
biomni

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
  • REMOTE_CODE_EXECUTION / COMMAND_EXECUTION (HIGH): The framework's core capability is 'dynamic analysis pipeline creation' which involves generating and executing Python code. The documentation explicitly warns that this code runs with 'full system privileges,' allowing for total system compromise if the LLM-generated logic is malicious.
  • EXTERNAL_DOWNLOADS (MEDIUM): On first use, the skill automatically downloads ~11GB of biomedical data. While linked to Stanford's SNAP lab, the volume and automated nature of the download present a significant attack vector if the source or transit is compromised.
  • CREDENTIALS_UNSAFE (LOW): The skill requires high-value API keys for providers like Anthropic and OpenAI. While it recommends using .env files, these secrets are accessible to the same process that executes dynamically generated code, increasing the risk of credential theft.
  • DATA_EXFILTRATION (MEDIUM): Because the agent has both read access to local sensitive research data (genomics, clinical) and the capability to execute network-enabled code, an attacker could potentially exfiltrate datasets via the agent's autonomous actions.
  • INDIRECT PROMPT INJECTION (LOW): The skill has a large attack surface as it processes external files (single-cell RNA-seq, GWAS summary stats, literature).
    ◦ Ingestion points: agent.go() calls referencing local file paths for datasets.
    ◦ Boundary markers: None mentioned in the documentation; instructions are processed alongside data.
    ◦ Capability inventory: Full system command execution and network access via the A1 agent class.
    ◦ Sanitization: Documentation suggests manual 'review' of code, indicating no automated sanitization or sandboxing exists in the default configuration.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:24 PM