scvi-tools
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [Dynamic Execution] (MEDIUM): The skill utilizes `model.load()` across multiple models (e.g., SCVI, PeakVI, VeloVI). In Python machine learning frameworks, these functions frequently rely on `pickle` or `torch.load` internally, which can be exploited for arbitrary code execution if a user loads a malicious model directory from an untrusted source.
- [Indirect Prompt Injection] (MEDIUM): The skill ingests untrusted data from external files (e.g., `.h5ad` files) via `scanpy.read_h5ad`. While the skill targets scientific analysis, metadata within these files (such as cell type labels or batch keys) could be used to influence agent behavior if the agent treats this metadata as instructional content.
  1. Ingestion points: `scanpy.read_h5ad` in `references/models-atac-seq.md` and `references/models-scrna-seq.md`.
  2. Boundary markers: Absent.
  3. Capability inventory: File-write via `model.save`, file-read/potential-execution via `model.load`.
  4. Sanitization: Absent.
- [Unverifiable Dependencies & Remote Code Execution] (LOW): The installation instructions in `SKILL.md` recommend installing `scvi-tools` via `pip`. Although `scvi-tools` is a reputable scientific library, the installation of third-party packages remains a potential attack vector. Per [TRUST-SCOPE-RULE], this is downgraded to LOW due to the library's established standing in the research community.
- [Command Execution] (LOW): The skill performs local file system operations including reading biological datasets and writing trained models to disk (`model.save`), which represents a standard capability surface for data analysis tools.
Audit Metadata