pubchem-query
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill facilitates legitimate scientific data retrieval from the official PubChem PUG REST API, providing tools for drug discovery and chemistry applications.
- [SAFE]: No malicious patterns, such as prompt injection, hardcoded credentials, or obfuscated commands, were detected in the instructions, reference materials, or example scripts.
- [EXTERNAL_DOWNLOADS]: The skill interacts with the PubChem API (pubchem.ncbi.nlm.nih.gov), which is a trusted and well-known scientific resource; this network activity is consistent with the skill's primary function.
- [SAFE]: File operations are restricted to saving structured chemical data in SDF format to a temporary directory (./tmp/), which is appropriate for its intended use case.
- [PROMPT_INJECTION]: The skill processes user-supplied strings such as chemical names and SMILES strings, representing an indirect prompt injection surface.
  - Ingestion points: Input parameters for tool.run() in SKILL.md and example scripts accept strings that are passed to the PubChem API.
  - Boundary markers: The provided instructions do not define explicit delimiters to separate user data from agent processing instructions.
  - Capability inventory: The skill has filesystem write access to ./tmp/ and network access to the PubChem API.
  - Sanitization: No explicit input sanitization or validation logic is defined within the skill files.
Audit Metadata