mutation-design-aav
Fail
Audited by Snyk on Mar 25, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The skill explicitly implements automated design of higher-fitness AAV capsid mutants (a clear biological dual-use/biosecurity risk) and downloads and loads remote model checkpoints with torch.load (untrusted pickle deserialization), which creates a supply-chain/remote code execution vector. No plaintext credential theft or hidden exfiltration is present, but the combination of enabling viral mutant optimization and executing remote model artifacts is high risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md workflow explicitly requires downloading initial AAV sequences and an oracle model/config from public cloud.tsinghua.edu.cn URLs (e.g., https://cloud.tsinghua.edu.cn/f/992109032d8049689a6d/?dl=1, https://cloud.tsinghua.edu.cn/f/80bbc575ec3f4e63a0af/?dl=1, https://cloud.tsinghua.edu.cn/f/09ea0869b74b4d2ca53e/?dl=1), which are untrusted third-party files that the agent must ingest and that directly determine scoring and mutation decisions, so they could inject instructions or otherwise materially influence behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill downloads runtime resources from https://cloud.tsinghua.edu.cn/f/992109032d8049689a6d/?dl=1 (initial sequences), https://cloud.tsinghua.edu.cn/f/80bbc575ec3f4e63a0af/?dl=1 (model checkpoint), and https://cloud.tsinghua.edu.cn/f/09ea0869b74b4d2ca53e/?dl=1 (configuration). These are fetched at runtime and then loaded/executed (torch.load, OmegaConf/BaseCNN) to score sequences, so they directly control the agent's mutation proposals.
Issues (3)
- E006 (CRITICAL): Malicious code pattern detected in skill scripts.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).