The Agent Skills Directory

PROMPT_INJECTION (HIGH): The skill documentation reveals a high-risk Indirect Prompt Injection surface (Category 8). \n
Ingestion points: dm.read_sdf, dm.read_csv, dm.read_smi, and dm.open_df (references/io_module.md) allow loading molecular data from potentially untrusted files or remote URLs. \n
Boundary markers: Absent. There is no documentation for delimiters or instructions to ignore embedded instructions in data. \n
Capability inventory: The skill includes powerful file-write functions (dm.to_sdf, dm.save_df, dm.to_xlsx) and the ability to spawn subprocesses via n_jobs. \n
Sanitization: Not present. Mentioned 'sanitization' functions relate to chemical structure integrity, not security filtering of embedded text. \n- DATA_EXFILTRATION (MEDIUM): The datamol.io module supports writing to remote storage protocols (S3, GCS, Azure, HTTP/HTTPS) as documented in references/io_module.md. This capability can be leveraged to exfiltrate data by directing outputs to attacker-controlled endpoints. \n- EXTERNAL_DOWNLOADS (MEDIUM): The I/O module explicitly supports reading molecular data from remote URLs and cloud storage, facilitating the consumption of potentially malicious external content. \n- REMOTE_CODE_EXECUTION (MEDIUM): The ingestion and parsing of remote molecular files could exploit vulnerabilities in complex C++ parsers (RDKit) or data processing libraries to achieve code execution. \n- COMMAND_EXECUTION (MEDIUM): The widespread use of the n_jobs parameter for parallelization in the descriptors and I/O modules indicates the spawning of subprocesses. \n- DYNAMIC_EXECUTION (MEDIUM): The dm.descriptors.any_rdkit_descriptor(name) function (references/descriptors_viz.md) enables dynamic loading and execution of RDKit functions based on string input, which is a risk if the function name is derived from untrusted sources.

datamol