not present in the skill package: assets/integration.md, templates/policies.md, templates/training.md, assets/training.md, torch.py, templates/environments.md, pufferlib.py, assets/environments.md, assets/vectorization.md, assets/policies.md, templates/integration.md, gymnasium.py, templates/vectorization.md. The presence of torch.py, pufferlib.py, and gymnasium.py as referenced files is particularly notable - if these files were present, they could shadow legitimate Python modules (torch, pufferlib, gymnasium) and inject malicious code when imported. File:
SKILL.mdRemediation: Ensure all referenced files exist in the skill package. Investigate why torch.py, pufferlib.py, and gymnasium.py are referenced - if these files were to exist in the skill directory, they could shadow legitimate Python packages and represent a serious supply chain risk. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md manifest does not specify the allowed-tools field. While this is optional per the agent skills spec, the skill executes Python scripts and Bash commands (CLI training, torchrun distributed training). Declaring allowed-tools would improve transparency about what agent capabilities this skill requires. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python, Bash]' to the YAML frontmatter to explicitly declare the tools this skill uses. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External Package InstallationThe SKILL.md installation instructions use 'uv pip install pufferlib' without a pinned version. This means the installed package version is not deterministic and could be subject to supply chain attacks if a malicious version is published to PyPI. The skill also references multiple third-party RL frameworks (gymnasium, pettingzoo, procgen, nethack, etc.) without version constraints. File:
SKILL.mdRemediation: Pin the package version explicitly: 'uv pip install pufferlib=='. Consider using a lockfile or hash verification for reproducible installs. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Potential Secret Exposure via Logger Config SerializationThe WandbLogger is initialized with config=vars(args), which serializes all parsed arguments including the neptune_token field. If neptune_token is populated, it will be uploaded to Weights & Biases as part of the experiment configuration, potentially exposing the secret to anyone with access to the W&B project. File:
scripts/train_template.py:152Remediation: Sanitize the args namespace before passing to config: create a copy of vars(args) and remove sensitive fields like neptune_token before serialization. -
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Neptune API Token Passed via Command-Line ArgumentThe training script accepts a Neptune API token via the --neptune-token command-line argument and passes it directly to NeptuneLogger. While this is a common pattern, passing secrets as CLI arguments exposes them in process listings (ps aux), shell history, and system logs. The token is also stored in the parsed args namespace and could be logged if the config is serialized (e.g., via WandbLogger config=vars(args)). File:
scripts/train_template.py:161Remediation: Use environment variables (os.environ.get('NEPTUNE_API_TOKEN')) or a secrets manager instead of CLI arguments for API tokens. Remove the neptune_token from vars(args) before passing config to loggers.
-
π‘ MEDIUM
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Claims in Skill DescriptionThe skill description is extremely broad, claiming to handle a wide variety of healthcare AI tasks including EHR processing, clinical prediction, medical coding, physiological signals, multiple datasets, and deep learning models. While this may reflect the actual scope of the PyHealth library, the description functions as keyword baiting by listing numerous trigger terms (MIMIC-III/IV, eICU, OMOP, RETAIN, SafeDrug, Transformer, GNN, EEG, ECG, ICD, NDC, ATC) that could cause the skill to be invoked in a very wide range of contexts, potentially beyond its intended use. File:
SKILL.mdRemediation: Narrow the description to the core use case and avoid listing exhaustive keyword triggers. Provide a concise, accurate description of the skill's primary function without keyword baiting. -
π΅ LOW
LLM_HARMFUL_CONTENTβ Healthcare AI Skill Lacks Clinical Safety Disclaimers in InstructionsWhile the skill does include a 'Limitations and Considerations' section mentioning clinical validation, the instructions guide users through building clinical prediction models (mortality prediction, drug recommendation) without prominent safety disclaimers at the point of use. The skill could be used to build systems that influence clinical decisions, and the instructions do not sufficiently emphasize that outputs should not be used for direct clinical decision-making without proper validation and regulatory approval. File:
SKILL.mdRemediation: Add prominent safety disclaimers at the beginning of the SKILL.md instructions and at each clinical use case, clearly stating that models built with this skill are for research purposes only and must not be used for direct clinical decision-making without proper regulatory approval, clinical validation, and oversight. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility and Version MetadataThe skill does not specify a compatibility field, and no version information is provided in the manifest. This makes it difficult to assess the skill's intended operating environment and could lead to unexpected behavior across different agent platforms. File:
SKILL.mdRemediation: Add compatibility and version fields to the YAML manifest to clearly define the intended operating environment and version constraints. -
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ Missing allowed-tools DeclarationThe skill does not declare an allowed-tools field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be used. Given that this skill references numerous internal files and could potentially execute Python code for healthcare ML workflows, declaring allowed-tools would improve security posture and limit the attack surface. File:
SKILL.mdRemediation: Add an explicit allowed-tools declaration to the YAML manifest. For a documentation/guidance skill like this, consider restricting to [Read] if no code execution is needed, or explicitly list [Read, Python] if Python execution is required for the ML workflows.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md YAML frontmatter does not specify the 'allowed-tools' field. The skill executes Python scripts and makes network calls to the Materials Project API. While this field is optional per the spec, its absence means there are no declared tool restrictions, which reduces transparency about the skill's actual capabilities (network access, file I/O, Python execution). File:
SKILL.mdRemediation: Add an explicit allowed-tools field to the YAML frontmatter listing the tools actually used, e.g.: allowed-tools: [Python, Bash]. This improves transparency and allows the agent runtime to enforce appropriate restrictions. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package DependenciesThe SKILL.md installation instructions use unpinned package versions (e.g., 'uv pip install pymatgen', 'uv pip install mp-api'). The version requirements in the skill only specify minimum versions (pymatgen >= 2023.x, mp-api without version pin). Unpinned dependencies can lead to supply chain risks if a malicious version is published to PyPI, or unexpected breakage from API changes. File:
SKILL.mdRemediation: Pin dependencies to specific known-good versions (e.g., pymatgen==2024.6.10, mp-api==0.41.2). Use a requirements.txt or pyproject.toml with exact version pins and hash verification where possible. -
π‘ MEDIUM
BEHAVIOR_ENV_VAR_HARVESTINGβ Environment variable harvesting detectedScript iterates through environment variables in scientific-skills/pymatgen/scripts/phase_diagram_generator.py File:
scientific-skills/pymatgen/scripts/phase_diagram_generator.pyRemediation: Remove environment variable collection unless explicitly required and documented -
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Key Passed Explicitly to MPRester in ScriptIn phase_diagram_generator.py, the MP_API_KEY environment variable is retrieved and then passed explicitly as a positional argument to MPRester(api_key). While the key is sourced from an environment variable (which is acceptable practice), the explicit passing pattern and the static analyzer's cross-file env var exfiltration flag warrant review. The key is used legitimately for Materials Project API access, but the pattern of reading env vars and making network calls is flagged. In this context, the usage appears legitimate and intentional for the skill's stated purpose. File:
scripts/phase_diagram_generator.pyRemediation: This usage is legitimate for the skill's stated purpose. However, document clearly that MP_API_KEY is only used for Materials Project API calls. Consider validating the API key format before use. The SKILL.md already documents this requirement clearly.
-
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Files Named After Standard Python Libraries Could Shadow ImportsThe skill references files named sklearn.py and sksurv.py. If these files exist in the working directory when the agent executes Python code, they would shadow the legitimate scikit-learn and scikit-survival library imports, potentially causing import errors or, if the files contain malicious code, executing that code instead of the intended library functions. This is a Python module shadowing risk. File:
SKILL.mdRemediation: Remove references to sklearn.py and sksurv.py from the skill package. Never create files with names that shadow standard Python library packages. If these files are intended as helper scripts, rename them to avoid conflicts (e.g., sklearn_helpers.py, sksurv_utils.py). -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe skill manifest does not declare an allowed-tools field. While this is optional per the spec, the skill instructs the agent to load and execute Python code examples and reference files. Without explicit tool restrictions, the agent may use broader tool access than necessary for a documentation/guidance skill. File:
SKILL.mdRemediation: Add an explicit allowed-tools declaration such as [Read] since this skill primarily provides guidance and reference documentation rather than executing code directly. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Description in ManifestThe skill description is very broad and covers a wide range of survival analysis tasks. While this is largely accurate for the scikit-survival library, the description could trigger the skill for a wide variety of data science tasks beyond its intended scope. The description lists many specific model types and use cases that could cause the skill to be activated in contexts where simpler tools would suffice. File:
SKILL.mdRemediation: Narrow the description to focus on the primary use case and avoid listing every possible trigger keyword. This reduces the risk of unintended skill activation. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Multiple Referenced Files Not Found in PackageThe skill references numerous files that are not present in the package (sklearn.py, sksurv.py, assets/, templates/). This creates a fragmented and incomplete skill package. While not directly malicious, missing files could cause the agent to attempt to locate or fetch these files from external sources, or could indicate an incomplete/tampered package. File:
SKILL.mdRemediation: Ensure all referenced files are included in the skill package. Remove references to non-existent files or clarify that they are optional. Avoid referencing files named after well-known Python packages (sklearn.py, sksurv.py) as these names could shadow legitimate imports.
-
π‘ MEDIUM
LLM_DATA_EXFILTRATIONβ Static Analyzer Flags Cross-File Exfiltration Chain and Environment Variable AccessThe pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls), BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain across 2 files), and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION (cross-file env var exfiltration across 2 files). The skill package inventory reports 6 Python files, but none were provided for review in the submitted content. The referenced 'vaex.py' file was listed as not found. These static findings suggest potentially malicious Python scripts exist in the package that were not surfaced for analysis. Without access to the flagged Python files, the full scope of the threat cannot be confirmed, but the combination of environment variable harvesting and network calls is a strong indicator of data exfiltration behavior. Remediation: Audit all 6 Python files in the package, particularly any that access os.environ, os.getenv, or environment variables alongside network calls (requests, urllib, http.client, socket, etc.). Remove any code that harvests credentials or environment variables and transmits them to external endpoints. Ensure vaex.py and all other scripts are reviewed before deployment.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools MetadataThe skill manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. Given the skill's scope involves file I/O and data processing, documenting allowed tools would improve transparency. File:
SKILL.mdRemediation: Add an 'allowed-tools' field to the YAML frontmatter listing the tools this skill legitimately requires, e.g., allowed-tools: [Python, Read, Write]. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility MetadataThe skill manifest does not specify the 'compatibility' field, leaving users without information about which environments (Claude.ai, Claude Code, API) this skill is designed to work with. This is a minor documentation gap. File:
SKILL.mdRemediation: Add a 'compatibility' field to the YAML frontmatter, e.g., compatibility: Claude Code, API.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Overly Broad Skill Activation DescriptionThe skill description is very broad and contains extensive trigger conditions designed to maximize activation across a wide range of user requests involving spreadsheets. While this appears to be a legitimate productivity skill, the description includes aggressive trigger language ('Trigger especially when...', 'even casually') that could cause the skill to activate in more scenarios than strictly necessary, potentially processing sensitive user files unexpectedly. File:
SKILL.mdRemediation: Narrow the activation criteria to be more precise and less aggressive. Avoid language that encourages activation on casual or ambiguous references to spreadsheet files. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Missing Version Pins on Implicit DependenciesThe skill relies on several third-party Python packages (openpyxl, pandas, defusedxml, lxml) without specifying pinned versions in the skill package. The SKILL.md instructions reference these libraries directly. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be installed. The skill also references 'openpyxl.py' as a referenced file that was not found, suggesting possible confusion between the library and a local file. File:
SKILL.mdRemediation: Include a requirements.txt or pyproject.toml with pinned dependency versions (e.g., openpyxl==3.1.2, pandas==2.1.0, defusedxml==0.7.1, lxml==4.9.3). This prevents supply chain attacks via dependency version hijacking. -
π‘ MEDIUM
LLM_COMMAND_INJECTIONβ Dynamic Shared Library Compilation and LD_PRELOAD InjectionThe soffice.py script dynamically compiles a C shared library from an embedded source string (_SHIM_SOURCE) using gcc, writes it to the system temp directory, and then injects it via LD_PRELOAD into LibreOffice subprocess calls. While the stated purpose is to work around AF_UNIX socket restrictions in sandboxed environments, this pattern is a classic technique for code injection and privilege escalation. The compiled shim intercepts socket(), listen(), accept(), and close() system calls. If the _SHIM_SOURCE string were ever modified (e.g., via supply chain compromise or indirect injection), arbitrary code could be executed with LD_PRELOAD privileges. File:
scripts/office/soffice.pyRemediation: 1. Add integrity verification (e.g., hash check) of the compiled shim before use. 2. Consider whether this shim is strictly necessary or if there are safer alternatives. 3. Ensure the temp directory is not world-writable or use a more secure location. 4. Check if _SHIM_SO already exists before trusting it (currently it does, but without integrity verification). -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Environment Variable Access in soffice.pyThe soffice.py script calls os.environ.copy() to copy the entire environment and passes it to subprocess calls running LibreOffice. While this is a common and generally legitimate pattern for subprocess execution, it means all environment variables (which may include secrets, API keys, tokens, etc.) are passed to the LibreOffice process. The static analyzer flagged this as a potential env var exfiltration chain across files. In context, this appears to be legitimate behavior needed for LibreOffice to function, but it is worth noting. File:
scripts/office/soffice.pyRemediation: Consider filtering the environment to only pass variables required by LibreOffice rather than copying the entire environment. Document which environment variables are needed and explicitly include only those. -
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ LibreOffice Macro Installation Without User ConsentThe recalc.py script automatically installs a LibreOffice macro (RecalculateAndSave) into the user's LibreOffice configuration directory (~/.config/libreoffice or ~/Library/Application Support/LibreOffice) without explicit user notification or consent. This modifies the user's system configuration as a side effect of running the skill. File:
scripts/recalc.pyRemediation: Inform the user before modifying their LibreOffice configuration. Add a check or prompt before writing to system configuration directories. Document this behavior clearly in the skill description.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License and Compatibility MetadataThe skill does not specify a license or compatibility field in the YAML manifest. While these are optional fields, their absence reduces transparency about the skill's intended deployment environment and usage rights. The author field is present (K-Dense, Inc.) but without a license, users cannot determine redistribution or usage rights. File:
SKILL.mdRemediation: Add license (e.g., MIT, Apache-2.0) and compatibility fields to the YAML manifest to improve transparency and help users understand where the skill is intended to be used. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Referenced File adaptyv.py Not Found in PackageThe skill instructions reference
adaptyv.pyas a file within the package, but this file was not found. Missing referenced files could indicate an incomplete package or that the agent may attempt to locate or execute a file that does not exist, potentially leading to unexpected behavior or errors. File:SKILL.mdRemediation: Ensure all referenced files are included in the skill package. If adaptyv.py is optional, document this clearly in the instructions. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Skill Activation Triggers in DescriptionThe skill description includes an extensive list of activation triggers including specific import statements (
adaptyv,adaptyv_sdk,FoundryClient), domain references (foundry-api-public.adaptyvbio.com), and broad assay terminology. While this is a legitimate API integration skill, the breadth of keyword triggers could cause the skill to activate in contexts where it is not needed, potentially interfering with other skills or workflows. File:SKILL.mdRemediation: Narrow the activation triggers to the most specific and unambiguous terms. Avoid triggering on generic scientific terminology like 'protein binding assays' that may appear in unrelated contexts.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Multiple Referenced Files Not Found in PackageThe skill references numerous files across 'assets/', 'templates/', and some 'references/' paths that are not present in the package (e.g., assets/similarity_search.md, templates/regression.md, sklearn.py, matplotlib.py, aeon.py). While most of these appear to be documentation stubs, the presence of references to non-existent files like 'sklearn.py', 'matplotlib.py', and 'aeon.py' is unusual. If these were intended to be executable scripts, their absence could indicate an incomplete or tampered package. File:
SKILL.mdRemediation: Audit the skill package to ensure all referenced files are present and accounted for. Remove references to files that do not exist or are not needed. Investigate the purpose of 'sklearn.py', 'matplotlib.py', and 'aeon.py' references β if these are meant to be scripts, they should be included and reviewed for security. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools MetadataThe skill does not specify the 'allowed-tools' field in its YAML frontmatter. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be used. This is informational only. File:
SKILL.mdRemediation: Consider adding an 'allowed-tools' field to the YAML frontmatter to explicitly declare which tools this skill requires, improving transparency and enabling tool restriction enforcement. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility MetadataThe skill does not specify the 'compatibility' field in its YAML frontmatter. This is informational only and does not represent a security risk, but reduces transparency about where the skill is intended to operate. File:
SKILL.mdRemediation: Add a 'compatibility' field to the YAML frontmatter to clarify which platforms or environments this skill is designed for. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package InstallationThe skill instructs installation of the 'aeon' package without a pinned version number. This means any future version of the package could be installed, including potentially compromised versions. While this is a common practice, it introduces supply chain risk. File:
SKILL.mdRemediation: Pin the package to a specific known-good version, e.g., 'uv pip install aeon==0.10.0', and consider verifying package integrity via hash checking.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe skill does not declare an 'allowed-tools' field in its YAML frontmatter. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be invoked. For a data-handling skill that reads and writes files, declaring allowed tools improves transparency and auditability. File:
SKILL.mdRemediation: Add an 'allowed-tools' field to the YAML frontmatter listing the tools actually needed, e.g., 'allowed-tools: [Python, Read, Write]'. This improves security posture and makes the skill's capabilities explicit. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility Field in ManifestThe skill does not specify a 'compatibility' field in its YAML frontmatter. This is a minor documentation gap that reduces transparency about which environments the skill is designed to operate in. File:
SKILL.mdRemediation: Add a 'compatibility' field to the YAML frontmatter, e.g., 'compatibility: Claude.ai, Claude Code, API'. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation in InstructionsThe installation instructions use 'uv pip install anndata' without pinning to a specific version. This means the skill could install a different (potentially compromised or incompatible) version of the package at any time, introducing supply chain risk. File:
SKILL.md:18Remediation: Pin the package to a specific known-good version, e.g., 'uv pip install anndata==0.10.x'. Consider also pinning key dependencies like scipy, numpy, and pandas. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Remote Data Access Pattern Without Security GuidanceThe io_operations reference file documents reading data directly from remote URLs (S3, HTTPS) using fsspec and urllib.request.urlretrieve without any guidance on validating the source, checking TLS certificates, or sanitizing the downloaded content. While this is standard library usage, the skill provides no security guidance around these patterns. File:
references/io_operations.mdRemediation: Add a note in the documentation advising users to only load data from trusted sources, verify URLs before use, and be cautious about loading h5ad/zarr files from untrusted origins as these binary formats could potentially contain malicious payloads.
- π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing compatibility and allowed-tools metadataThe skill manifest does not specify 'compatibility' or 'allowed-tools' fields. While these are optional per the agent skills spec, their absence means there is no declared scope of tool usage or platform compatibility, making it harder to audit the skill's intended behavior boundaries. File:
SKILL.mdRemediation: Add 'compatibility' and 'allowed-tools' fields to the YAML frontmatter to explicitly declare the intended execution environment and permitted tools (e.g., allowed-tools: [Python, Bash]).
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Description May Trigger Unnecessary ActivationThe skill description is very broad and comprehensive, listing many trigger conditions including 'coordinate transformations, unit conversions, FITS file manipulation, cosmological distance calculations, time scale conversions, or astronomical data processing.' While this accurately reflects astropy's capabilities, the breadth of the description could cause the skill to be activated for a wide range of astronomy-related queries, even when simpler solutions might suffice. This is a minor concern and not a significant threat. File:
SKILL.mdRemediation: Consider narrowing the activation criteria to more specific use cases where astropy is genuinely required, rather than listing all possible astronomy topics. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md manifest does not specify the 'allowed-tools' field. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools this skill can use. Given that astropy workflows involve reading FITS files, writing output files, and executing Python code, declaring the expected tools would improve transparency and security posture. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools actually needed, such as [Python, Read, Write] to make the skill's intended capabilities clear. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package InstallationThe installation instructions use 'uv pip install astropy' and 'uv pip install astropy[all]' without specifying a version pin. This means the installed version could change over time, potentially introducing breaking changes or, in a supply chain attack scenario, a compromised version. While astropy is a well-maintained, reputable package, unpinned installations are a general best practice concern. File:
SKILL.mdRemediation: Pin the astropy version in installation instructions, e.g., 'uv pip install astropy==6.1.0'. Consider also pinning optional dependencies when using astropy[all]. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ External Network Access for Named Object Lookup and Observatory DataThe skill instructions and reference files document functionality that makes network requests, including SkyCoord.from_name() for querying online catalogs (e.g., Simbad/NED), EarthLocation.of_site() for observatory lookups, EarthLocation.of_address() for geocoding, and download_file() for downloading remote FITS files. While these are legitimate astropy features, they involve outbound network connections that could expose user data or be used to fetch untrusted content. The download_file() utility in wcs_and_other_modules.md explicitly downloads from arbitrary URLs. File:
references/wcs_and_other_modules.mdRemediation: Document clearly in the skill that network-dependent features (from_name, of_site, of_address, download_file) require internet access and may send query data to external services. Advise users to validate URLs before passing them to download_file().
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License InformationThe skill manifest does not specify a license. While not a direct security threat, this is a missing metadata field that could affect trust and provenance assessment of the skill package. File:
SKILL.mdRemediation: Add a proper license field to the YAML frontmatter (e.g., 'license: MIT') to improve transparency and provenance. -
π΅ LOW
LLM_PROMPT_INJECTIONβ Several Referenced Files Not Found in Skill PackageThe skill references multiple files (assets/sdk_reference.md, benchling_sdk.py, templates/authentication.md, assets/authentication.md, templates/sdk_reference.md, Bio.py) that are not present in the skill package. While this is not an active threat, missing referenced files could lead the agent to seek these resources from external or user-provided sources, potentially introducing indirect prompt injection risk if the agent attempts to resolve them from untrusted locations. File:
SKILL.mdRemediation: Ensure all referenced files are included in the skill package, or remove references to files that do not exist. Do not allow the agent to substitute missing internal files with externally sourced content. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools DeclarationThe skill does not declare an 'allowed-tools' field in the YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools this skill can invoke, reducing transparency about the skill's intended scope. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' field to the YAML frontmatter to document which tools the skill is expected to use (e.g., allowed-tools: [Python, Bash]). -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionsThe skill's SDK reference documentation recommends installing the benchling-sdk package without pinning to a specific version (e.g., 'pip install benchling-sdk' or 'poetry add benchling-sdk'). Unpinned dependencies are susceptible to supply chain attacks where a malicious version could be published and automatically installed. File:
references/sdk_reference.mdRemediation: Pin the dependency to a specific known-good version (e.g., 'pip install benchling-sdk==X.Y.Z') and verify package integrity using hash verification. Avoid installing pre-release versions in production.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing License InformationThe skill manifest declares 'license: Unknown', which provides no provenance information for users or organizations evaluating the skill for deployment. While not a direct security threat, unknown licensing can indicate unvetted or improperly attributed code. File:
SKILL.mdRemediation: Specify the actual license (e.g., MIT, Apache 2.0) or remove the field if not applicable. Ensure the skill author (K-Dense Inc.) clarifies licensing terms. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility and Allowed-Tools MetadataThe skill does not specify 'compatibility' or 'allowed-tools' in its YAML manifest. While these fields are optional per the spec, their absence means there are no declared restrictions on tool usage, and users cannot easily assess deployment compatibility. The skill instructs use of Bash (grep commands) and Python execution, which are not declared. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python, Bash, Read, Grep]' and a compatibility field to the manifest to clearly document intended tool usage and deployment environments. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionThe skill instructs users to install biopython via 'uv pip install biopython' without specifying a version pin. This exposes users to supply chain risks where a compromised or malicious future version of biopython could be installed. The skill itself claims to be for Biopython 1.85 but does not enforce this in the install command. File:
SKILL.mdRemediation: Pin the package version in the install instruction: 'uv pip install biopython==1.85'. This ensures reproducibility and reduces supply chain risk from unexpected version upgrades.
-
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Missing License InformationThe skill manifest does not specify a license. This is a minor provenance concern as users cannot determine the terms under which the skill is distributed or used. File:
SKILL.mdRemediation: Add a valid SPDX license identifier (e.g., 'MIT', 'Apache-2.0') to the YAML frontmatter. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Missing Compatibility and Allowed-Tools MetadataThe skill does not specify 'compatibility' or 'allowed-tools' fields in the YAML manifest. While these are optional, their absence means there are no declared restrictions on tool usage, and users cannot determine which environments the skill is designed for. This is informational only. File:
SKILL.mdRemediation: Add 'compatibility' and 'allowed-tools' fields to the YAML frontmatter to document intended usage environments and tool restrictions. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Several Referenced Files Not Found in Skill PackageThe skill instructions reference multiple files that are not present in the skill package: cellxgene_census.py, assets/common_patterns.md, tiledbsoma.py, templates/census_schema.md, scanpy.py, templates/common_patterns.md, assets/census_schema.md. While references/common_patterns.md and references/census_schema.md are present, the missing files could indicate an incomplete package or broken references. This is a minor integrity concern. File:
SKILL.mdRemediation: Ensure all referenced files are included in the skill package, or remove references to non-existent files from the instructions. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionsThe skill instructs users to install packages using 'uv pip install cellxgene-census' and 'uv pip install cellxgene-census[experimental]' without specifying version pins. This could expose users to supply chain risks if a malicious version of the package is published or if a breaking/insecure update is released. File:
SKILL.mdRemediation: Pin the package to a specific known-good version, e.g., 'uv pip install cellxgene-census==1.x.y', and document the tested version in the skill manifest.
- π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and compatibility metadataThe skill manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on what tools the agent may use when executing this skill. Given the skill's scope (distributed computing, file I/O, network cluster connections), documenting intended tool usage would improve transparency. File:
SKILL.mdRemediation: Add 'allowed-tools' and 'compatibility' fields to the YAML frontmatter to document intended tool restrictions and supported environments.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Keys Read from Environment Variables and .env FilesThe skill instructs the agent to read API keys from environment variables (e.g., $FRED_API_KEY, $NASA_API_KEY, etc.) and from a .env file in the current working directory. While this is a common and generally acceptable pattern for credential management, the skill accesses a large number of sensitive credentials (18+ API keys) from the environment. The static analyzer flagged 'BEHAVIOR_ENV_VAR_EXFILTRATION' and 'BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION', indicating that environment variable access is combined with network calls. In a legitimate skill, these keys are used to authenticate to the listed public APIs. However, the pattern of reading many environment variables and then making network calls is worth noting as a potential risk surface if the skill were modified maliciously. File:
SKILL.mdRemediation: This pattern is acceptable for legitimate use. Ensure the .env file is not world-readable and that API keys are scoped to the minimum necessary permissions. Users should audit which environment variables are present before running this skill. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License and Compatibility MetadataThe skill does not specify a license or compatibility field in the YAML manifest. While this is a LOW severity informational finding per the skill spec (these fields are optional), the absence of license information is notable given that the skill accesses commercial and restricted APIs (DrugBank requires paid license, COSMIC requires registration, BRENDA requires registration). Users may inadvertently violate terms of service. File:
SKILL.mdRemediation: Add license and compatibility metadata to the YAML frontmatter. Document any API terms-of-service restrictions, particularly for DrugBank (paid), COSMIC (registration required), and BRENDA (registration required). -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Overly Broad Capability Claims in DescriptionThe skill description claims to cover 78 databases across an extremely wide range of domains (physics, astronomy, earth sciences, chemistry, biology, genomics, disease, clinical, regulatory, economics, finance, demographics). While the skill does appear to implement these capabilities through reference files, the breadth of the description ('Use when looking up compounds, genes, proteins, pathways, variants, clinical trials, patents, economic indicators, or any public database API query') could cause the skill to be activated for nearly any information lookup query, potentially displacing more targeted skills or causing over-activation. File:
SKILL.mdRemediation: Consider narrowing the activation description to be more specific about the types of queries this skill is best suited for, rather than claiming it should be used for 'any public database API query'.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe skill does not declare an 'allowed-tools' field in its YAML manifest. While this is optional per the agent skills spec, it means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be used. The scripts execute Python code, load files, and interact with external services (HuggingFace model downloads), so documenting tool usage would improve transparency. File:
SKILL.mdRemediation: Add an 'allowed-tools' field to the YAML frontmatter listing the tools actually used, e.g., allowed-tools: [Python, Bash, Read, Write] -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionsThe skill instructs users to install deepchem without version pinning (e.g., 'uv pip install deepchem', 'uv pip install deepchem[torch]', 'uv pip install deepchem[all]'). Unpinned installations are vulnerable to supply chain attacks where a compromised or malicious package version could be installed. Additionally, the scripts import deepchem and other libraries without version validation. File:
SKILL.mdRemediation: Pin package versions explicitly, e.g., 'uv pip install deepchem==2.7.1'. Consider adding a requirements.txt with pinned versions and hashes for reproducibility and supply chain security. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ User-Provided File Paths Passed Directly to LoadersIn all three scripts, user-supplied file paths (--data, --smiles-col, --target-col arguments) are passed directly to DeepChem's CSVLoader without path validation or sanitization. While this is standard Python behavior and not a direct exfiltration risk, it could allow path traversal to read arbitrary CSV files on the filesystem if the agent passes user-controlled input to these scripts. File:
scripts/predict_solubility.py:100Remediation: Add input validation to ensure data_path is within expected directories. Consider using pathlib.Path to resolve and validate paths before passing them to loaders. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ External Model Downloads from HuggingFace HubThe transfer_learning.py script downloads pretrained models from HuggingFace Hub (e.g., 'seyonec/ChemBERTa-zinc-base-v1', 'ibm/MoLFormer-XL-both-10pct', 'Rostlab/prot_bert') at runtime without integrity verification. If these model repositories are compromised or the model IDs are typosquatted, malicious model weights could be downloaded and executed. The GROVER model also writes to a local directory './grover_pretrained'. File:
scripts/transfer_learning.py:37Remediation: Document the expected model checksums/hashes. Consider pinning specific model revisions using HuggingFace's 'revision' parameter. Warn users that model downloads occur and advise verifying model provenance before use.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md manifest does not specify the 'allowed-tools' field. While this is an optional field per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may use. The skill executes Python scripts and generates bash scripts, so documenting tool usage would improve transparency. File:
SKILL.mdRemediation: Add an 'allowed-tools' field to the YAML frontmatter listing the tools actually used, e.g., 'allowed-tools: [Bash, Python, Read, Write]'. This improves auditability and helps users understand the skill's capabilities. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility FieldThe SKILL.md manifest does not specify the 'compatibility' field. This is a minor documentation gap that reduces transparency about where the skill is intended to be used. File:
SKILL.mdRemediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments (e.g., 'Claude.ai, Claude Code, API').
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ External Data Download Without Integrity VerificationThe skill instructs downloading large data files from external URLs (figshare.com, depmap.org) using a streaming download function with no checksum verification, signature validation, or integrity checks. A compromised or man-in-the-middle response could deliver malicious CSV data that gets loaded into pandas DataFrames and processed by the agent. File:
SKILL.mdRemediation: Add checksum verification (SHA256) after download. Compare against known-good hashes published by DepMap. Use HTTPS strictly and consider pinning expected file sizes or hashes for each versioned release. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Static Analysis Flags Cross-File Exfiltration Chain and Environment Variable AccessThe pre-scan static analysis detected BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls) and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN across 2 files. While no explicit script files were provided for review, the skill package reportedly contains 10 Python files that were not surfaced in the analysis. These static findings warrant investigation of the unreported Python files for credential harvesting or data exfiltration patterns. File:
SKILL.mdRemediation: Audit all 10 Python files in the skill package for environment variable access (os.environ, os.getenv) combined with outbound network calls. Ensure no credentials or environment data are transmitted to external endpoints. The discrepancy between reported Python file count and 'no script files found' should be investigated. -
π΅ LOW
LLM_PROMPT_INJECTIONβ External Data Sources Loaded Into Agent Context Without SanitizationThe skill downloads and loads CSV files from external sources (DepMap portal, figshare) directly into pandas DataFrames that are then processed and interpreted by the agent. Maliciously crafted CSV content (e.g., cells containing instruction-like text) could potentially influence agent behavior when the data is summarized or displayed. This is a low-severity indirect prompt injection risk via external data. File:
SKILL.mdRemediation: Treat all externally downloaded data as untrusted. Validate column names and cell values against expected schemas before presenting to the agent. Sanitize string fields that may be rendered in agent output. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External Dependencies and Incomplete Download URLThe skill references external packages (requests, pandas, scipy, numpy) without version pinning. Additionally, the figshare download URL is incomplete (placeholder '...'). Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be installed. The incomplete URL also suggests the skill may not be fully validated. File:
SKILL.mdRemediation: Pin all dependency versions (e.g., requests==2.31.0, pandas==2.1.0). Complete and validate all download URLs. Consider using a requirements.txt with hashed dependencies.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md manifest does not specify the 'allowed-tools' field. While this field is optional per the agent skills spec, the skill executes Python scripts and Bash commands (git clone, docker pull, conda, python -m inference, gnina, etc.), so documenting the required tools would improve transparency and security posture. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python, Bash, Read, Write]' to the YAML frontmatter to explicitly declare the tools this skill requires. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility Field in ManifestThe SKILL.md manifest does not specify the 'compatibility' field. Given that the skill requires GPU hardware, CUDA, and specific Python packages, documenting compatibility constraints would help users understand the environment requirements. File:
SKILL.mdRemediation: Add a 'compatibility' field specifying required environment (e.g., GPU with CUDA, Linux/macOS, specific Python version).
-
π΅ LOW
LLM_COMMAND_INJECTIONβ eval/exec Usage in Code Examples (Static Analyzer Flag)The static analyzer flagged a Python eval/exec usage in the skill's code blocks. After reviewing all code in SKILL.md and the referenced files (api_reference.md, workflows.md, visualization.md), no actual use of eval() or exec() with user-controlled input was found. The flag appears to be a false positive from pattern matching on documentation text. All code examples use standard ETE3 library calls without dynamic code execution. This is noted as LOW severity for awareness. File:
SKILL.mdRemediation: No action required. The static analyzer finding appears to be a false positive. Continue to avoid eval/exec with user-controlled input in any future script additions. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ NCBI Taxonomy Database Download to Home DirectoryThe skill automatically downloads ~300MB of NCBI taxonomy data to ~/.etetoolkit/taxa.sqlite on first use of NCBITaxa. While this is standard ETE3 behavior and not malicious, users should be aware that the skill initiates a network download to a fixed home directory path without explicit user confirmation beyond the initial NCBITaxa() call. This is a minor transparency concern rather than a security threat. File:
SKILL.mdRemediation: Document clearly in skill description that first use of NCBI taxonomy features will download ~300MB to ~/.etetoolkit/. Consider prompting user for confirmation before initiating the download in any wrapper scripts. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package InstallationThe installation instructions use 'uv pip install ete3' and 'uv pip install ete3[gui]' without version pinning. This means the skill will install whatever the latest version of ete3 is at install time, which could introduce breaking changes or supply chain risks if the package is compromised. This is a minor supply chain hygiene concern. File:
SKILL.mdRemediation: Pin the ete3 package to a specific known-good version, e.g., 'uv pip install ete3==3.1.3'. Document the tested version in the skill manifest.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Claims in Skill DescriptionThe skill description claims support for '200+ file formats' across six major scientific domains. The actual implementation in eda_analyzer.py only performs substantive data analysis for a small subset (CSV, TSV, NPY, NPZ, JSON, HDF5, FASTA, FASTQ, TIFF/PNG/JPG). For the vast majority of claimed formats, the script only detects the file type and returns format metadata from reference files without actual data analysis. This discrepancy between claimed and actual capabilities could lead to over-activation of the skill for files it cannot meaningfully analyze. File:
SKILL.mdRemediation: Update the description to accurately reflect which formats receive full analysis versus format identification only. This improves user expectations and reduces inappropriate skill activation. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Use of eval/exec in Python Code Block (Static Analyzer Flag)The static analyzer flagged a potential eval/exec usage in a Python code block. Upon review of the actual script (scripts/eda_analyzer.py), no direct use of eval() or exec() with user-controlled input was found. The script uses standard library calls (json.load, open, re.search, numpy, pandas, h5py, PIL, Bio.SeqIO). The flag may be a false positive from pattern matching on code examples in the markdown documentation. No exploitable command injection via eval/exec was confirmed in the actual executable code. File:
scripts/eda_analyzer.pyRemediation: Verify the static analyzer finding. If eval/exec appears in any code path, replace with safe alternatives. The current script appears safe in this regard. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded File Loading for FASTA/FASTQ SequencesThe analyze_bioinformatics() function loads FASTA sequences entirely into memory with list(SeqIO.parse(filepath, 'fasta')) without any size limit. For very large FASTA files (e.g., whole genome assemblies, large protein databases), this could exhaust available memory. FASTQ is capped at 10,000 reads, but FASTA has no such limit. File:
scripts/eda_analyzer.py:193Remediation: Apply the same sampling limit used for FASTQ (e.g., first 10,000 sequences) to FASTA parsing. Use itertools.islice() or a counter to limit memory consumption: sequences = list(itertools.islice(SeqIO.parse(filepath, 'fasta'), 10000)) -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Full Absolute File Path Disclosed in Generated ReportsThe generate_markdown_report() function includes the full absolute file path of the analyzed file in the generated markdown report (basic['path'] = str(file_path.absolute())). This could expose sensitive directory structure information (e.g., usernames, project names, internal paths) in reports that may be shared externally. File:
scripts/eda_analyzer.py:232Remediation: Consider using only the filename or a relative path in reports, or provide an option to redact the full path. At minimum, document that reports may contain sensitive path information. -
π΅ LOW
LLM_PROMPT_INJECTIONβ User-Provided File Paths Passed to File Parsers Without SanitizationThe skill accepts arbitrary file paths from user input (sys.argv[1]) and passes them directly to file parsing libraries (numpy, pandas, h5py, PIL, Bio.SeqIO, etc.). While this is expected behavior for a data analysis tool, there is no validation to prevent path traversal (e.g., ../../etc/passwd) or access to sensitive system files. A malicious user could direct the agent to analyze sensitive files outside the intended working directory. File:
scripts/eda_analyzer.py:270Remediation: Validate that the provided file path is within an expected working directory. Use Path.resolve() and check that the resolved path starts with an allowed base directory. Reject paths containing '..' or absolute paths outside the project scope.
-
π΅ LOW
LLM_COMMAND_INJECTIONβ Python eval/exec Usage in Code Examples (Static Analyzer Flag)The static analyzer flagged a potential eval/exec usage in a Python code block within the skill's markdown files. After reviewing all code blocks in SKILL.md and references/api_reference.md, no actual eval() or exec() calls are present in the example code. The flag appears to be a false positive from the static analyzer. All Python examples use standard library calls (FlowData, create_fcs, numpy, pandas) without dynamic code execution. No actual threat is present. File:
SKILL.mdRemediation: No action required. The static analyzer flag is a false positive. Continue monitoring if new code examples are added to the skill. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe SKILL.md manifest does not declare an allowed-tools field. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be invoked when this skill is active. The skill instructs the agent to install packages via 'uv pip install flowio' and read internal reference files, which involves Bash and Read tool usage. Declaring allowed-tools would improve transparency and limit the skill's attack surface. File:
SKILL.mdRemediation: Add an explicit allowed-tools declaration to the YAML frontmatter, e.g., allowed-tools: [Read, Python, Bash] to document and restrict the tools this skill may use. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation via uv pip installThe skill instructs installation of the 'flowio' package without a pinned version (ev., 'uv pip install flowio'). Without a pinned version, the installed package could change over time, potentially introducing malicious or breaking changes if the package is compromised or updated unexpectedly. This is a supply chain risk, though low severity given flowio is a legitimate, established scientific library. File:
SKILL.mdRemediation: Pin the package version in the installation instruction, e.g., 'uv pip install flowio==0.9.0' or equivalent, to ensure reproducible and auditable installations.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility MetadataThe skill manifest does not specify the 'compatibility' field, which is informational metadata describing where the skill works (e.g., Claude.ai, Claude Code, API). While this is a minor documentation gap and not a security threat, it reduces transparency about the skill's intended deployment context. File:
SKILL.mdRemediation: Add compatibility and allowed-tools fields to the YAML frontmatter to improve transparency and allow agents to enforce tool restrictions appropriately. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Python eval/exec Usage in Code ExamplesThe static analyzer flagged a potential eval/exec usage in a Python code block within the skill's markdown files. After reviewing all referenced files, the code examples use standard Python constructs (numpy operations, h5py file access, matplotlib plotting) without any eval() or exec() calls. The flagged pattern may be a false positive from the static analyzer detecting dynamic method calls or string formatting in the parametric study examples. No actual eval/exec injection risk was identified in the reviewed content. File:
references/advanced_features.mdRemediation: The f-string template used to generate cluster job scripts embeds user-controlled loop variables (nu, nx) directly into script content written to files. While these variables originate from the skill's own parametric study loop (not user input), if this pattern were extended to accept user-provided values, it could enable code injection. Ensure that any values interpolated into generated scripts are validated and sanitized. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation Without Version ConstraintsThe installation instructions recommend installing fluidsim and its dependencies using 'uv pip install' without specifying exact version pins. This exposes the skill to supply chain risks where a compromised or malicious package version could be installed. The instructions show 'uv pip install fluidsim', 'uv pip install "fluidsim[fft]"', and 'uv pip install "fluidsim[fft,mpi]"' without version constraints. File:
references/installation.mdRemediation: Pin package versions explicitly (e.g., 'uv pip install fluidsim==0.7.3') to prevent unintended upgrades or supply chain attacks via malicious package versions. Consider providing a requirements.txt or pyproject.toml with pinned dependencies.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Traversal of Parent Directories When Searching for .env FileThe check_env_file() function walks up the entire directory tree from the current working directory to the filesystem root, searching for a .env file. This could inadvertently read an .env file from a parent directory that belongs to a different project or contains credentials not intended for this skill, potentially exposing unrelated secrets. File:
scripts/generate_image.py:22Remediation: Limit the .env file search to the current directory only, or at most one parent level. Document clearly which directories are searched so users understand the scope. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Third-Party Dependency (requests)The script imports the
requestslibrary without any version pinning or integrity verification. There is no requirements.txt or setup.py with a pinned version. An attacker who can influence the Python environment could substitute a malicious version of the requests library, potentially intercepting API keys or exfiltrating data. File:scripts/generate_image.py:100Remediation: Include a requirements.txt file with a pinned version (e.g.,requests==2.32.3) and optionally a hash check. Document the expected version in the skill's README. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Key Passed via Command-Line ArgumentThe script accepts the OpenRouter API key via a --api-key command-line argument. On most operating systems, command-line arguments are visible in process listings (e.g.,
ps aux), which could expose the API key to other users or processes on the same system. The .env file approach is safer, but the CLI option creates an unnecessary exposure vector. File:scripts/generate_image.py:270Remediation: Remove the --api-key CLI argument or document the risk clearly. Encourage users to use the .env file or environment variable approach exclusively. If the CLI option must remain, add a warning in the help text about process visibility risks.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md YAML frontmatter does not specify the 'allowed-tools' field. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. Given that the skill instructs the agent to run bash commands and Python code, declaring allowed tools would improve transparency and reduce the risk of unintended tool use. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools required (e.g., [Bash, Python, Read, Write]) to document intended capabilities and enable enforcement. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation Without Version ConstraintsThe SKILL.md installation instructions use 'uv pip install geniml' and 'uv pip install geniml[ml]' without pinning to a specific version. This means the agent could install any version of the package, including a potentially compromised future release. Additionally, a direct GitHub install from 'git+https://github.com/databio/geniml.git' is suggested without a commit hash or tag, which could pull in unreviewed code changes. File:
SKILL.mdRemediation: Pin package versions explicitly (e.g., 'geniml==0.3.0') and reference a specific commit hash or tag for GitHub installs (e.g., 'git+https://github.com/databio/geniml.git@v0.3.0'). -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Multiple Referenced Files Not Found in Skill PackageThe SKILL.md references numerous files that are not present in the skill package: templates/consensus_peaks.md, assets/region2vec.md, templates/utilities.md, templates/region2vec.md, scanpy.py, templates/bedspace.md, assets/scembed.md, assets/utilities.md, assets/consensus_peaks.md, templates/scembed.md, assets/bedspace.md, and geniml.py. Missing files could indicate an incomplete package or that the agent may attempt to fetch these from external sources at runtime, introducing supply chain risk. File:
SKILL.mdRemediation: Ensure all referenced files are bundled within the skill package. If files are intentionally omitted, remove references to them from SKILL.md to prevent confusion or unintended external fetching.
-
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Dependencies in Installation InstructionsThe skill instructs installation of multiple packages (geopandas, folium, mapclassify, pyarrow, psycopg2, geoalchemy2, contextily, cartopy) without version pinning. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be installed. File:
SKILL.mdRemediation: Pin all dependencies to specific versions (e.g., uv pip install geopandas==1.0.1) or provide a requirements.txt with pinned versions and hash verification to prevent supply chain compromise. -
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ Missing allowed-tools DeclarationThe SKILL.md manifest does not specify the allowed-tools field. While this field is optional per the agent skills specification, declaring it would help constrain the agent's tool usage and improve security posture by making explicit what tools are needed (Python execution, file read/write). File:
SKILL.mdRemediation: Add an explicit allowed-tools declaration to the YAML frontmatter, e.g., allowed-tools: [Python, Read, Write] to limit the agent to only the tools required for geospatial data analysis. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ PostGIS Connection String with Credentials in DocumentationThe data-io.md reference file includes example code showing database connection strings with placeholder credentials (user:password@host:port/database). While these are documentation examples with placeholder values, users following these examples may hardcode real credentials in their scripts. File:
references/data-io.mdRemediation: Add a note in the documentation advising users to use environment variables or secrets management tools (e.g., os.environ, .env files with python-dotenv) rather than hardcoding credentials in connection strings. -
π΅ LOW
LLM_PROMPT_INJECTIONβ Remote URL Data Loading Without Validation WarningThe data-io.md reference file documents reading spatial data directly from remote URLs (HTTP/HTTPS, S3, Azure Blob) without any guidance on validating the source or content. If a user provides a malicious URL, the agent could load and process attacker-controlled geospatial data containing crafted geometries or metadata. File:
references/data-io.mdRemediation: Add documentation guidance to validate URLs before loading, restrict to trusted sources, and warn users about loading geospatial data from untrusted remote sources. Consider adding URL allowlist validation in any wrapper scripts. -
π΅ LOW
LLM_COMMAND_INJECTIONβ eval/exec Usage in Code ExamplesStatic analysis flagged eval/exec usage in Python code blocks within the skill's markdown documentation. After reviewing the referenced files, the flagged patterns appear to be within legitimate GeoPandas documentation examples (e.g., affine_transform, standard data manipulation). No actual malicious eval/exec with user-controlled input was identified in the code examples. This is a low-severity informational finding as the code blocks are documentation examples, not executed scripts. File:
references/geometric-operations.mdRemediation: Review the specific code blocks flagged by static analysis to confirm no eval/exec with user-controlled input is present. The affine_transform call is a legitimate GeoPandas/Shapely API call, not a code injection risk.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest DeclarationThe YAML manifest does not declare an
allowed-toolsfield. The skill executes Python scripts and Bash commands (via subprocess), writes files to disk, and reads system information. Whileallowed-toolsis optional per the spec, its absence means there are no declared constraints on what tools the agent may use when invoking this skill, reducing transparency about the skill's operational scope. File:SKILL.mdRemediation: Add an explicitallowed-toolsdeclaration to the YAML frontmatter, such asallowed-tools: [Python, Bash], to clearly document the intended tool usage scope and enable enforcement of restrictions. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ System Information Disclosure via JSON Output FileThe skill collects and writes detailed system information (CPU architecture, processor model, memory details, disk usage, GPU information including driver versions and compute capabilities) to a
.claude_resources.jsonfile in the current working directory. While this is the stated purpose of the skill, the breadth of system fingerprinting data collected could be sensitive if the working directory is shared or accessible to other processes. The data includes OS version, Python version, CPU brand string, GPU driver versions, and compute capabilities β a comprehensive system profile. File:scripts/detect_resources.pyRemediation: Consider documenting clearly that the output file contains sensitive system fingerprinting data. Recommend users add.claude_resources.jsonto.gitignoreto prevent accidental commit of system details. The skill could also offer a privacy mode that omits detailed hardware identifiers. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Subprocess Execution of External System UtilitiesThe script invokes external system utilities (nvidia-smi, rocm-smi, sysctl, system_profiler) via subprocess.run(). While these are standard system tools and the commands are hardcoded (not user-controlled), the pattern of running external binaries introduces a dependency on PATH resolution. A malicious actor who can manipulate the PATH environment variable could potentially substitute a malicious binary named
nvidia-smi,rocm-smi,sysctl, orsystem_profiler. The risk is low given the controlled context, but worth noting. File:scripts/detect_resources.py:96Remediation: Use absolute paths for system utilities where possible (e.g.,/usr/bin/nvidia-smi,/usr/bin/sysctl) rather than relying on PATH resolution. Alternatively, validate the resolved binary path before execution. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded subprocess Timeout Risk on rocm-smiThe rocm-smi invocation uses a 5-second timeout, which is reasonable. However, the
system_profiler SPDisplaysDataTypecall on macOS uses a 10-second timeout and can be slow on systems with many displays or complex GPU configurations. In automated/agentic workflows where this skill is called repeatedly (as encouraged by the 'Re-run periodically' best practice), cumulative delays from slow system_profiler calls could impact workflow performance. This is a minor availability concern. File:scripts/detect_resources.py:163Remediation: Consider reducing the system_profiler timeout or making it configurable. Cache results when the skill is called multiple times within a short window to avoid repeated slow system calls.
-
π΅ LOW
LLM_COMMAND_INJECTIONβ eval/exec Usage Flagged in Static Analysis (Unverified in Provided Code)The static pre-scan flagged two instances of Python eval/exec usage (MDBLOCK_PYTHON_EVAL_EXEC) in the skill package. However, reviewing all provided script files (batch_sequence_analysis.py, gene_analysis.py, enrichment_pipeline.py) and the SKILL.md instruction body, no direct use of eval() or exec() is visible in the provided content. The flags may originate from code blocks within unreferenced markdown files (e.g., module_reference.md, database_info.md, workflows.md referenced in SKILL.md) or the missing gget.py file. Without access to those files, the risk cannot be fully assessed. If eval/exec is used with user-supplied input (e.g., sequence strings, gene names, file paths), this could constitute a command/code injection vector. File:
SKILL.mdRemediation: Audit all referenced markdown files and gget.py for eval/exec usage. Ensure no user-supplied input (gene names, sequences, file paths) is passed to eval() or exec(). Replace with safe alternatives where possible. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ COSMIC Credentials Passed via Command-Line ArgumentsThe SKILL.md instructions demonstrate passing COSMIC database credentials (email and password) directly as command-line arguments: 'gget cosmic -d --email user@example.com --password xxx'. Command-line arguments are typically visible in process listings (e.g., ps aux), shell history, and system logs, which could expose credentials to other users or processes on the same system. File:
SKILL.mdRemediation: Advise users to use environment variables or a credentials file instead of passing secrets as command-line arguments. Document this risk in the skill instructions. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ OpenAI API Key Exposed in Command-Line and Code ExamplesThe gget gpt module documentation shows the API key passed directly as a command-line argument and inline in Python code: 'gget gpt "Explain CRISPR" --api_key your_key_here' and 'gget.gpt("Explain CRISPR", api_key="your_key_here")'. This pattern encourages users to embed API keys in shell history, scripts, and notebooks where they may be inadvertently exposed. File:
SKILL.mdRemediation: Recommend using environment variables (e.g., OPENAI_API_KEY) rather than inline API keys. Update examples to demonstrate the secure pattern. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and compatibility MetadataThe skill manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the spec, their absence means there are no declared restrictions on which agent tools (Bash, Python, Read, Write, etc.) this skill may invoke. Given that the skill executes network requests to 20+ external databases, downloads large files (~4GB for AlphaFold), and writes output files, explicit tool declarations would improve transparency and allow agents to enforce appropriate restrictions. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python, Bash, Read, Write]' and a compatibility note to the YAML frontmatter to make the skill's capabilities explicit and auditable. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionsThe SKILL.md installation section instructs users to install gget without version pinning ('uv pip install --upgrade gget'), and the setup commands for optional modules (alphafold, cellxgene, elm, gpt) also install dependencies without version constraints. Unpinned installations are susceptible to supply chain attacks where a compromised or malicious package version could be installed automatically. File:
SKILL.mdRemediation: Pin gget and its dependencies to specific known-good versions (e.g., 'uv pip install gget==0.28.6'). Document tested version combinations for optional dependencies like openmm.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License and Compatibility MetadataThe SKILL.md manifest does not specify a license or compatibility field. While these are optional fields, their absence reduces transparency about the skill's intended usage scope and legal terms. File:
SKILL.mdRemediation: Add a license field (e.g., 'license: MIT') and a compatibility field describing supported platforms to improve transparency and provenance. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe SKILL.md manifest does not declare an allowed-tools field. While this field is optional, its absence means there are no declared restrictions on which agent tools this skill may invoke, reducing the ability to audit or constrain the skill's behavior. File:
SKILL.mdRemediation: Add an explicit allowed-tools field listing only the tools required for this skill's functionality (e.g., allowed-tools: [Read]) to enforce least-privilege access. -
π΅ LOW
LLM_HARMFUL_CONTENTβ Several Referenced Template and Asset Files Are MissingMultiple files referenced in the SKILL.md instructions are not present in the skill package: assets/cell-free-protein-expression-validation.md, assets/fluorescent-pixel-art-generation.md, assets/cell-free-protein-expression-optimization.md, templates/cell-free-protein-expression-optimization.md, templates/cell-free-protein-expression-validation.md, and templates/fluorescent-pixel-art-generation.md. This could lead to incomplete or misleading guidance if the agent attempts to reference these files. File:
SKILL.mdRemediation: Ensure all referenced files are included in the skill package, or remove references to files that do not exist. Validate the skill package is complete before distribution.
-
π΅ LOW
LLM_COMMAND_INJECTIONβ Python Code Blocks Flagged for eval/exec Usage (False Positive Context)The static pre-scan flagged two Python code blocks for eval/exec usage. Upon manual review of the instruction body, no actual eval() or exec() calls are present in the visible code. The flagged blocks appear to be standard Python using re, requests, list comprehensions, and string operations. This may be a false positive from the static analyzer, but is noted for completeness. If additional hidden code blocks exist in the 16 markdown files not shown, they should be reviewed. File:
SKILL.mdRemediation: Review all 16 markdown files in the skill package to confirm no eval/exec calls exist. If found, replace with safer alternatives such as ast.literal_eval for data parsing. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Unauthenticated External API Call to GlyConnectThe skill includes a Python function query_glyconnect() that makes an unauthenticated HTTP GET request to the GlyConnect ExPASy API (https://glyconnect.expasy.org/api/proteins/uniprot/{uniprot_id}). While this is a legitimate public bioinformatics database and the call is read-only, the UniProt ID is passed directly from user input into the URL without sanitization, creating a potential path traversal or URL injection risk if the input is not validated. File:
SKILL.mdRemediation: Validate the uniprot_id parameter against a strict regex pattern (e.g., ^[A-Z0-9]{6,10}$) before interpolating into the URL. Add timeout and error handling to the requests.get call. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License and Compatibility MetadataThe skill manifest does not specify a license (listed as 'Unknown') or compatibility information. While this is a LOW severity informational finding per the analysis framework, missing provenance metadata reduces auditability and makes it harder to assess the skill's trustworthiness and intended deployment scope. File:
SKILL.mdRemediation: Add a valid SPDX license identifier (e.g., MIT, Apache-2.0), specify compatibility (e.g., Claude.ai, Claude Code), and optionally declare allowed-tools to constrain the skill's tool access surface.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Overly Broad Skill Description Triggering Wide ActivationThe skill description is very broad, claiming to handle genomic regions, BED files, coverage tracks, overlap detection, tokenization for ML models, and fragment analysis. While this may reflect legitimate capabilities, such broad descriptions can cause the skill to be activated for a wide range of genomic queries, potentially displacing more specific or appropriate tools. File:
SKILL.mdRemediation: Narrow the description to the most specific use cases to avoid over-broad activation. Consider listing primary use cases rather than exhaustive ones. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation Without Version ConstraintsThe skill instructs installation of the 'gtars' package via pip/uv without specifying a pinned version. This means any future malicious or compromised version of the package could be installed automatically. The cargo install command also lacks version pinning for gtars-cli. File:
SKILL.mdRemediation: Pin package versions explicitly, e.g., 'pip install gtars==0.1.x' and 'cargo install gtars-cli --version 0.1.x'. This ensures reproducible and auditable installations. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Missing License and Compatibility MetadataThe skill manifest does not specify a license or compatibility field. This reduces transparency and makes it harder to audit the skill's provenance and intended deployment context. The skill-author field references 'K-Dense Inc.' but no license is declared. File:
SKILL.mdRemediation: Add explicit license (e.g., 'license: MIT') and compatibility fields to the YAML frontmatter to improve transparency and auditability. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Multiple Referenced Files Not Found in Skill PackageThe skill references numerous files (assets/tokenizers.md, templates/overlap.md, assets/coverage.md, gtars.py, assets/overlap.md, assets/cli.md, templates/coverage.md, templates/refget.md, assets/refget.md, assets/python-api.md, templates/python-api.md, templates/tokenizers.md, templates/cli.md) that are not present in the skill package. Missing referenced files could indicate an incomplete package or that the skill relies on external or dynamically fetched content. File:
SKILL.mdRemediation: Ensure all referenced files are bundled within the skill package. If files are intentionally omitted, remove references to them from the instructions to avoid confusion or potential future exploitation. -
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ Missing allowed-tools DeclarationThe skill does not declare an 'allowed-tools' field in the YAML manifest. While this field is optional, its absence means there are no declared restrictions on which agent tools (Bash, Python, Read, Write, etc.) can be used. The skill instructs execution of bash commands and Python code, so declaring allowed tools would improve security posture. File:
SKILL.mdRemediation: Add 'allowed-tools: [Bash, Python, Read, Write]' or the minimal set required to the YAML frontmatter to explicitly declare and limit tool usage.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe skill does not declare an allowed-tools field in the YAML manifest. The skill executes Python scripts (gap_analyzer.py) and reads files from the filesystem. Without an explicit allowed-tools declaration, there is no manifest-level constraint on what tools the agent may use, reducing transparency and auditability. File:
SKILL.mdRemediation: Add an explicit allowed-tools field to the YAML manifest listing the tools actually needed, e.g., allowed-tools: [Python, Read, Bash]. This improves transparency and allows enforcement of least-privilege tool access. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Skill Activation DescriptionThe skill description includes an extensive list of trigger keywords and use cases that could cause the skill to activate in a wide range of scenarios beyond its core purpose. The description explicitly lists multiple activation triggers including 'medical device regulations, QMS certification, FDA QMSR, EU MDR, or need help with quality system documentation.' While this is a legitimate documentation tool, the breadth of activation triggers is notable. File:
SKILL.mdRemediation: Narrow the activation description to the core use case. Avoid listing broad keyword triggers that could cause unintended activation in tangential conversations.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools MetadataThe skill does not specify the 'allowed-tools' field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be invoked. Given the skill's scope includes executing Python code examples and accessing cloud storage, documenting allowed tools would improve transparency. File:
SKILL.mdRemediation: Add an 'allowed-tools' field to the YAML frontmatter specifying the tools this skill requires, e.g., 'allowed-tools: [Read, Python]'. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility MetadataThe skill does not specify the 'compatibility' field in its YAML manifest. This is a minor documentation gap that reduces transparency about where the skill is intended to operate. File:
SKILL.mdRemediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Credential Handling in Setup Documentation References Environment Variables for Cloud CredentialsThe referenced setup-deployment.md file documents patterns for setting AWS and GCP credentials via environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GOOGLE_APPLICATION_CREDENTIALS). While this is standard practice and the documentation appropriately recommends using IAM roles over hardcoded keys, the skill instructs users to export credentials in shell commands. If an agent follows these instructions in an automated context, it could inadvertently expose credentials in shell history or logs. File:
references/setup-deployment.mdRemediation: The documentation already recommends IAM roles as best practice. Consider adding explicit warnings against using environment variable exports in automated/agent contexts and emphasizing IAM role-based authentication as the preferred approach. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionsThe setup documentation and SKILL.md instructions recommend installing packages without version pins (e.g., 'pip install lamindb', 'pip install lamindb[gcp,zarr,fcs]'). Unpinned installations are susceptible to supply chain attacks where a malicious version of a package could be published and automatically installed. File:
references/setup-deployment.mdRemediation: Pin package versions in installation instructions (e.g., 'pip install lamindb==0.x.y') or use a lockfile approach. The SKILL.md already mentions 'uv pip install' which is better, but version pinning should still be recommended.
- π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and compatibility metadataThe SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill may invoke, reducing transparency about the skill's intended scope. File:
SKILL.mdRemediation: Add explicit 'allowed-tools' and 'compatibility' fields to the YAML frontmatter to clearly document the skill's intended tool usage and environment compatibility.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing Compatibility MetadataThe skill does not declare a 'compatibility' field. The scripts make use of file I/O (writing .mplstyle files and PNG previews to disk), which may have implications depending on the execution environment. Declaring compatibility would help users understand where the skill is safe to run. File:
SKILL.mdRemediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments (e.g., 'Works locally with Python environment'). -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools MetadataThe skill does not declare an 'allowed-tools' field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be invoked. The scripts use Python execution and file write operations (saving .mplstyle files, saving PNG previews). Declaring allowed-tools would improve transparency. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python, Bash]' to the YAML frontmatter to explicitly declare the tools this skill uses.
- π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and compatibility metadataThe SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on what tools the agent may use when executing this skill. The skill executes Python code, reads files, and writes output files, so documenting these capabilities would improve transparency. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python, Bash]' and a 'compatibility' field to the YAML frontmatter to document the skill's tool requirements and environment compatibility.
-
π΅ LOW
LLM_COMMAND_INJECTIONβ Static Analyzer Flag: eval/exec in Python Code BlockThe static analyzer flagged a potential eval/exec usage in a Python code block within SKILL.md. Upon manual review of all code blocks in the instruction body, no actual use of eval(), exec(), or os.system() with user-controlled input was found. The flag may be a false positive triggered by string patterns in comments or documentation. All code blocks use standard OpenMM, MDAnalysis, and scientific Python APIs without dynamic code execution constructs. No exploitable command injection risk was identified. File:
SKILL.mdRemediation: No immediate action required. Verify the specific line flagged by the static analyzer to confirm it is a false positive. If any eval/exec is present, replace with safe alternatives. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and Compatibility MetadataThe SKILL.md manifest does not specify the allowed-tools or compatibility fields. While these fields are optional per the agent skills specification, their absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. Given that the skill instructs the agent to run GPU-accelerated MD simulations and write output files (PDB, DCD, log files), declaring allowed-tools would improve transparency and reduce the risk of unintended tool use. File:
SKILL.mdRemediation: Add allowed-tools (e.g., [Python, Bash, Read, Write]) and compatibility fields to the YAML frontmatter to clearly declare the skill's intended tool usage scope. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Dependencies in Installation InstructionsThe installation instructions recommend installing openmm, mdanalysis, nglview, openff-toolkit, and related packages without version pins. Unpinned dependencies are susceptible to supply chain attacks where a malicious package version could be published and automatically installed. This is a low-severity informational finding given the packages are well-known scientific libraries, but version pinning is a security best practice. File:
SKILL.mdRemediation: Pin dependency versions in installation instructions (e.g., pip install openmm==8.1.1 mdanalysis==2.7.0). Consider providing a requirements.txt or conda environment.yml with pinned versions for reproducibility and supply chain safety.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and compatibility MetadataThe SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill may invoke. Given the skill installs packages and executes Python code, declaring tool restrictions would improve security posture. File:
SKILL.mdRemediation: Add 'allowed-tools' to the YAML frontmatter to explicitly declare which tools are needed (e.g., Bash for pip install, Python for featurization). This helps enforce least-privilege and makes the skill's capabilities transparent. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation in InstructionsThe SKILL.md instructions recommend installing molfeat and its optional dependencies without pinned version numbers (e.g., 'uv pip install molfeat', 'uv pip install "molfeat[all]"'). Unpinned dependencies are susceptible to supply chain attacks where a malicious version could be published to PyPI and automatically installed. File:
SKILL.mdRemediation: Pin package versions in installation instructions (e.g., 'uv pip install molfeat==0.x.y'). Consider using a requirements.txt or pyproject.toml with locked versions and hash verification for production deployments. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Use of eval/exec in Python Code BlocksThe static analyzer flagged a Python code block using eval/exec. Reviewing the skill content, the references/examples.md file contains code patterns that could involve dynamic code execution. However, in context, the code blocks appear to be legitimate ML workflow examples (e.g., model training, featurization pipelines). No direct eval/exec with user-controlled input was identified in the reviewed content, but the flagged pattern warrants noting. File:
references/examples.mdRemediation: Review the specific code block flagged by the static analyzer to confirm no eval/exec is used with unsanitized user input. If eval/exec is present, replace with safer alternatives such as explicit function calls or whitelisted dispatch tables.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing Referenced Script FilesThe skill references several files that are not present in the package: assets/io.md, templates/visualization.md, assets/visualization.md, templates/generators.md, matplotlib.py, templates/graph-basics.md, assets/algorithms.md, templates/algorithms.md, templates/io.md, networkx.py, assets/graph-basics.md, assets/generators.md. Notably, networkx.py and matplotlib.py are referenced but absent. If these files were expected to be present and contain executable code, their absence could indicate an incomplete or tampered package. The missing Python files (networkx.py, matplotlib.py) are of particular concern as they could have contained malicious code that was removed before submission, or the skill may attempt to load them at runtime. File:
SKILL.mdRemediation: Ensure all referenced files are included in the skill package. Audit the skill to confirm that networkx.py and matplotlib.py are not expected to be loaded or executed at runtime. If these are placeholder references, remove them from the documentation to avoid confusion. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Skill Description and Activation ScopeThe skill description is very broad, claiming applicability to 'social networks, biological networks, transportation systems, citation networks, knowledge graphs, or any system involving relationships between entities.' While this accurately reflects NetworkX's capabilities, the extremely broad activation criteria ('any domain involving pairwise relationships') could cause the skill to be invoked in a very wide range of contexts, potentially displacing more specialized skills. File:
SKILL.mdRemediation: Consider narrowing the activation criteria to be more specific about when this skill should be invoked versus general Python data analysis tasks. This is a minor concern as the description does accurately reflect the library's scope. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Python eval/exec Usage in Code ExamplesThe static analyzer flagged a Python code block using eval/exec within the skill's reference documentation. Reviewing the referenced files, the references/io.md file contains a pickle deserialization pattern (pickle.load) which can execute arbitrary code when loading untrusted pickle files. While this is presented as educational documentation rather than an executable script, the skill instructs the agent to follow these patterns, and pickle deserialization of untrusted data is a well-known arbitrary code execution vector. File:
references/io.mdRemediation: Add a clear warning in the documentation that pickle files should only be loaded from trusted sources, as pickle.load() can execute arbitrary code. Consider recommending safer serialization formats (GraphML, JSON) as the default, with pickle noted as a Python-only option with explicit security caveats.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Multiple Referenced Asset and Template Files Not FoundA large number of files referenced in the SKILL.md instructions (assets/emg.md, templates/eeg.md, assets/ecg_cardiac.md, assets/eog.md, templates/emg.md, templates/eog.md, templates/complexity.md, assets/complexity.md, templates/bio_module.md, templates/hrv.md, templates/eda.md, assets/eeg.md, assets/eda.md, templates/signal_processing.md, assets/rsp.md, templates/ecg_cardiac.md, assets/signal_processing.md, assets/bio_module.md, templates/epochs_events.md, assets/epochs_events.md, assets/hrv.md, templates/rsp.md) are not present in the skill package. While this is primarily a packaging/completeness issue, if the agent attempts to resolve these missing files by fetching them from external sources or user-provided paths, it could expose the agent to indirect prompt injection or data exposure risks. File:
SKILL.mdRemediation: Include all referenced files in the skill package, or remove references to files that do not exist. Ensure the agent does not attempt to resolve missing internal references by fetching content from external URLs or user-supplied paths. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Overly Broad Skill Description Inflating Activation ScopeThe skill description is extremely broad, listing a large number of physiological signal types, analysis domains, and application areas. While this may reflect the genuine scope of the NeuroKit2 library, the description is crafted to maximize keyword coverage (ECG, EEG, EDA, RSP, PPG, EMG, EOG, HRV, ERP, complexity, autonomic, psychophysiology, etc.), which could cause the agent to activate this skill for a very wide range of queries beyond what is strictly necessary. This is a mild capability inflation concern. File:
SKILL.mdRemediation: Consider scoping the description more precisely to the core use cases rather than enumerating every possible signal type and application domain. This reduces unnecessary skill activation for tangential queries. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation in SKILL.mdThe SKILL.md instructions recommend installing neurokit2 using 'uv pip install neurokit2' without specifying a version pin. This means the agent will always install the latest available version, which could introduce breaking changes or, in a supply chain attack scenario, a compromised version of the package. Additionally, a development version install directly from GitHub is suggested without any commit hash or tag pinning. File:
SKILL.mdRemediation: Pin the package to a specific known-good version: 'uv pip install neurokit2==0.2.9' (or current stable). For the GitHub install, reference a specific commit hash or release tag rather than the 'dev' branch tip. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Missing Script File Referenced in Instructions (neurokit2.py)The SKILL.md instructions reference a file 'neurokit2.py' which was not found in the skill package. This missing file could indicate an incomplete package, or it could be a placeholder that the agent is expected to create or locate. If the agent attempts to execute or load this file from an external or user-controlled source, it could introduce supply chain or code injection risks. Currently the file is simply absent, which is a low-severity packaging concern. File:
SKILL.mdRemediation: Either include the neurokit2.py file in the skill package with its intended content, or remove the reference from the instructions if it is not needed. Do not allow the agent to fetch this file from external sources.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Keyword Activation in DescriptionThe skill description contains an extensive list of trigger keywords ('Neuropixels, SpikeGLX, Open Ephys, Kilosort, quality metrics, or unit curation') designed to maximize activation frequency. While these are legitimate domain terms, the explicit instruction to 'Use when working with neural recordings, spike sorting, extracellular electrophysiology, or when the user mentions [keywords]' is a broad activation directive that could cause the skill to activate in many tangential contexts. File:
SKILL.mdRemediation: Narrow the activation criteria to specific, well-defined use cases rather than broad keyword matching. This is a minor concern for a legitimate domain-specific skill. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Dependencies in Installation InstructionsThe SKILL.md installation section installs multiple packages without version pins (e.g., 'pip install spikeinterface[full]', 'pip install kilosort', 'pip install anthropic'). Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be installed. This is particularly concerning for the 'neuropixels-analysis' package itself, which is an unknown third-party package. File:
SKILL.mdRemediation: Pin all dependencies to specific verified versions (e.g., 'pip install spikeinterface==0.101.0'). Verify the 'neuropixels-analysis' package provenance before installation. Consider using a requirements.txt with hashed dependencies. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unknown Third-Party Package 'neuropixels-analysis'The skill imports and relies on 'neuropixels-analysis' (imported as 'npa'), which is an unverified third-party package. The skill author is 'K-Dense Inc.' but the package's provenance, maintainership, and security posture are unknown. All scripts and instructions delegate significant functionality to this package (npa.run_pipeline, npa.preprocess, npa.analyze_unit_visually, etc.) without any verification of its integrity. File:
SKILL.mdRemediation: Verify the 'neuropixels-analysis' package is from a trusted source with a known maintainer. Review its source code before use. Consider pinning to a specific version and verifying checksums. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Key Handling in AI Curation ReferenceThe references/AI_CURATION.md file shows example code with hardcoded API key placeholders ('api_key="your-api-key"') for both Anthropic and OpenAI clients. While these are placeholder examples, the pattern encourages users to hardcode API keys directly in scripts rather than using environment variables or secure credential management. File:
references/AI_CURATION.mdRemediation: Update examples to use environment variables (e.g., 'Anthropic()' without explicit api_key, relying on ANTHROPIC_API_KEY env var, or 'api_key=os.environ["ANTHROPIC_API_KEY"]'). Add a note warning against hardcoding credentials. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded Parallel Job Configuration (n_jobs=-1)Multiple scripts and templates use 'n_jobs=-1' as the default, which instructs the system to use all available CPU cores. While this is a common pattern in scientific computing, it can cause resource exhaustion on shared systems or in constrained environments. The neuropixels_pipeline.py also hardcodes 'n_jobs=8' in several places without checking available resources. File:
scripts/neuropixels_pipeline.pyRemediation: Add resource checks before setting n_jobs. Consider defaulting to a more conservative value (e.g., n_jobs=4) or dynamically determining based on available system resources. Document the resource implications clearly.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing License and Compatibility MetadataThe skill manifest declares 'license: Unknown' and does not specify compatibility information. This missing provenance information makes it difficult to assess the trustworthiness and intended deployment scope of the skill. The skill-author is listed as 'K-Dense Inc.' but without a license, users cannot determine usage rights or liability. File:
SKILL.mdRemediation: Specify a valid open-source license (e.g., MIT, Apache 2.0) and document compatibility requirements (Python version, OMERO server version, supported platforms). This improves transparency and trust. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package InstallationThe skill's installation instructions use 'uv pip install omero-py' without specifying a version pin. This means the agent may install any version of omero-py, including potentially compromised future versions. Additionally, omero-py has a complex dependency chain including Zeroc Ice 3.6+, and unpinned dependencies could introduce supply chain risks. File:
SKILL.mdRemediation: Pin the omero-py package to a specific known-good version (e.g., 'uv pip install omero-py==5.19.1'). Document the tested version and provide a requirements.txt or pyproject.toml with pinned dependencies for reproducible installations. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Admin Credential Exposure Risk in Advanced OperationsThe references/advanced.md and references/connection.md files document administrator-level operations including substitute user connections (suConn), cross-group queries with group ID -1, and listing all users/groups. If the agent assists a user in writing scripts using these patterns, it could inadvertently help expose sensitive administrative credentials or enable unauthorized cross-group data access. The admin password is shown in example code patterns. File:
references/advanced.mdRemediation: Add explicit warnings in the skill instructions that admin operations should only be performed by authorized administrators, and that admin credentials must never be hardcoded. Include guidance on proper credential management for administrative scripts. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Credential Handling in Code ExamplesMultiple reference files (references/connection.md, references/data_access.md, references/image_processing.md, references/advanced.md, references/metadata.md, references/tables.md, references/rois.md) contain hardcoded placeholder credentials in example code (USERNAME = 'user', PASSWORD = 'pass', HOST = 'omero.example.com'). While these are clearly placeholders in documentation examples, the skill also explicitly shows a pattern of loading credentials from YAML config files and environment variables. If the agent generates code following the hardcoded pattern rather than the environment variable pattern, real credentials could end up hardcoded in generated scripts. File:
references/connection.mdRemediation: Emphasize in the skill instructions that credentials must always be sourced from environment variables or secure configuration files, never hardcoded. The skill should instruct the agent to always use the environment variable pattern (os.environ.get) when generating connection code for users. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Python eval/exec Usage in Code ExamplesThe static analyzer flagged a potential eval/exec usage in the Python code blocks within the reference files. Reviewing the actual content, the code blocks in references/scripts.md, references/data_access.md, references/rois.md, references/image_processing.md, references/advanced.md, references/connection.md, references/metadata.md, and references/tables.md do not contain direct eval() or exec() calls. However, the skill instructs the agent to generate and execute OMERO Python scripts, which could include dynamic code execution patterns. The skill's batch processing and server-side script creation capabilities (references/scripts.md) involve running arbitrary Python code on OMERO servers, which carries inherent code injection risk if user-supplied parameters are not properly sanitized. File:
references/scripts.mdRemediation: Ensure that any user-supplied parameters (image IDs, dataset IDs, thresholds) are validated and sanitized before being used in OMERO API calls or script generation. Avoid constructing dynamic queries or code strings from user input.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License and Compatibility MetadataThe skill manifest does not specify a license or compatibility field. While not a direct security threat, missing provenance metadata reduces auditability and trustworthiness of the skill package. The skill-author is listed as 'K-Dense Inc.' but no license is declared. File:
SKILL.mdRemediation: Add explicit license (e.g., MIT, Apache-2.0) and compatibility fields to the YAML frontmatter to improve transparency and auditability. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Referenced Files Not Found (opentrons.py, templates/api_reference.md, assets/api_reference.md)The SKILL.md instructions reference 'references/api_reference.md' (found), but also reference 'opentrons.py', 'templates/api_reference.md', and 'assets/api_reference.md' which were not found in the skill package. Missing referenced files could indicate an incomplete package or could cause the agent to attempt to locate these files from unexpected locations. File:
SKILL.mdRemediation: Remove references to non-existent files from SKILL.md, or include the missing files in the skill package. Ensure all referenced resources are bundled within the skill directory. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Missing allowed-tools DeclarationThe skill does not declare an allowed-tools field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools this skill can invoke. The skill instructs the agent to write and execute Python protocols, which could involve file writes and code execution. File:
SKILL.mdRemediation: Add an explicit allowed-tools declaration (e.g., [Python, Read, Write]) to document and constrain the intended tool usage scope. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Static Analyzer Flag: eval/exec in Python Code BlocksThe static pre-scan flagged a MDBLOCK_PYTHON_EVAL_EXEC finding, indicating a Python code block in the skill uses eval or exec. After reviewing all provided script files and the SKILL.md instruction body, no direct use of eval() or exec() with user-controlled input was found in the actual script files. The flag may refer to documentation examples or the api_reference.md content. No exploitable command injection pattern was identified in the provided code. File:
references/api_reference.mdRemediation: Verify that no eval/exec calls exist in any bundled scripts. If the static analyzer flagged a specific line, review that file carefully. Ensure user-supplied input is never passed to eval/exec in any protocol template.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License and Compatibility MetadataThe skill manifest does not specify a license or compatibility field. While this is a LOW severity informational finding per the spec (allowed-tools is also unspecified), the absence of provenance metadata (no license, no compatibility declaration) reduces transparency about the skill's intended operating environment and legal terms. The author field is present ('K-Dense, Inc.') but incomplete metadata makes supply chain verification harder. File:
SKILL.mdRemediation: Add license, compatibility, and allowed-tools fields to the YAML frontmatter to improve transparency and allow agents to enforce tool restrictions. -
π΅ LOW
LLM_PROMPT_INJECTIONβ Large Number of Missing Referenced Files Creates Unverifiable Trust SurfaceThe skill references a very large number of files (50+) that do not exist in the package, including templates/, assets/, and various .py files (scipy.py, sklearn.py, geopandas.py, matplotlib.py, etc.). While the core references/ directory files are present and appear legitimate, the missing files represent an unverifiable trust surface. If these files were later added with malicious content, the skill's instructions direct the agent to read and follow them before writing code. The instruction 'Read the specific reference before writing code' means any content placed in these files would be treated as authoritative guidance. File:
SKILL.mdRemediation: Remove references to non-existent files from the skill instructions. Only reference files that are bundled with the skill package. Audit all referenced file paths before deployment. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Activation Triggers in Skill DescriptionThe skill description is extremely broad, claiming to activate not only when users explicitly request GPU acceleration but also 'when you see CPU-bound Python code (loops, large arrays, ML pipelines, graph analytics, image processing) that would benefit from GPU acceleration, even if not explicitly requested.' This over-broad activation trigger means the skill will attempt to inject itself into a wide range of general Python coding conversations without user intent, inflating its perceived relevance and activation frequency beyond what is appropriate. File:
SKILL.mdRemediation: Restrict activation triggers to explicit user requests for GPU acceleration. Remove the clause that activates the skill without explicit user request. Activation should require clear user intent. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Use of Extra Index URL from Third-Party NVIDIA PyPI RegistryAll RAPIDS package installations use '--extra-index-url=https://pypi.nvidia.com', which is a third-party package index. While this is the official NVIDIA RAPIDS distribution channel, the skill does not pin package versions (e.g., 'cudf-cu12' with no version pin). Unpinned packages from a third-party index introduce supply chain risk: a compromised or updated package at that index could introduce malicious code. This is a low-severity concern given the source is NVIDIA's official index, but the lack of version pinning is a supply chain hygiene issue. File:
SKILL.mdRemediation: Pin package versions explicitly (e.g., 'cudf-cu12==26.02.00') to prevent unexpected updates. Document the expected version in the skill manifest or a requirements file.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Keys Loaded from Environment and .env Without Sanitization GuidanceThe skill instructs the agent to load API keys from environment variables (e.g., $NCBI_API_KEY, $CORE_API_KEY, $S2_API_KEY, $OPENALEX_API_KEY) and fall back to a .env file in the current working directory. While this is a common pattern, the instructions do not specify any validation or sanitization of these values before use. If a malicious .env file is present in the working directory, the agent could inadvertently use attacker-controlled API keys or credentials. Additionally, the skill instructs the agent to include email addresses in API requests (for Crossref polite pool and Unpaywall), which could expose user PII to third-party services. File:
SKILL.mdRemediation: Add guidance to validate that loaded keys match expected formats before use. Warn users that .env files in the working directory will be read. Clarify the privacy implications of sending email addresses to third-party APIs and obtain user consent before doing so. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing License and Compatibility MetadataThe skill does not specify a license or compatibility field in the YAML manifest. While these are optional fields, their absence reduces transparency about the skill's provenance, intended deployment environments, and usage rights. The skill-author is listed as 'K-Dense Inc.' but without a license, users cannot determine the terms under which the skill may be used or redistributed. File:
SKILL.mdRemediation: Add a license field (e.g., MIT, Apache-2.0) and a compatibility field listing supported platforms. This improves transparency and helps users understand the skill's intended deployment context. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Claims and Keyword Baiting in DescriptionThe skill description contains an extensive list of trigger keywords and use cases ('Triggers on mentions of any supported database or requests like "find papers on X" or "look up this DOI"'). While the skill does appear to legitimately cover these databases, the explicit enumeration of trigger phrases in the description is a pattern associated with capability inflation and activation abuse β designed to maximize how often the skill is invoked. The description is unusually broad and keyword-dense compared to what is needed for a functional description. File:
SKILL.mdRemediation: Trim the description to a concise functional summary. Avoid embedding explicit trigger phrases in the description field, as this can be used to manipulate skill activation frequency. -
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ Many Referenced Files Are Missing from the Skill PackageThe skill references numerous files in assets/, templates/, and references/ directories, but many of these files are not present in the skill package (e.g., assets/openalex.md, templates/semantic-scholar.md, assets/biorxiv.md, etc.). Only a subset of the references/ files are present. Missing reference files could cause the agent to fail silently or attempt to fetch instructions from alternative sources. More critically, if an attacker could place files at these expected paths, they could inject malicious instructions that the agent would treat as trusted reference material. File:
SKILL.mdRemediation: Ensure all referenced files are included in the skill package. Document which files are optional vs required. Consider adding a manifest check or graceful fallback when reference files are missing, rather than allowing the agent to proceed without them. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Python eval/exec Usage Detected in Referenced Markdown Code BlockThe static pre-scan flagged a Python code block in the referenced files that uses eval or exec. Reviewing the referenced files, the OpenAlex reference file (references/openalex.md) contains a Python code snippet for reconstructing abstract inverted indexes. While this snippet appears benign and is presented as documentation/example code rather than executable instructions, the presence of eval/exec patterns in skill reference files warrants attention. If the agent were to execute code blocks found in reference files without validation, this could be exploited. File:
references/openalex.mdRemediation: Confirm that the flagged eval/exec usage is only in documentation examples and not in executable scripts. Ensure the agent does not blindly execute code blocks found in reference files. The reconstruct() function itself appears safe, but the pattern should be reviewed in context of all reference files.
-
π΅ LOW
LLM_COMMAND_INJECTIONβ Static Analyzer Flagged Python eval/exec in Markdown Code BlockThe pre-scan static analyzer reported a finding 'MDBLOCK_PYTHON_EVAL_EXEC' indicating a Python code block in one of the 13 markdown files uses eval/exec. However, reviewing the provided SKILL.md instruction body, no such code block is visible in the supplied content. This may be a false positive from the static analyzer triggered by documentation examples, or it may exist in one of the other 12 markdown files not provided for review. If eval/exec is present in any executable code block that the agent might run, it could represent a command injection risk. File:
SKILL.mdRemediation: Review all 13 markdown files in the skill package to locate the code block containing eval/exec. If it is in an instructional/documentation context only and not executed by the agent, it is likely a false positive. If it is in an executable context, replace eval/exec with safe, explicit alternatives and validate all inputs before processing. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Authentication Credential Handling via CLI LoginThe skill instructs users to run 'pz login' to authenticate with the Paperzilla service. The skill does not document how credentials are stored, whether they are stored securely (e.g., OS keychain vs. plaintext config file), or what data is transmitted during authentication. If the CLI stores credentials in a plaintext file (e.g., ~/.config/pz/credentials), other processes or skills could read them. This is a low-severity informational concern given the CLI is from the skill author. File:
SKILL.mdRemediation: Document how 'pz login' stores credentials and ensure the CLI uses OS-level secure storage (keychain/credential manager). Avoid storing tokens in plaintext configuration files. The PZ_API_URL environment variable should be validated to prevent redirection to attacker-controlled servers. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned External CLI Installation via Homebrew, Scoop, and GitHubThe skill instructs installation of the 'pz' CLI via Homebrew tap (paperzilla-ai/tap/pz), Scoop bucket from GitHub (https://github.com/paperzilla-ai/scoop-bucket), and a GitHub source repository (https://github.com/paperzilla-ai/pz). None of these installation methods pin to a specific version or hash. A compromised tap, scoop bucket, or GitHub repository could deliver a malicious binary to the user's machine without detection. The skill also references 'pz update' which auto-updates the CLI, further expanding the supply chain attack surface. File:
SKILL.mdRemediation: Pin CLI installations to specific verified versions (e.g., brew install paperzilla-ai/tap/pz@1.2.3). Document expected version hashes or checksums. Advise users to verify the integrity of the CLI binary before use. Consider providing signed releases with verifiable provenance.
-
π΅ LOW
LLM_COMMAND_INJECTIONβ Static Analyzer Flagged eval/exec Usage in Markdown Code BlocksThe pre-scan static analyzer flagged multiple instances of MDBLOCK_PYTHON_EVAL_EXEC in the SKILL.md markdown code blocks. Review of the visible code blocks does not reveal explicit eval/exec calls in the instructional examples, but the static analyzer detected them. If any code block examples use eval/exec with user-controlled input (e.g., from PDF metadata or extracted text), this could lead to code injection when the agent executes those examples. File:
SKILL.mdRemediation: Audit all Python code blocks in SKILL.md for any use of eval(), exec(), or similar dynamic execution functions. Remove or replace any such patterns with safe alternatives. Ensure that PDF metadata, extracted text, or user-provided filenames are never passed to eval/exec. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Proprietary License Without Disclosed TermsThe skill declares 'Proprietary. LICENSE.txt has complete terms' but no LICENSE.txt content is provided or analyzed. This opacity could conceal data collection, telemetry, or usage restrictions that affect user privacy and security. Users cannot assess what rights or obligations apply. File:
SKILL.mdRemediation: Include the full LICENSE.txt content in the skill package and make it accessible. Prefer open-source licenses for transparency. At minimum, ensure the license does not permit data collection or exfiltration. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Skill Description Triggers Excessive ActivationThe skill description is extremely broad: 'Use this skill whenever the user wants to do anything with PDF files... If the user mentions a .pdf file or asks to produce one, use this skill.' This maximally broad activation trigger could cause the skill to be invoked for any PDF-related mention, including benign or unrelated contexts, inflating its activation scope beyond what is necessary. File:
SKILL.mdRemediation: Narrow the activation description to specific, well-defined use cases rather than 'anything with PDF files' or 'any mention of .pdf'. This reduces unintended activation and limits the skill's attack surface. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Python Dependencies Installed Without Version PinsThe SKILL.md instructions reference multiple Python libraries (pypdf, pdfplumber, reportlab, pytesseract, pdf2image, pandas) without specifying pinned versions. The pre-scan also flagged referenced files (pypdf.py, pdf2image.py, etc.) as not found, suggesting these are external dependencies. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version could be installed. File:
SKILL.mdRemediation: Pin all dependency versions (e.g., 'pip install pytesseract==0.3.10 pdf2image==1.17.0'). Consider using a requirements.txt with hashed dependencies for reproducible and secure installs. -
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ Missing allowed-tools DeclarationThe skill does not declare an 'allowed-tools' field in its YAML manifest. While this field is optional per the spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may use. Given the skill executes Python scripts that write files, read PDFs, and run shell commands, explicit tool declarations would improve security posture and auditability. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' declaration listing only the tools required (e.g., [Python, Bash, Read, Write]) to limit the skill's operational scope and make its capabilities auditable.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools MetadataThe skill manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, documenting which tools are required (Python, Bash for installation commands) would improve transparency and security posture. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python, Bash]' to the YAML frontmatter to explicitly declare the tools this skill requires. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility MetadataThe skill manifest does not specify the 'compatibility' field, which would indicate which platforms or environments the skill is designed to work with. File:
SKILL.mdRemediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments (e.g., 'Claude.ai, Claude Code, API'). -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionsThe skill instructs users to install packages using 'uv pip install pennylane' and various plugins without version pinning. This could expose users to supply chain attacks if a malicious version is published to PyPI. File:
SKILL.mdRemediation: Pin package versions in installation instructions (e.g., 'uv pip install pennylane==0.38.0') to prevent inadvertent installation of malicious or breaking versions. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Token Hardcoding Pattern Demonstrated in ExamplesThe devices_backends.md reference file shows example code with placeholder API tokens and credentials passed directly as string arguments (ibmqx_token, api_key, subscription_id). While these are placeholders, the pattern encourages users to hardcode credentials in their code rather than using environment variables or secure credential stores. File:
references/devices_backends.mdRemediation: Update example code to demonstrate secure credential handling using environment variables (e.g., os.environ.get('IBMQ_TOKEN')) rather than inline string placeholders that encourage hardcoding. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installations in Reference FilesMultiple reference files (references/devices_backends.md, references/advanced_features.md) also contain unpinned 'uv pip install' commands for hardware plugins and Catalyst. Consistent lack of version pinning across all documentation increases supply chain risk. File:
references/devices_backends.mdRemediation: Pin all package versions in installation instructions across all reference files.
-
π΅ LOW
LLM_PROMPT_INJECTIONβ Missing Referenced Files May Allow Substitution with Malicious ContentSeveral referenced files are missing from the skill package: polars_bio.py, polars.py, templates/pileup_operations.md, assets/file_io.md, assets/sql_processing.md, assets/interval_operations.md, templates/interval_operations.md, templates/file_io.md, assets/pileup_operations.md, templates/sql_processing.md. If these files are later added by a third party or resolved from an unexpected location, they could introduce malicious instructions. The skill references these files as authoritative documentation sources, creating a trust delegation risk. File:
SKILL.mdRemediation: Remove references to non-existent files, or ensure all referenced files are bundled with the skill package. Audit any files added to the package in the future before deployment. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Claims in DescriptionThe skill description claims to be a 'faster bioframe alternative' and lists extensive capabilities (cloud-native, streaming, SQL interface, 8 file formats, multiple interval operations). While these may be accurate for the underlying library, the skill itself contains no executable scripts and relies entirely on the polars-bio Python package. The description may inflate perceived capabilities beyond what the skill itself provides, potentially triggering unwanted activation for genomic tasks where the library isn't installed. File:
SKILL.mdRemediation: Clarify that the skill provides guidance and code examples for the polars-bio library, and that the library must be installed separately. Add installation prerequisites to the description. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Cloud Credential Exposure via Environment VariablesThe file_io.md reference explicitly instructs users to configure cloud credentials via environment variables (AWS_ACCESS_KEY_ID, GOOGLE_APPLICATION_CREDENTIALS) for authenticated cloud storage access. While this is standard practice, the skill provides no warnings about credential security, secret management, or the risks of exposing credentials in code or shell history. Code examples show direct cloud URI usage without any security caveats. File:
references/file_io.mdRemediation: Add security guidance around credential management: recommend using credential managers, IAM roles, or secrets managers rather than raw environment variables. Warn against hardcoding credentials in scripts.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe skill does not declare an allowed-tools field in its YAML manifest. The skill executes Python scripts, Bash commands (soffice, pdftoppm), and performs file system operations including reading, writing, and deleting files. Without an explicit allowed-tools declaration, there is no manifest-level constraint on what tools the agent may use when executing this skill. File:
SKILL.mdRemediation: Add an explicit allowed-tools declaration to the YAML manifest listing the tools actually needed: [Bash, Python, Read, Write]. This provides transparency and allows runtime enforcement of tool restrictions. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Overly Broad Skill Activation DescriptionThe skill description is extremely broad and instructs the agent to activate 'any time a .pptx file is involved in any way' and to 'trigger whenever the user mentions deck, slides, presentation, or references a .pptx filename, regardless of what they plan to do with the content afterward.' This over-broad activation scope could cause the skill to be invoked in contexts where it is not needed or appropriate, potentially consuming resources unnecessarily or interfering with other skills. File:
SKILL.mdRemediation: Narrow the activation criteria to cases where actual PPTX file creation, editing, or parsing is required. Avoid triggering on casual mentions of presentation-related terms when no file operation is needed. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package DependenciesThe skill's dependency section specifies packages without version pins (e.g., 'pip install markitdown[pptx]', 'pip install Pillow', 'npm install -g pptxgenjs'). Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be installed. This is particularly relevant for npm global installs which have broad system access. File:
SKILL.mdRemediation: Pin all dependencies to specific verified versions (e.g., 'pip install markitdown[pptx]==0.x.x', 'npm install -g pptxgenjs@3.x.x'). Consider using a requirements.txt or package.json with locked versions and integrity hashes. -
π΅ LOW
LLM_COMMAND_INJECTIONβ Python eval/exec Usage in Validator CodeThe static analyzer flagged a potential eval/exec usage in the Python code blocks. Upon review, the actual scripts use defusedxml.minidom for XML parsing (a security-hardened library) and lxml.etree for validation. No direct eval() or exec() calls were found in the reviewed scripts. The flag may be a false positive from pattern matching on code examples within markdown documentation blocks (e.g., pptxgenjs.md contains JavaScript code blocks that could trigger Python-pattern scanners). No actual dangerous eval/exec usage was identified in the Python scripts. File:
scripts/office/validators/base.pyRemediation: No action required. The static analyzer finding appears to be a false positive. Continue using defusedxml for XML parsing as currently implemented.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe skill does not declare an 'allowed-tools' field in its YAML manifest. While this is optional per the spec, the skill executes Python scripts, reads/writes files, and performs network-adjacent operations (pip install, external documentation links). Declaring allowed tools improves transparency and auditability. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' field to the YAML frontmatter, e.g., allowed-tools: [Python, Bash, Read, Write] -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Dependency InstallationThe installation instruction uses 'uv pip install pydeseq2' without pinning a specific version. This could allow a compromised or malicious version of the pydeseq2 package to be installed if the package registry is compromised or if a typosquatting package exists. File:
SKILL.mdRemediation: Pin the dependency to a specific known-good version, e.g., 'uv pip install pydeseq2==0.4.1'. Also consider verifying package integrity via hash checking. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Pickle Deserialization of Potentially Untrusted DataThe skill saves and loads DeseqDataSet objects using Python's pickle module. Pickle deserialization of untrusted data can lead to arbitrary code execution. While the current usage appears to serialize/deserialize locally generated objects, the workflow guide also shows loading from user-provided pickle files, which could be malicious. File:
scripts/run_deseq2_analysis.py:175Remediation: Avoid loading pickle files from untrusted sources. Document clearly that pickle files should only be loaded from trusted, locally-generated sources. Consider using safer serialization formats (e.g., HDF5/AnnData .h5ad) for data exchange.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md YAML frontmatter does not specify the 'allowed-tools' field. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools this skill can invoke. The skill executes Python scripts, reads/writes files, and installs packages, so declaring allowed tools would improve transparency and security posture. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools actually needed, e.g., 'allowed-tools: [Python, Bash, Read, Write]'. This improves auditability and helps agents enforce least-privilege execution. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package DependenciesThe SKILL.md installation instructions use unpinned package versions (e.g., 'uv pip install pydicom', 'uv pip install pillow', 'uv pip install numpy', etc.). Without version pinning, the skill is vulnerable to supply chain attacks where a malicious version of a dependency could be installed. This is particularly concerning for a medical imaging skill that handles sensitive patient data (PHI/DICOM files). File:
SKILL.mdRemediation: Pin all dependencies to specific versions, e.g., 'uv pip install pydicom==2.4.4 pillow==10.2.0 numpy==1.26.4'. Consider using a requirements.txt or pyproject.toml with locked versions and hash verification. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Missing Skill Version and Author ProvenanceThe skill manifest lacks a version field and the license field points to a GitHub URL rather than specifying the license type directly. While a skill-author is present ('K-Dense Inc.'), the absence of a version number makes it difficult to track updates, verify integrity, or detect if the skill has been tampered with or substituted with a malicious version. File:
SKILL.mdRemediation: Add explicit version, license type (e.g., 'MIT'), and compatibility fields to the YAML frontmatter. Consider adding a checksum or signature mechanism for skill integrity verification. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Incomplete PHI Anonymization - Potential Data Exposure RiskThe anonymize_dicom.py script and SKILL.md anonymization workflow do not anonymize DICOM UIDs (StudyInstanceUID, SeriesInstanceUID, SOPInstanceUID) by default - this code is commented out. UIDs can be used to re-identify patients or link anonymized datasets back to original studies. Additionally, the anonymization list may be incomplete relative to the full DICOM PS 3.15 Annex E de-identification profile, potentially leaving PHI fields unaddressed. This is a data exposure risk when users rely on this skill for HIPAA/GDPR-compliant anonymization. File:
scripts/anonymize_dicom.py:70Remediation: Document clearly that this anonymization is NOT compliant with DICOM PS 3.15 Annex E or HIPAA Safe Harbor. Warn users that UIDs are not anonymized by default and that additional PHI tags beyond the listed ones may exist. Consider implementing a full de-identification profile or referencing a validated tool like deid or dicomanon.
- π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and compatibility metadataThe SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill may invoke. Given the skill executes Python code, writes files, and performs MCMC sampling, documenting these capabilities would improve transparency. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python]' and a 'compatibility' field to the YAML frontmatter to document the skill's intended tool usage and environment requirements.
- π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility and Allowed-Tools MetadataThe SKILL.md manifest does not specify 'compatibility' or 'allowed-tools' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill may invoke, reducing transparency about the skill's intended operational scope. File:
SKILL.mdRemediation: Add 'compatibility' and 'allowed-tools' fields to the YAML frontmatter to clearly declare the skill's intended environment and tool restrictions. For example: allowed-tools: [Python, Bash]
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Unpinned Package Installation via pip/uvThe SKILL.md instructs installation of PyTDC using 'uv pip install PyTDC' and 'uv pip install PyTDC --upgrade' without version pinning. This means the agent will always install the latest version of PyTDC and its dependencies (numpy, pandas, tqdm, seaborn, scikit_learn, fuzzywuzzy), which could introduce supply chain risks if the package is compromised or a malicious version is published. The '--upgrade' flag is particularly risky as it actively seeks newer versions. File:
SKILL.mdRemediation: Pin the PyTDC version to a known-good release, e.g., 'uv pip install PyTDC==0.4.1'. Avoid using --upgrade in automated contexts without version validation. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and compatibility MetadataThe skill manifest does not specify 'allowed-tools' or 'compatibility' fields. The scripts execute Python code, make network calls to download datasets from TDC servers, and write data to local directories (e.g., 'data/' path in benchmark_evaluation.py). Without declared tool restrictions, the agent has no manifest-level constraints on what operations it can perform. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python, Bash]' and 'compatibility' fields to the YAML manifest to clearly document expected tool usage and environment requirements. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Third-Party Dependencies with Automatic InstallationThe skill notes that 'Additional packages are installed automatically as needed for specific features.' This means PyTDC may silently install additional packages (e.g., scipy, rdkit, torch-geometric) at runtime without user awareness or version pinning. The scripts also import scipy.stats dynamically within functions. This creates a supply chain risk where transitive dependencies could be compromised. File:
SKILL.mdRemediation: Document all required dependencies with pinned versions. Avoid silent automatic installation of packages. Use a requirements.txt or pyproject.toml with locked versions.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility MetadataThe YAML manifest does not specify a 'compatibility' field, which is listed as 'Not specified'. While this is a minor documentation gap, it means users cannot determine which environments or agent platforms this skill is designed to work with, potentially leading to unexpected behavior. File:
SKILL.mdRemediation: Add a compatibility field to the YAML frontmatter specifying supported platforms (e.g., 'Claude.ai, Claude Code, API') to help users understand the intended deployment context. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Key Exposed in Code ExamplesThe skill's documentation and reference files contain hardcoded example API keys (e.g., 'ABC1234XYZ') in multiple code snippets. While these appear to be placeholder/example values, the pattern of embedding API keys directly in code is demonstrated throughout the skill, which could encourage users to hardcode real credentials in their scripts rather than using environment variables. File:
references/authentication.mdRemediation: Ensure all code examples consistently use environment variable patterns (os.environ['ZOTERO_API_KEY']) rather than inline placeholder strings. Add explicit warnings in examples that real API keys must never be hardcoded. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded Collection Traversal PatternThe skill documents and encourages use of zot.everything() which makes unlimited sequential API calls to retrieve all items from a library. For large Zotero libraries with thousands of items, this could result in excessive API calls, rate limiting, and prolonged resource consumption. The pagination reference explicitly notes 'large libraries may take time' but does not enforce any safeguards. File:
references/pagination.mdRemediation: Add guidance on using 'since=version' for incremental sync rather than full traversal. Recommend setting reasonable limits and implementing progress checks for large libraries. Document expected API call counts for typical library sizes.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Multiple Referenced Files Not Found in Skill PackageThe skill references numerous files that are not present in the package: assets/setup.md, assets/backends.md, scipy.py, assets/algorithms.md, templates/patterns.md, templates/visualization.md, qiskit.py, assets/visualization.md, templates/transpilation.md, assets/patterns.md, assets/circuits.md, templates/circuits.md, templates/setup.md, templates/primitives.md, templates/backends.md, templates/algorithms.md, assets/transpilation.md, assets/primitives.md, qiskit_ibm_runtime.py. The presence of qiskit.py and qiskit_ibm_runtime.py as referenced but missing files is notable - if these were present, they could shadow the legitimate qiskit and qiskit_ibm_runtime packages. File:
SKILL.mdRemediation: Remove references to non-existent files or include them in the package. Investigate why qiskit.py and qiskit_ibm_runtime.py are referenced - if these were present, they could shadow legitimate Python packages and constitute a supply chain attack vector. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Potentially Inflated Capability Claims in DescriptionThe skill description and SKILL.md overview make specific performance claims ('83x faster transpilation than competitors', '29% fewer two-qubit gates', '13M+ downloads') that serve as marketing language. While these may be accurate for specific versions/benchmarks, presenting them as general facts in the skill manifest could mislead users about expected performance. The description also claims support for 'IonQ, Amazon Braket, and other providers' which requires additional third-party packages not installed by default. File:
SKILL.mdRemediation: Qualify performance claims with version numbers and benchmark conditions. Clarify which features require additional package installations beyond the base qiskit package. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Token Exposed in Documentation ExamplesThe setup documentation (references/setup.md) and backends documentation (references/backends.md) include placeholder API token strings in code examples. While these are placeholders ("YOUR_IBM_QUANTUM_TOKEN"), the pattern of embedding tokens directly in code is demonstrated as the primary method, which could encourage users to hardcode real credentials in scripts. Additionally, the environment variable method is presented as an alternative rather than the preferred approach. File:
references/setup.mdRemediation: Emphasize environment variable usage as the primary recommended approach. Add explicit warnings against hardcoding real API tokens in scripts. Consider adding a note about using secrets managers. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package DependenciesAll installation instructions throughout the skill use unpinned package versions (e.g., 'uv pip install qiskit', 'uv pip install qiskit-nature', 'uv pip install qiskit-machine-learning'). Without version pinning, the skill is susceptible to supply chain attacks where a compromised or malicious package version could be installed. This affects multiple referenced files including setup.md, algorithms.md, and visualization.md. File:
references/setup.mdRemediation: Pin all package versions to known-good releases (e.g., 'uv pip install qiskit==1.x.x'). Provide a requirements.txt or pyproject.toml with pinned dependencies and hash verification.
-
π΅ LOW
LLM_COMMAND_INJECTIONβ Use of pickle for Molecule SerializationThe SKILL.md instructions recommend using Python's pickle module for storing and loading RDKit molecule objects for performance. Pickle deserialization is inherently unsafe when loading data from untrusted sources, as malicious pickle payloads can execute arbitrary code during deserialization. While the instructions don't explicitly direct loading user-supplied pickle files, recommending pickle as a best practice without security caveats could lead users or the agent to deserialize untrusted data. File:
SKILL.mdRemediation: Add a security warning in the instructions noting that pickle files should only be loaded from trusted sources. Consider recommending safer serialization alternatives such as storing canonical SMILES strings or using SDF format for persistence instead of pickle. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe skill manifest does not declare an allowed-tools field. The scripts perform file I/O (reading SDF/SMILES files, writing CSV/SDF output), execute Python code, and access the filesystem. While this is expected behavior for a cheminformatics toolkit, the absence of an allowed-tools declaration means there are no declared restrictions on what tools the agent may use when executing this skill. File:
SKILL.mdRemediation: Add an explicit allowed-tools declaration to the YAML frontmatter, e.g., allowed-tools: [Python, Read, Write] to document the intended tool scope and limit unintended tool usage. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Referenced File rdkit.py Not FoundThe SKILL.md instructions reference a file rdkit.py in the skill package, but this file was not found. This missing file could indicate an incomplete skill package. If the agent attempts to load or execute this missing file, it may fail silently or attempt to locate a file with that name from an external or unexpected source. File:
SKILL.mdRemediation: Either include the rdkit.py file in the skill package or remove the reference from the instructions. Ensure all referenced files are present and accounted for in the skill package.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ API Key Exposed in Plaintext Code ExamplesThe SKILL.md instruction body contains multiple code examples where the API key is set directly as a hardcoded string literal:
rowan.api_key = "your_api_key_here". While these are placeholder values in documentation, this pattern actively encourages users to hardcode real API keys in scripts rather than using environment variables, increasing the risk of credential exposure in version control or logs. File:SKILL.mdRemediation: Remove or de-emphasize the direct assignment pattern in examples. Prioritize the environment variable approach (ROWAN_API_KEY) in all code samples and add explicit warnings against hardcoding credentials. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Webhook Secret Printed to Console in ExamplesThe SKILL.md instruction body includes code examples that print webhook secrets directly to stdout:
print(f"Secret key: {secret.secret}")andprint(f"New secret created (old secret disabled): {new_secret.secret}"). This pattern encourages logging sensitive secrets to console output, which may be captured in logs or terminal history. File:SKILL.mdRemediation: Replace print statements for secrets with warnings to store them securely (e.g., environment variables or secret managers). Never log secrets to stdout in example code. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Referenced Script Files Not Found (rowan.py, rdkit.py)The SKILL.md references two Python files (rowan.py and rdkit.py) that were not found in the skill package. The static pre-scan indicates 6 Python files exist but none matched these references. This discrepancy means the actual scripts being executed cannot be audited. The static analyzer flagged environment variable access with network calls across 6 files and a cross-file exfiltration chain, but the specific files could not be reviewed. This represents an incomplete security posture assessment. File:
SKILL.mdRemediation: Ensure all referenced script files are included in the skill package for auditability. The unreviewed Python files flagged by the static analyzer for environment variable access and network calls should be inspected manually to confirm they only access ROWAN_API_KEY and only communicate with legitimate Rowan API endpoints. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Broad Trigger Keywords May Cause Unintended Skill ActivationThe YAML manifest includes a
trigger-keywordsfield with broad terms such as 'drug discovery', 'SMILES', 'protein structure', and 'batch molecular modeling'. These keywords are common in general chemistry and biology discussions and could cause the skill to activate in contexts where it is not needed, potentially consuming user credits or initiating unintended API calls to the Rowan platform. File:SKILL.mdRemediation: Narrow trigger keywords to more specific, unambiguous phrases that clearly indicate intent to use the Rowan platform specifically, rather than general chemistry terminology. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionThe SKILL.md instructs users to install
rowan-pythonwithout a pinned version:uv pip install rowan-pythonandpip install rowan-python. Unpinned package installations are vulnerable to supply chain attacks where a malicious version could be published to PyPI and automatically installed by users following these instructions. File:SKILL.mdRemediation: Pin the package to a specific known-good version (e.g.,pip install rowan-python==X.Y.Z) and document the expected version. Consider including a hash verification step for security-sensitive deployments.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe SKILL.md manifest does not specify an 'allowed-tools' field. While this is optional per the agent skills spec, the skill executes Python scripts, writes files, and performs file I/O operations. Declaring allowed tools would improve transparency and security posture. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python, Bash]' to the YAML frontmatter to explicitly declare the tools this skill uses. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ License Field Contains Non-Standard ValueThe manifest declares 'SD-3-Clause license' which is not a recognized SPDX license identifier. The standard BSD 3-Clause license identifier is 'BSD-3-Clause'. This may be a typo or intentional obfuscation of the actual license terms. File:
SKILL.mdRemediation: Correct the license field to use a valid SPDX identifier such as 'BSD-3-Clause' if that was the intended license.
- π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and compatibility metadataThe SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill may invoke. Given the skill's stated purpose (conversational brainstorming), this is a minor informational gap rather than an active threat. File:
SKILL.mdRemediation: Add 'allowed-tools' to the YAML frontmatter to explicitly declare which tools are needed (e.g., [Read] for reading the references file). Add 'compatibility' to clarify supported environments.
- π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, the skill executes Python scripts and performs file I/O (saving PNG files), so documenting the required tools would improve transparency. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python, Bash]' to the YAML frontmatter to explicitly declare the tools this skill uses.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md YAML frontmatter does not declare an
allowed-toolsfield. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools this skill may invoke. The script performs file I/O (writing .h5ad files, saving figures) and could benefit from explicit tool declarations for transparency. File:SKILL.mdRemediation: Add an explicitallowed-toolsfield to the YAML frontmatter, e.g.,allowed-tools: [Python, Read, Write], to document the intended tool usage scope. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation RecommendedThe SKILL.md instructions recommend installing scVelo via
pip install scvelowithout a version pin. This means any future compromised or malicious version of the scvelo package on PyPI could be installed automatically. While this is a common practice in documentation, it represents a supply chain risk in automated or reproducible environments. File:SKILL.mdRemediation: Pin the package version in installation instructions, e.g.,pip install scvelo==0.3.2. Consider using a requirements.txt or environment.yml with pinned versions for reproducibility and security. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Referenced Files Not Found (scanpy.py, matplotlib.py, scvelo.py)The SKILL.md instructions reference three files β scanpy.py, matplotlib.py, and scvelo.py β that are not present in the skill package. These appear to be false positives from the static analyzer interpreting Python import statements as file references rather than actual file references. However, if these were intended as bundled helper modules, their absence could cause runtime failures or unexpected behavior if the agent attempts to locate them. File:
SKILL.mdRemediation: Verify that these are not intended as bundled files. If they are Python import references only, no action is needed. If they were intended as helper scripts, include them in the skill package.
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Referenced File Inventory with Many Missing FilesThe skill references a large number of files across multiple directories (assets/, templates/, references/) that do not exist in the package. While the core reference files are present, the extensive list of missing files (assets/differential-expression.md, templates/workflows.md, scvi.py, scanpy.py, etc.) suggests either incomplete packaging or an attempt to inflate perceived scope. The references to scvi.py and scanpy.py as if they are local scripts is notable since these are actually PyPI packages, not local files. File:
SKILL.mdRemediation: Remove references to non-existent files. Do not reference scvi.py and scanpy.py as if they are local skill scripts when they are external PyPI packages. Ensure all referenced files are actually bundled with the skill package. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Static Analyzer Flags Potential Environment Variable Exfiltration Chain Across FilesThe pre-scan static analyzer detected signals for environment variable access combined with network calls across a cross-file chain involving 3 files. However, reviewing all provided file contents (SKILL.md and all referenced markdown files), no Python or Bash scripts are present in the package, and no actual code performing environment variable access or network exfiltration was found in the reviewed content. The static analyzer may have flagged patterns in the markdown code examples (e.g., os.getpid(), psutil, requests usage in workflows.md). These are documentation examples, not executable skill scripts. The risk is low but warrants noting. File:
references/workflows.mdRemediation: Confirm that no actual executable Python scripts are bundled with this skill that perform environment variable harvesting or network exfiltration. The code examples in markdown reference files appear to be documentation only. If scripts are added in the future, ensure they do not combine os.environ access with outbound network calls.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe skill does not declare an 'allowed-tools' field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on what tools the agent can use when executing this skill. The skill instructs the agent to use the Read tool to load reference files, and the code examples involve file I/O (joblib.dump/load), network calls (mlflow logging), and potentially executing Python code. Without allowed-tools constraints, the agent has unconstrained tool access. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' declaration to the YAML manifest, e.g., 'allowed-tools: [Read, Python]' to constrain the agent to only the tools needed for SHAP analysis. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Claims in Skill DescriptionThe skill description is very broad, claiming to work with 'any black-box model' and listing numerous trigger phrases. While this is largely accurate for the SHAP library, the extensive keyword list in the 'When to Use This Skill' section could lead to over-activation of the skill in contexts where it may not be the most appropriate tool. This is a minor concern as the claims are generally accurate. File:
SKILL.mdRemediation: Consider narrowing the trigger phrases to more specific SHAP-related queries to avoid over-activation. The current list is broad but not malicious. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionsThe installation section recommends installing packages without version pins. This creates a supply chain risk where a compromised or malicious version of the shap, matplotlib, xgboost, lightgbm, tensorflow, or torch packages could be installed. The use of 'uv pip install -U shap' explicitly installs the latest version, which could include a compromised release. File:
SKILL.mdRemediation: Pin package versions in installation instructions, e.g., 'uv pip install shap==0.44.0 matplotlib==3.8.0'. This ensures reproducibility and protects against supply chain attacks via version updates.
- π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools and compatibility metadataThe SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on what tools the agent may use when executing this skill. Given the skill executes Python scripts and writes CSV files, documenting these would improve transparency. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python]' and a 'compatibility' field to the YAML frontmatter to document intended tool usage and platform support.
- π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools DeclarationThe skill does not declare an 'allowed-tools' field in its YAML manifest. While this is optional per the agent skills spec, the skill executes Python scripts that perform file I/O, subprocess creation (SubprocVecEnv), and directory creation. Documenting the intended tool permissions improves transparency and auditability. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools the skill requires, e.g., allowed-tools: [Python, Bash].
-
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing allowed-tools Manifest FieldThe SKILL.md manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, the skill executes Python code (assumption_checks.py) and references multiple scripts. Documenting allowed tools improves transparency and helps agents enforce appropriate restrictions. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' field to the YAML frontmatter, e.g., 'allowed-tools: [Python]', to document the tools this skill requires. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing Compatibility Field in ManifestThe SKILL.md manifest does not specify the 'compatibility' field. This reduces transparency about which environments the skill is designed to operate in. File:
SKILL.mdRemediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments (e.g., 'Claude.ai, Claude Code, API').
-
π΅ LOW
LLM_COMMAND_INJECTIONβ Python eval/exec Pattern Detected in Code BlocksThe static pre-scan flagged a Python code block containing eval or exec usage (MDBLOCK_PYTHON_EVAL_EXEC). While the code blocks in SKILL.md appear to be illustrative examples for TileDB-VCF usage and no explicit eval/exec call was found in the visible content, the static analyzer detected this pattern. If the agent executes these code blocks directly, any eval/exec usage could allow arbitrary code execution if user-controlled input is passed to these calls. File:
SKILL.mdRemediation: Review all Python code blocks in SKILL.md for any eval() or exec() calls. If present, replace with safer alternatives. Ensure user-supplied input is never passed to eval/exec. If these are purely illustrative examples, add a clear disclaimer that they should not be executed verbatim with untrusted input. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Missing allowed-tools MetadataThe skill does not specify the 'allowed-tools' field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be invoked. Given that the skill instructs the agent to run Python code and Bash commands, declaring allowed tools would improve transparency and reduce the risk of unintended tool use. File:
SKILL.mdRemediation: Add an explicit 'allowed-tools' field to the YAML frontmatter, e.g., 'allowed-tools: [Bash, Python, Read, Write]', to document and restrict the tools this skill is permitted to use. -
π΅ LOW
LLM_DATA_EXFILTRATIONβ Referenced Script Files Not FoundThe SKILL.md references two Python files (tiledbvcf.py and tiledb.py) that were not found in the skill package. This means the agent may attempt to load or execute files that do not exist, or these files may be expected to be provided externally. If these files are sourced from external or user-provided locations, they could introduce untrusted code execution risks. File:
SKILL.mdRemediation: Ensure all referenced files are bundled within the skill package. If these are standard library imports rather than local files, clarify this in the documentation. Do not load externally sourced Python files without validation. -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Unpinned Package Installation InstructionsThe skill instructs users to install packages without version pinning (e.g., 'pip install tiledb-cloud', 'pip install tiledb-cloud[life-sciences]', and conda/mamba installs without pinned versions). Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be published and automatically installed. File:
SKILL.mdRemediation: Pin all package versions to known-good releases (e.g., 'pip install tiledb-cloud==0.12.3'). Use a requirements.txt or conda environment.yml with locked versions. Consider using hash verification for pip installs.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Unpinned Package Versions in Installation InstructionsThe SKILL.md installation instructions recommend installing timesfm and torch without pinned versions (e.g., 'uv pip install timesfm[torch]', 'pip install torch>=2.0.0'). Unpinned or loosely-pinned dependencies can allow supply chain attacks if a malicious version is published to PyPI. The torch installation uses a minimum version constraint (>=2.0.0) rather than an exact pin. File:
SKILL.mdRemediation: Pin all dependencies to exact versions (e.g., 'pip install timesfm==2.5.0 torch==2.4.1'). Consider using a lockfile (uv.lock or requirements.txt with hashes) to ensure reproducible installs. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Missing compatibility Field in YAML ManifestThe YAML manifest does not specify a 'compatibility' field, which is listed as 'Not specified'. This means users cannot determine which agent environments this skill is compatible with from the manifest alone. This is a minor documentation gap rather than a security threat, but it reduces transparency about the skill's intended deployment context. File:
SKILL.mdRemediation: Add a compatibility field to the YAML frontmatter specifying the supported agent environments (e.g., 'Claude Code, API'). -
π΅ LOW
LLM_SUPPLY_CHAIN_ATTACKβ Missing Dependency Lockfile / Version Pinning for timesfm PackageThe skill installs the 'timesfm' package from PyPI without version pinning. The timesfm package is a relatively new Google Research package. Without pinned versions, a compromised or malicious update to the package could affect users who install the skill. The skill also installs optional extras ([torch], [flax], [xreg]) without version constraints. File:
SKILL.mdRemediation: Pin the timesfm package to a specific known-good version. Document the tested version in the skill manifest. Consider adding a requirements.txt with hashed dependencies. -
π΅ LOW
LLM_RESOURCE_ABUSEβ Unbounded Batch Processing Without Resource Guards in forecast_csv.pyThe forecast_csv.py script loads all CSV columns into memory as inputs and calls model.forecast() on all series at once without any upper bound on the number of series or their lengths. A very large CSV file could cause memory exhaustion. While the preflight check validates RAM before model loading, it does not validate the size of the input data being processed. File:
scripts/forecast_csv.pyRemediation: Add a maximum series count and maximum series length check before calling model.forecast(). Implement chunked processing for large inputs (as shown in the SKILL.md memory-constrained workflow section) and apply it by default in the script.
-
π΅ LOW
LLM_DATA_EXFILTRATIONβ Static Analyzer Flagged Potential Env Var Exfiltration Pattern (Unconfirmed)The pre-scan static analyzer flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN across Python files. However, manual review of all provided skill content (SKILL.md and all referenced markdown files) shows only legitimate network calls to the official U.S. Treasury Fiscal Data API (api.fiscaldata.treasury.gov). No Python script files were found in the skill package (script files section reports 'No script files found'). The static analyzer flags may be false positives triggered by the presence of requests library usage combined with API calls in the documentation examples. No actual credential harvesting or environment variable exfiltration was identified in the reviewed content. File:
SKILL.mdRemediation: Verify that no additional Python script files exist in the skill package directory that were not provided for review. The static analyzer flags warrant manual inspection of any unreported .py files. All reviewed code only contacts the official Treasury API. -
π΅ LOW
LLM_SKILL_DISCOVERY_ABUSEβ Over-Broad Capability Claims in DescriptionThe skill description claims access to '54 datasets and 182 data tables' and lists a wide range of financial data types. While this appears to accurately describe the U.S. Treasury Fiscal Data API, the description is very broad and could trigger the skill for a wide range of financial queries beyond its actual scope. This is a minor concern as the API is legitimate and publicly documented. File:
SKILL.mdRemediation: Consider narrowing the description to the most common use cases to avoid over-broad activation. The description is otherwise accurate and benign. -
π΅ LOW
LLM_UNAUTHORIZED_TOOL_USEβ Missing allowed-tools DeclarationThe skill does not declare an 'allowed-tools' field in its YAML manifest. The skill instructs the agent to execute Python code (requests, pandas) and make network calls to the U.S. Treasury API. Without an explicit allowed-tools declaration, there is no manifest-level constraint on what tools the agent may use. This is informational only as allowed-tools is optional per the spec. File:
SKILL.mdRemediation: Add 'allowed-tools: [Python]' to the YAML frontmatter to explicitly declare that Python execution is required and limit tool scope.