chempy

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The skill instructs users to install 'chempy' from PyPI. Although PyPI is a standard repository, the package is not from the specified list of trusted organizations. Severity is lowered as this is the primary library for the skill.
  • [COMMAND_EXECUTION] (LOW): The skill utilizes 'pyodesys' for runtime compilation of C++ or Fortran code to solve chemical equations faster. This is a common practice in scientific computing but constitutes dynamic execution.
  • [PROMPT_INJECTION] (LOW): The skill processes chemical reaction strings through 'ReactionSystem.from_string()', creating a surface for indirect prompt injection.
      1. Ingestion points: Chemical reaction and equilibrium strings in 'SKILL.md'.
      2. Boundary markers: None present.
      3. Capability inventory: Runtime code generation and compilation via 'pyodesys'.
      4. Sanitization: None documented beyond standard chemical parsing.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 06:47 PM