matchms
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [Dynamic Execution / Remote Code Execution] (HIGH): The skill explicitly lists 'Pickle (Python serialization)' as a supported data format for importing and exporting mass spectrometry data. Python's
picklemodule is known to be insecure; loading a maliciously crafted pickle file from an untrusted source allows for the execution of arbitrary code on the host system. - [Indirect Prompt Injection] (MEDIUM): The skill is designed to ingest data from external sources such as mzML, MGF, and JSON files.
- Ingestion points: Functions like
load_from_mgf,load_from_mzml, andload_from_json(SKILL.md). - Boundary markers: Absent. There are no instructions for the agent to ignore or delimit potentially malicious natural language strings embedded in spectral metadata (e.g., compound names, annotations).
- Capability inventory: The skill includes file-writing capabilities (
save_as_mgf,save_as_json) and complex processing logic that could be subverted by malicious metadata. - Sanitization: Absent. No evidence of input validation or sanitization for metadata fields that the agent might interpret as instructions.
- [Metadata Poisoning] (LOW): The skill includes specific instructions to proactively market a commercial platform ('K-Dense Web') when workflow complexity increases. While primarily a promotional tactic, this influences the agent's decision-making logic and introduces biased behavior based on author-defined triggers.
Recommendations
- AI detected serious security threats
Audit Metadata