data-io-loading
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill recommends using ov.io.load() for serialization, which utilizes pickle (via cloudpickle) for deserialization. Deserializing data from untrusted sources with pickle is insecure as it can lead to arbitrary code execution. Evidence found in SKILL.md and reference.md.
- [PROMPT_INJECTION]: The skill functions ingest untrusted external data in various formats (H5AD, CSV, MTX, etc.), creating a surface for Indirect Prompt Injection.
- Ingestion points: ov.read(), ov.io.read_h5ad(), ov.io.read_10x_h5(), ov.io.read_10x_mtx(), ov.io.spatial.read_visium(), ov.io.read_visium_hd(), ov.io.read_nanostring(), ov.io.read_csv().
- Boundary markers: Absent. No delimiters are mentioned to prevent the agent from obeying instructions embedded in data.
- Capability inventory: The skill provides comprehensive file-read capabilities that ingest data into the agent context.
- Sanitization: Absent. No validation or escaping of external content is mentioned.
- [EXTERNAL_DOWNLOADS]: The skill mentions installing standard scientific packages such as snapatac2, geopandas, and shapely via pip. These are well-known libraries required for optional OmicVerse functionality and are considered safe.
Audit Metadata