phenosnap-phenotype-extractor

Fail

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches the PhenoSnap tool from its official repository on GitHub (WGLab/PhenoSnap) using either git or a ZIP archive.
  • [REMOTE_CODE_EXECUTION]: To ensure environment compatibility, the skill downloads and executes the get-pip.py script from the well-known bootstrap.pypa.io domain managed by the Python Packaging Authority.
  • [COMMAND_EXECUTION]: Automated installation of dependencies is performed via pip install, and the extraction logic is executed through python3 subprocess calls using dynamic module loading.
  • [PROMPT_INJECTION]: The skill processes untrusted clinical text provided by users, which creates an attack surface for indirect prompt injection.
      • Ingestion points: User input is written to local files at {baseDir}/artifacts/phenosnap_inputs/input_.txt before being read by the PhenoSnap script.
      • Boundary markers: No explicit delimiters are used in the written input files, although the skill includes redaction logic.
      • Capability inventory: The skill possesses capabilities to execute Python scripts, run shell commands (git, curl, zip), and install packages.
      • Sanitization: Implements pattern-based redaction for PII such as emails, phone numbers, and long numeric identifiers (MRNs) before the data is processed.
Recommendations
  • HIGH: Downloads and executes remote code from: https://bootstrap.pypa.io/get-pip.py - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 27, 2026, 02:34 AM