biomni
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill documentation explicitly states that it executes LLM-generated code with 'full system privileges'. This creates a significant risk where an attacker could use prompt injection to execute arbitrary commands, access sensitive files, or compromise the host environment.
- REMOTE_CODE_EXECUTION (HIGH): The installation process involves cloning a repository and executing a shell script ('bash setup.sh') from a source ('snap-stanford' on GitHub) that is not included in the predefined list of trusted organizations.
- CREDENTIALS_UNSAFE (MEDIUM): The skill requires and prompts users to provide multiple high-value API keys (Anthropic, OpenAI, Azure, Google, etc.) and suggests storing them in a '.env' file, which can be a target for exfiltration.
- EXTERNAL_DOWNLOADS (MEDIUM): The framework automatically downloads approximately 11GB of biomedical data upon first use. While functionally necessary, downloading large datasets from remote sources without integrity verification poses a supply chain risk.
- PROMPT_INJECTION (LOW): As a framework that processes natural language queries ('agent.go') to generate executable code, it has a large attack surface for both direct and indirect prompt injection.
- DATA_EXPOSURE (LOW): The skill is designed to process and potentially save sensitive research data (CRISPR screens, GWAS variants) to the local filesystem, which could be exposed if the agent is compromised.
Recommendations
- AI detected serious security threats
Audit Metadata