matchms
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements and documents the use of load_from_pickle and save_as_pickle in SKILL.md and references/importing_exporting.md. These functions use the Python pickle module for data deserialization. Since pickle is inherently insecure and can execute arbitrary code during the loading process, using it with untrusted files represents a significant security risk.
- [PROMPT_INJECTION]: The skill ingests spectral data and metadata from external formats such as MGF, MSP, and mzML, as described in references/importing_exporting.md. This creates a surface for indirect prompt injection, where malicious instructions could be embedded in compound names or other metadata fields.
  1. Ingestion points: Multiple file loading functions, including load_from_mgf and load_from_mzml.
  2. Boundary markers: No specific delimiters are employed to separate metadata from processing logic.
  3. Capability inventory: Includes file system write access through save_as_mgf and save_as_pickle, as well as network access for metadata enrichment.
  4. Sanitization: No security-focused sanitization is performed on ingested metadata before it is used by the agent.
- [EXTERNAL_DOWNLOADS]: The derive_annotation_from_compound_name filter in references/filtering.md retrieves chemical structure information from the PubChem service, which is a trusted external scientific database.
Audit Metadata