pymatgen
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): The script `phase_diagram_generator.py` correctly retrieves the Materials Project API key from an environment variable (`MP_API_KEY`), avoiding hardcoded credentials. Network activity is limited to fetching data from the legitimate Materials Project API.
- [Indirect Prompt Injection] (SAFE): While the tools ingest untrusted structure files (CIF, POSCAR, etc.) in `structure_analyzer.py` and `structure_converter.py`, the data is parsed into strict materials science objects. There is no evidence that the agent would execute instructions embedded in these data files.
- [Unverifiable Dependencies & Remote Code Execution] (SAFE): The skill relies on well-known scientific libraries (`pymatgen`, `mp-api`). No patterns of remote script execution or arbitrary command execution were found.
- [Dynamic Execution] (SAFE): The skill promotes secure serialization practices using `as_dict()` and `from_dict()` for JSON/YAML persistence, explicitly avoiding the security risks associated with Python's `pickle` module.
Audit Metadata