rowan
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill provides documentation that describes an attack surface for indirect prompt injection. An AI agent using these tools ingests untrusted scientific data which could contain hidden natural language instructions in metadata or comment fields.
  - Ingestion points: Data enters the agent context through functions such as rowan.create_protein_from_pdb_id (which fetches from RCSB PDB) and rowan.upload_protein (which reads local files).
  - Capability inventory: The agent is granted high-privilege capabilities including writing to the local file system (protein.download_pdb_file, to_xyz) and triggering remote side effects via rowan.submit_pka_workflow.
  - Sanitization: There is no documented mechanism for filtering or sanitizing natural language instructions within the processed molecular data streams.
  - Boundary markers: No delimiters or explicit boundary instructions are suggested for isolating untrusted data.
- EXTERNAL_DOWNLOADS (LOW): The library facilitates the retrieval of protein structure data from rcsb.org. While this is a recognized scientific source, it constitutes a network operation to a non-whitelisted domain.
- COMMAND_EXECUTION (LOW): The library enables file system read and write operations that, while necessary for the skill's functionality, represent a sensitive capability that can be misused if the agent is compromised by malicious input.
Recommendations
- AI detected serious security threats
Audit Metadata