The Agent Skills Directory

COMMAND_EXECUTION (HIGH): The skill explicitly states that it executes LLM-generated code with 'full system privileges'. This design allows the agent to perform unrestricted operations on the host system.
PROMPT_INJECTION (HIGH): Highly vulnerable to Indirect Prompt Injection (Category 8). Evidence: 1. Ingestion points: Ingests untrusted external biomedical data formats including .h5ad (single-cell RNA-seq) and GWAS summary statistics. 2. Boundary markers: Absent; no markers are defined to isolate data from instructions. 3. Capability inventory: 'agent.go' decomposes tasks and generates/executes dynamic analysis pipelines on the host. 4. Sanitization: Absent; the framework lacks automated sanitization and instead relies on manual user review.
EXTERNAL_DOWNLOADS (MEDIUM): Automatically downloads a massive 11GB biomedical data lake on first execution. This download originates from an unverified source and introduces a significant amount of third-party content into the environment.
REMOTE_CODE_EXECUTION (HIGH): The combination of installing a package from an untrusted source ('biomni') and the ability to execute code derived from external data inputs creates a pathway for remote code execution.
CREDENTIALS_UNSAFE (LOW): Recommends storing API keys for Anthropic, OpenAI, and other providers in .env files, which are accessible to any code executed by the agent.

biomni