arboreto
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill installs the 'arboreto' package from PyPI. This is a standard dependency for the skill's primary function, justifying a downgrade to LOW.
- COMMAND_EXECUTION (LOW): The script 'scripts/basic_grn_inference.py' performs file system operations (reading expression data and writing results) based on command-line arguments.
- REMOTE_CODE_EXECUTION (MEDIUM): The use of Dask for distributed computing involves object serialization (pickling) and network connections. While this presents a risk if connecting to untrusted schedulers, it is a core feature for large-scale analysis and is downgraded to LOW.
- PROMPT_INJECTION (LOW): The skill exhibits a surface for indirect prompt injection (Category 8). Ingestion points: 'scripts/basic_grn_inference.py' via 'pd.read_csv'. Boundary markers: Absent. Capability inventory: File system access and console output via 'print()'. Sanitization: Absent.
Audit Metadata