datamol
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
- DATA_EXFILTRATION (MEDIUM): The `references/io_module.md` and `references/descriptors_viz.md` files describe functions like `dm.save_df`, `dm.to_sdf`, and `dm.viz.to_image` which support an `outfile` parameter. The documentation explicitly states that these functions support remote file paths through `fsspec` integration, covering protocols such as S3, GCS, Azure, and HTTP/HTTPS. This capability allows an agent to exfiltrate data from the local environment to an external endpoint.
- EXTERNAL_DOWNLOADS (LOW): The library's I/O module (`references/io_module.md`) provides functions like `dm.read_sdf`, `dm.read_csv`, and `dm.open_df` that can fetch and process molecular data from arbitrary remote URLs. This creates a vector for ingesting untrusted content into the agent's context.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection due to its extensive data ingestion surface.
  - Ingestion points: `dm.read_sdf`, `dm.read_smi`, `dm.read_csv`, `dm.read_excel`, `dm.read_mol2file`, `dm.read_pdbfile`, and `dm.open_df` (documented in `references/io_module.md`).
  - Boundary markers: Absent. The documentation does not suggest using delimiters or instructions to ignore embedded natural language commands within molecular data files.
  - Capability inventory: The skill can perform network writes (via `fsspec`), local file writes (`dm.save_df`), and complex visualizations (`dm.viz.to_image`).
  - Sanitization: While the library performs chemical sanitization (fixing valency, aromaticity), it does not provide sanitization for natural language instructions that may be embedded in metadata fields (e.g., SDF tags or CSV columns).
Audit Metadata