esm
Audited by Socket on Mar 2, 2026
1 alert found:
Malware

This skill is feature-rich, plausible SDK documentation for protein language models and appears operationally coherent: local model usage, the cloud (Forge) client, and the embedding APIs match the stated purpose. There are no signs of classic malware (no obfuscated code, no curl|bash download-and-execute instructions, no hardcoded secrets).

However, there are meaningful supply-chain and data-exposure risks: it relies on remote model weight downloads (no integrity checks described), forwards user tokens and user-provided biological data to a third-party Forge endpoint, and enables programmatic large-scale generation of protein sequences, a significant dual-use (biosecurity) concern. The use of pip installations without pinning and the bit.ly short link are minor additional risks.

Recommended mitigations: require/describe cryptographic verification of model weights, document Forge data retention and privacy policy, avoid URL shorteners, provide explicit guidance and guardrails for dual-use/biosecurity (human review, usage agreements, rate limits, abuse detection), and advise pinning package versions and hashes for reproducible installs.