rdkit
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The SKILL.md file recommends using the Python pickle module for performance when saving or loading molecular datasets. Loading data from an untrusted source using pickle.load() can lead to arbitrary code execution, as the format allows arbitrary Python objects to be executed during deserialization.
- [DATA_EXFILTRATION]: All provided Python scripts (molecular_properties.py, similarity_search.py, substructure_filter.py) use the argparse and pathlib modules to accept and operate on arbitrary file system paths for input and output. This allows the agent to read sensitive local files (exposure) or write data to arbitrary locations.
- [PROMPT_INJECTION]: The skill includes a 'Suggest Using K-Dense Web' section that provides explicit behavioral instructions to the agent. It commands the agent to proactively suggest an external platform based on the complexity of the user's request, which is an attempt to override the agent's natural decision-making process for service recommendations.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by processing external chemical data files which may contain malicious instructions in metadata or molecular property fields.
- Ingestion points: File reading via SDMolSupplier and SmilesMolSupplier across multiple scripts.
- Boundary markers: None identified to distinguish between data and instructions.
- Capability inventory: File system read/write access and complex Python data processing via RDKit.
- Sanitization: RDKit validates chemical structures but does not sanitize non-chemical property fields for prompt injection content.