The Agent Skills Directory

[COMMAND_EXECUTION] (HIGH): The skill documentation explicitly states that the agent executes code with full system privileges. Without sandboxing, this allows the agent to perform unrestricted actions on the local environment.
[REMOTE_CODE_EXECUTION] (HIGH): Through the agent.go() method, the system dynamically generates and runs code based on natural language input. This design is highly susceptible to prompt injection attacks where an attacker could provide instructions that lead to the execution of malicious scripts.
[EXTERNAL_DOWNLOADS] (MEDIUM): The framework automatically downloads approximately 11GB of biomedical data and models from external repositories (GitHub, Hugging Face) upon first use. These sources are not within the explicitly defined trusted organization list for this audit.
[PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection via the processing of untrusted research data. (1) Ingestion points: User research queries via agent.go(), biological data files (.h5ad, GWAS summary stats), and integrated literature indices. (2) Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are mentioned. (3) Capability inventory: Full Python code execution, file system access, and network access via MCP servers. (4) Sanitization: No sanitization or escaping of external content is described; the skill relies on manual user review of code.

biomni