single-cell-downstream-analysis
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires downloading external code and biological datasets from sources outside the trusted vendor list. Evidence: SKILL.md instructs the user to 'git clone https://github.com/CSB5/CaDRReS-Sc'. Additionally, reference.md contains calls to 'ov.utils.download_GDSC_data()' and 'ov.utils.download_CaDRReS_model()' for fetching model assets at runtime.
- [REMOTE_CODE_EXECUTION]: The skill executes external scripts provided by a downloaded third-party repository. Evidence: The 'ov.single.Drug_Response' function in reference.md uses the 'scriptpath' parameter pointing to the 'CaDRReS-Sc' directory, which refers to the externally cloned code. This involves running untrusted code within the agent's environment.
- [COMMAND_EXECUTION]: The skill utilizes shell commands to manage external resources. Evidence: Explicit instruction to use 'git clone' in the scDrug response prediction module.
- [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection due to its processing of untrusted biological data.
  - Ingestion points: The skill processes user-provided biological data objects (AnnData) and external pathway collections (GO, KEGG) as described in SKILL.md.
  - Boundary markers: There are no delimiters or warnings present to prevent the agent from interpreting embedded data as instructions.
  - Capability inventory: The skill has the capability to write files ('adata.write', 'ov.utils.save') and execute external scripts ('ov.single.Drug_Response') as shown in reference.md.
  - Sanitization: No sanitization, validation, or escaping of external content is performed before it is processed by the analysis functions.
Recommendations
- AI detected serious security threats
Audit Metadata