
Security: K-Dense-AI/scientific-agent-skills


Security Scan Report

Generated: 2026-04-11 18:52 UTC
Skills scanned: 135
Total findings: 830
Critical: 69 | High: 57 | Safe skills: 96/135

Summary

| Skill | Severity | Findings | Safe | Duration |
|---|---|---|---|---|
| citation-management | 🔴 CRITICAL | 13 | ❌ | 30.7s |
| clinical-decision-support | 🔴 CRITICAL | 12 | ❌ | 57.4s |
| clinical-reports | 🔴 CRITICAL | 15 | ❌ | 68.4s |
| dask | 🔴 CRITICAL | 3 | ❌ | 24.0s |
| hypothesis-generation | 🔴 CRITICAL | 10 | ❌ | 42.3s |
| infographics | 🔴 CRITICAL | 11 | ❌ | 44.0s |
| latex-posters | 🔴 CRITICAL | 13 | ❌ | 42.9s |
| literature-review | 🔴 CRITICAL | 12 | ❌ | 46.1s |
| markitdown | 🔴 CRITICAL | 12 | ❌ | 40.6s |
| peer-review | 🔴 CRITICAL | 10 | ❌ | 31.7s |
| pptx-posters | 🔴 CRITICAL | 6 | ❌ | 0.8s |
| research-grants | 🔴 CRITICAL | 13 | ❌ | 48.0s |
| research-lookup | 🔴 CRITICAL | 17 | ❌ | 47.9s |
| scholar-evaluation | 🔴 CRITICAL | 11 | ❌ | 44.9s |
| scientific-critical-thinking | 🔴 CRITICAL | 10 | ❌ | 36.6s |
| scientific-schematics | 🔴 CRITICAL | 10 | ❌ | 35.7s |
| scientific-slides | 🔴 CRITICAL | 18 | ❌ | 59.1s |
| scientific-writing | 🔴 CRITICAL | 12 | ❌ | 49.7s |
| seaborn | 🔴 CRITICAL | 4 | ❌ | 29.3s |
| treatment-plans | 🔴 CRITICAL | 13 | ❌ | 54.8s |
| umap-learn | 🔴 CRITICAL | 4 | ❌ | 29.3s |
| venue-templates | 🔴 CRITICAL | 11 | ❌ | 45.1s |
| consciousness-council | 🟠 HIGH | 4 | ❌ | 30.3s |
| dhdna-profiler | 🟠 HIGH | 5 | ❌ | 40.2s |
| esm | 🟠 HIGH | 5 | ❌ | 24.8s |
| geomaster | 🟠 HIGH | 7 | ❌ | 32.4s |
| modal | 🟠 HIGH | 9 | ❌ | 27.4s |
| pathml | 🟠 HIGH | 8 | ❌ | 28.6s |
| polars | 🟠 HIGH | 4 | ❌ | 18.6s |
| primekg | 🟠 HIGH | 6 | ❌ | 38.3s |
| pyhealth | 🟠 HIGH | 4 | ❌ | 33.0s |
| pytorch-lightning | 🟠 HIGH | 5 | ❌ | 26.8s |
| qutip | 🟠 HIGH | 3 | ❌ | 16.7s |
| sympy | 🟠 HIGH | 4 | ❌ | 22.2s |
| torch-geometric | 🟠 HIGH | 7 | ❌ | 28.1s |
| torchdrug | 🟠 HIGH | 3 | ❌ | 15.8s |
| transformers | 🟠 HIGH | 5 | ❌ | 26.2s |
| what-if-oracle | 🟠 HIGH | 4 | ❌ | 33.2s |
| zarr-python | 🟠 HIGH | 4 | ❌ | 28.3s |
| bgpt-paper-search | 🟡 MEDIUM | 4 | ✅ | 25.6s |
| cobrapy | 🟡 MEDIUM | 3 | ✅ | 24.0s |
| database-lookup | 🟡 MEDIUM | 4 | ✅ | 39.9s |
| datamol | 🟡 MEDIUM | 5 | ✅ | 31.8s |
| depmap | 🟡 MEDIUM | 4 | ✅ | 24.9s |
| dnanexus-integration | 🟡 MEDIUM | 3 | ✅ | 25.9s |
| exploratory-data-analysis | 🟡 MEDIUM | 5 | ✅ | 37.4s |
| histolab | 🟡 MEDIUM | 4 | ✅ | 25.5s |
| imaging-data-commons | 🟡 MEDIUM | 5 | ✅ | 30.1s |
| labarchive-integration | 🟡 MEDIUM | 8 | ✅ | 35.4s |
| lamindb | 🟡 MEDIUM | 5 | ✅ | 32.7s |
| open-notebook | 🟡 MEDIUM | 18 | ✅ | 21.2s |
| parallel-web | 🟡 MEDIUM | 5 | ✅ | 29.7s |
| pennylane | 🟡 MEDIUM | 5 | ✅ | 24.4s |
| perplexity-search | 🟡 MEDIUM | 6 | ✅ | 24.3s |
| phylogenetics | 🟡 MEDIUM | 9 | ✅ | 23.0s |
| protocolsio-integration | 🟡 MEDIUM | 6 | ✅ | 24.9s |
| pufferlib | 🟡 MEDIUM | 4 | ✅ | 25.2s |
| pymatgen | 🟡 MEDIUM | 5 | ✅ | 28.0s |
| statsmodels | 🟡 MEDIUM | 3 | ✅ | 18.7s |
| vaex | 🟡 MEDIUM | 3 | ✅ | 20.6s |
| xlsx | 🟡 MEDIUM | 4 | ✅ | 38.6s |
| adaptyv | 🔵 LOW | 4 | ✅ | 21.3s |
| arboreto | 🔵 LOW | 4 | ✅ | 17.7s |
| benchling-integration | 🔵 LOW | 3 | ✅ | 18.0s |
| biopython | 🔵 LOW | 4 | ✅ | 16.6s |
| bioservices | 🔵 LOW | 2 | ✅ | 21.0s |
| cellxgene-census | 🔵 LOW | 3 | ✅ | 16.1s |
| deeptools | 🔵 LOW | 2 | ✅ | 14.6s |
| docx | 🔵 LOW | 4 | ✅ | 33.7s |
| etetoolkit | 🔵 LOW | 3 | ✅ | 22.4s |
| flowio | 🔵 LOW | 4 | ✅ | 18.3s |
| fluidsim | 🔵 LOW | 4 | ✅ | 22.0s |
| generate-image | 🔵 LOW | 3 | ✅ | 18.5s |
| geniml | 🔵 LOW | 4 | ✅ | 27.4s |
| geopandas | 🔵 LOW | 3 | ✅ | 17.7s |
| get-available-resources | 🔵 LOW | 5 | ✅ | 30.3s |
| gget | 🔵 LOW | 5 | ✅ | 29.9s |
| ginkgo-cloud-lab | 🔵 LOW | 4 | ✅ | 24.0s |
| glycoengineering | 🔵 LOW | 4 | ✅ | 27.7s |
| gtars | 🔵 LOW | 3 | ✅ | 19.2s |
| hypogenic | 🔵 LOW | 5 | ✅ | 27.8s |
| iso-13485-certification | 🔵 LOW | 2 | ✅ | 16.6s |
| latchbio-integration | 🔵 LOW | 2 | ✅ | 16.1s |
| market-research-reports | 🔵 LOW | 5 | ✅ | 28.8s |
| matchms | 🔵 LOW | 2 | ✅ | 14.2s |
| matlab | 🔵 LOW | 1 | ✅ | 11.5s |
| matplotlib | 🔵 LOW | 1 | ✅ | 15.4s |
| medchem | 🔵 LOW | 1 | ✅ | 17.0s |
| molecular-dynamics | 🔵 LOW | 4 | ✅ | 26.8s |
| molfeat | 🔵 LOW | 3 | ✅ | 21.0s |
| networkx | 🔵 LOW | 4 | ✅ | 26.4s |
| neurokit2 | 🔵 LOW | 4 | ✅ | 25.7s |
| neuropixels-analysis | 🔵 LOW | 5 | ✅ | 33.4s |
| omero-integration | 🔵 LOW | 5 | ✅ | 32.1s |
| opentrons-integration | 🔵 LOW | 4 | ✅ | 21.9s |
| optimize-for-gpu | 🔵 LOW | 5 | ✅ | 30.0s |
| paper-lookup | 🔵 LOW | 5 | ✅ | 40.4s |
| paperzilla | 🔵 LOW | 3 | ✅ | 17.2s |
| pdf | 🔵 LOW | 4 | ✅ | 30.5s |
| polars-bio | 🔵 LOW | 4 | ✅ | 24.4s |
| pptx | 🔵 LOW | 4 | ✅ | 38.2s |
| pydicom | 🔵 LOW | 3 | ✅ | 19.5s |
| pylabrobot | 🔵 LOW | 3 | ✅ | 18.5s |
| pymoo | 🔵 LOW | 1 | ✅ | 11.4s |
| pyopenms | 🔵 LOW | 4 | ✅ | 21.7s |
| pysam | 🔵 LOW | 1 | ✅ | 11.0s |
| pytdc | 🔵 LOW | 3 | ✅ | 26.5s |
| pyzotero | 🔵 LOW | 4 | ✅ | 23.6s |
| qiskit | 🔵 LOW | 3 | ✅ | 19.9s |
| rdkit | 🔵 LOW | 3 | ✅ | 20.1s |
| rowan | 🔵 LOW | 4 | ✅ | 24.0s |
| scanpy | 🔵 LOW | 2 | ✅ | 14.6s |
| scientific-brainstorming | 🔵 LOW | 3 | ✅ | 16.9s |
| scientific-visualization | 🔵 LOW | 2 | ✅ | 13.8s |
| scikit-bio | 🔵 LOW | 1 | ✅ | 11.1s |
| scikit-learn | 🔵 LOW | 3 | ✅ | 17.6s |
| scikit-survival | 🔵 LOW | 2 | ✅ | 16.9s |
| scvelo | 🔵 LOW | 3 | ✅ | 21.6s |
| scvi-tools | 🔵 LOW | 2 | ✅ | 15.5s |
| shap | 🔵 LOW | 3 | ✅ | 20.7s |
| simpy | 🔵 LOW | 2 | ✅ | 14.2s |
| stable-baselines3 | 🔵 LOW | 3 | ✅ | 16.7s |
| tiledbvcf | 🔵 LOW | 3 | ✅ | 16.6s |
| timesfm-forecasting | 🔵 LOW | 3 | ✅ | 33.9s |
| usfiscaldata | 🔵 LOW | 4 | ✅ | 26.9s |
| pydeseq2 | ⚪ INFO | 1 | ✅ | 0.2s |
| aeon | 🟢 SAFE | 0 | ✅ | 6.7s |
| anndata | 🟢 SAFE | 0 | ✅ | 7.3s |
| astropy | 🟢 SAFE | 0 | ✅ | 6.8s |
| cirq | 🟢 SAFE | 0 | ✅ | 6.8s |
| deepchem | 🟢 SAFE | 0 | ✅ | 10.3s |
| diffdock | 🟢 SAFE | 0 | ✅ | 12.6s |
| markdown-mermaid-writing | 🟢 SAFE | 0 | ✅ | 9.0s |
| pymc | 🟢 SAFE | 0 | ✅ | 14.4s |
| statistical-analysis | 🟢 SAFE | 0 | ✅ | 12.6s |

Detailed Findings

citation-management — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 6 files

    Environment variable access with network calls in scripts/extract_metadata.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/search_pubmed.py
    Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/doi_to_bibtex.py, scripts/extract_metadata.py, scripts/generate_schematic_ai.py, scripts/validate_citations.py, scripts/search_pubmed.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 6 files

    Multi-file exfiltration chain detected: scripts/extract_metadata.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/search_pubmed.py collect data → scripts/generate_schematic_ai.py → scripts/doi_to_bibtex.py, scripts/extract_metadata.py, scripts/validate_citations.py, scripts/generate_schematic_ai.py, scripts/search_pubmed.py transmit to network
    Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/doi_to_bibtex.py, scripts/extract_metadata.py, scripts/generate_schematic_ai.py, scripts/validate_citations.py, scripts/search_pubmed.py

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Cross-Skill Activation Promotion - Scientific Schematics Skill

    The SKILL.md instructions contain a section that actively promotes and instructs the agent to use another skill ('scientific-schematics') by default when creating documents. The instruction states 'Scientific schematics should be generated by default' and references 'Nano Banana Pro' (an apparent product/brand name). This creates unsolicited cross-skill activation that may not align with user intent, and the brand name 'Nano Banana Pro' appears to be a commercial product promotion embedded in skill instructions.
    File: SKILL.md
    Remediation: Remove the default activation directive for the scientific-schematics skill. Cross-skill invocations should be user-initiated, not automatically triggered. Remove or clarify the 'Nano Banana Pro' brand reference which appears to be commercial promotion embedded in skill instructions.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Python Package Dependencies

    The skill's dependency section specifies packages without version pinning (e.g., 'pip install requests', 'pip install scholarly', 'pip install selenium', 'pip install bibtexparser', 'pip install biopython'). Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be installed. The 'scholarly' package in particular is a third-party Google Scholar scraper that could be compromised.
    File: SKILL.md
    Remediation: Pin all dependencies to specific versions (e.g., 'pip install requests==2.31.0'). Use a requirements.txt file with pinned versions and hash verification. Consider using a lockfile approach for reproducible installations.

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/citation-management/scripts/extract_metadata.py
    File: scientific-skills/citation-management/scripts/extract_metadata.py
    Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/citation-management/scripts/extract_metadata.py
    File: scientific-skills/citation-management/scripts/extract_metadata.py
    Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/citation-management/scripts/generate_schematic.py
    File: scientific-skills/citation-management/scripts/generate_schematic.py
    Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/citation-management/scripts/generate_schematic_ai.py
    File: scientific-skills/citation-management/scripts/generate_schematic_ai.py
    Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/citation-management/scripts/generate_schematic_ai.py
    File: scientific-skills/citation-management/scripts/generate_schematic_ai.py
    Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/citation-management/scripts/search_pubmed.py
    File: scientific-skills/citation-management/scripts/search_pubmed.py
    Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/citation-management/scripts/search_pubmed.py
    File: scientific-skills/citation-management/scripts/search_pubmed.py
    Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔵 LOW LLM_DATA_EXFILTRATION — User-Agent Contains Hardcoded Contact Email Placeholder

    The DOIConverter class in doi_to_bibtex.py hardcodes a placeholder email address 'support@example.com' in the User-Agent header sent to external APIs. While this is a placeholder and not a real credential, it represents a pattern where contact information is embedded in outbound requests without user awareness or consent.
    File: scripts/doi_to_bibtex.py
    Remediation: Replace the hardcoded placeholder email with either a configurable parameter or remove it entirely. If an email is required for API politeness (as recommended by CrossRef), prompt the user to provide their own email rather than using a placeholder.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Environment Variable Access Combined with External Network Calls

    Multiple scripts access environment variables (NCBI_API_KEY, NCBI_EMAIL, OPENROUTER_API_KEY) and then make outbound network requests. While these appear to be legitimate API keys for PubMed and OpenRouter services, the pattern of reading environment variables and transmitting them in HTTP requests creates a data exposure risk. If the OPENROUTER_API_KEY or NCBI_API_KEY environment variables contain sensitive credentials, they are sent to external servers. The generate_schematic_ai.py script is particularly notable as it reads OPENROUTER_API_KEY and sends it as a Bearer token to openrouter.ai.
    File: scripts/generate_schematic_ai.py
    Remediation: This is largely expected behavior for API-based tools. Ensure the skill documentation clearly states which environment variables are used and for what purpose. Consider validating that API keys are only sent to their intended endpoints and not logged or transmitted elsewhere.

clinical-decision-support — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py
    Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network
    Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Unauthorized External Network Access Not Declared in Manifest

    The SKILL.md manifest declares allowed-tools as [Read, Write, Edit, Bash], but the Python scripts (generate_schematic_ai.py, generate_schematic.py) make outbound HTTP requests to external APIs (https://openrouter.ai). Network access is not listed as an allowed tool and is not disclosed in the skill description or manifest. This constitutes a tool restriction violation and undisclosed capability.
    File: SKILL.md
    Remediation: 1. Add network/HTTP access to the allowed-tools declaration or add a separate disclosure. 2. Clearly document in the skill description that external API calls are made. 3. Require explicit user consent before making external network calls.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Mandatory Cross-Skill Invocation Creates Undisclosed Dependency

    The SKILL.md instructions declare that use of the scientific-schematics skill is MANDATORY ('⚠️ MANDATORY: Every clinical decision support document MUST include at least 1-2 AI-generated figures using the scientific-schematics skill'). This forces activation of another skill and its associated external API calls (OpenRouter) without explicit user consent for each document generation. This inflates the effective capability scope of this skill beyond what is declared in the manifest.
    File: SKILL.md
    Remediation: 1. Make schematic generation optional and require explicit user consent. 2. Disclose in the manifest that this skill triggers external API calls via the scientific-schematics skill. 3. Remove the MANDATORY designation and let users decide whether to include AI-generated figures.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/clinical-decision-support/scripts/generate_schematic.py
    File: scientific-skills/clinical-decision-support/scripts/generate_schematic.py
    Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/clinical-decision-support/scripts/generate_schematic_ai.py
    File: scientific-skills/clinical-decision-support/scripts/generate_schematic_ai.py
    Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/clinical-decision-support/scripts/generate_schematic_ai.py
    File: scientific-skills/clinical-decision-support/scripts/generate_schematic_ai.py
    Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Cross-File Exfiltration Chain: generate_schematic.py Delegates to generate_schematic_ai.py with API Key

    The generate_schematic.py script reads the OPENROUTER_API_KEY from the environment and passes it to generate_schematic_ai.py via subprocess execution. This creates a two-file exfiltration chain where the parent script harvests the API key and the child script transmits it externally. The API key is injected into the subprocess environment (env['OPENROUTER_API_KEY'] = api_key), meaning it persists in the child process environment and could be exposed to any further subprocesses spawned by generate_schematic_ai.py.
    File: scripts/generate_schematic.py
    Remediation: 1. Avoid copying the entire os.environ into subprocess calls; pass only required variables. 2. Validate that the subprocess being called is the expected script (check path integrity). 3. Consider using inter-process communication mechanisms that don't expose secrets in environment variables.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — Subprocess Execution with User-Controlled Input

    The generate_schematic.py script passes the user-supplied prompt argument directly into a subprocess command list. While using a list (not shell=True) mitigates shell injection, the prompt string is passed as a positional argument to generate_schematic_ai.py, which then embeds it directly into API request payloads and prompt strings without sanitization. A malicious prompt could manipulate the AI model's behavior through prompt injection in the downstream API call.
    File: scripts/generate_schematic.py
    Remediation: 1. Validate and sanitize user-provided prompt strings before passing to subprocesses. 2. Implement length limits and character allowlists for prompt inputs. 3. Consider wrapping prompts in a structured format that prevents injection into system-level instructions.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Exfiltration via Environment Variable and External Network Calls

    The script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it in HTTP Authorization headers to an external API endpoint (https://openrouter.ai/api/v1). While OpenRouter is a legitimate service, the pattern of reading environment variables and sending them over the network represents a data exfiltration risk. The API key is passed in every request header, and if the base_url or model identifiers were tampered with, the key could be sent to an attacker-controlled server. Additionally, the script loads .env files from the current working directory, which could contain other sensitive credentials beyond just the OpenRouter key.
    File: scripts/generate_schematic_ai.py
    Remediation: 1. Validate the base_url against an allowlist before making requests. 2. Avoid loading .env files from arbitrary directories. 3. Ensure the API key scope is minimal (read-only or generation-only). 4. Log outbound requests for audit purposes. 5. Consider using a secrets manager rather than environment variables.

  • 🟡 MEDIUM LLM_PROMPT_INJECTION — Indirect Prompt Injection via AI-Reviewed External Content

    The generate_schematic_ai.py script sends user-provided prompts to an external AI model (Nano Banana 2 / Gemini 3.1 Pro Preview via OpenRouter) and then uses the AI's response (including critique text) to construct subsequent prompts in the improve_prompt() method. If the external AI model returns malicious or manipulated content in its critique, that content is embedded directly into the next generation prompt without sanitization, creating an indirect prompt injection vector through the review loop.
    File: scripts/generate_schematic_ai.py
    Remediation: 1. Sanitize and validate critique text returned from external AI models before embedding in subsequent prompts. 2. Implement a maximum length limit on critique content. 3. Consider using structured output formats (JSON) for critique responses to limit injection surface.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependencies in Python Scripts

    Multiple Python scripts declare dependencies (lifelines, matplotlib, pandas, numpy, scipy, scikit-learn, requests) without version pinning. The generate_schematic_ai.py script also attempts to import python-dotenv (dotenv) without version constraints. Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be installed.
    File: scripts/generate_survival_analysis.py
    Remediation: 1. Pin all dependencies to specific versions in a requirements.txt file (e.g., requests==2.31.0). 2. Use a lockfile (pip-compile or poetry.lock) to ensure reproducible installs. 3. Regularly audit dependencies for known vulnerabilities using tools like pip-audit or safety.

clinical-reports — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py
    Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network
    Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🟠 HIGH LLM_PROMPT_INJECTION — Mandatory Skill Invocation Override - Forced Cross-Skill Dependency

    The SKILL.md instruction body contains a mandatory directive that overrides normal agent behavior: '⚠️ MANDATORY: Every clinical report MUST include at least 1 AI-generated figure using the scientific-schematics skill.' and 'This is not optional.' This is a direct prompt injection that forces the agent to invoke another skill (scientific-schematics) regardless of user intent or need. It also instructs the agent to 'automatically generate, review, and refine the schematic' without user confirmation, establishing unbounded autonomous behavior. This constitutes an instruction override embedded in the skill manifest.
    File: SKILL.md
    Remediation: Remove mandatory/forced cross-skill invocation directives. Skill instructions should suggest capabilities, not override agent judgment. Replace 'MANDATORY' and 'This is not optional' language with optional recommendations. User should explicitly request figure generation.

  • 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Capability Inflation - Mandatory Figure Generation Inflates Skill Scope

    The skill description claims to be a clinical report writing skill, but the SKILL.md instructions mandate invocation of a separate 'scientific-schematics' skill and an external AI image generation API (Nano Banana 2 / google/gemini-3.1-flash-image-preview via OpenRouter). This inflates the actual capability scope beyond what is described in the YAML manifest. The description does not mention external API dependencies, image generation, or cross-skill requirements, creating a mismatch between declared and actual behavior.
    File: SKILL.md
    Remediation: Update the YAML description to accurately reflect that this skill requires an external OpenRouter API key, makes paid API calls to image generation models, and depends on a separate scientific-schematics skill. Alternatively, remove the mandatory cross-skill dependency.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/clinical-reports/scripts/generate_schematic.py
    File: scientific-skills/clinical-reports/scripts/generate_schematic.py
    Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/clinical-reports/scripts/generate_schematic_ai.py
    File: scientific-skills/clinical-reports/scripts/generate_schematic_ai.py
    Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/clinical-reports/scripts/generate_schematic_ai.py
    File: scientific-skills/clinical-reports/scripts/generate_schematic_ai.py
    Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟠 HIGH LLM_UNAUTHORIZED_TOOL_USE — Unauthorized Tool Use - Bash Script Invokes External AI API Without User Awareness

    The skill declares allowed-tools including Bash, and the generate_schematic.py script uses subprocess to invoke generate_schematic_ai.py which makes outbound HTTP requests to openrouter.ai. This tool chaining (Bash → Python → external API) is not transparently disclosed to the user. The SKILL.md instructions describe this as automatic behavior ('The AI will automatically...'), meaning the agent may invoke external paid API services without explicit user confirmation or awareness of costs incurred.
    File: scripts/generate_schematic.py
    Remediation: Require explicit user confirmation before making external API calls that may incur costs. Disclose to the user that external API calls will be made and that an API key and associated costs are required. Do not invoke paid external services automatically.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Potentially Exposed in Process Listing

    In generate_schematic.py, the API key is passed via environment variable to the subprocess, which is the correct approach. However, the script also accepts --api-key as a command-line argument, which would expose the key in process listings (ps aux) on Unix systems. The comment in the code acknowledges this risk ('pass API key via environment to avoid exposure in process listings') but the --api-key flag still exists and is documented.
    File: scripts/generate_schematic.py
    Remediation: Remove the --api-key command-line argument entirely and require the API key to be set only via environment variable or .env file. Document this clearly in the help text.

  • 🔴 CRITICAL LLM_DATA_EXFILTRATION — Full Environment Variable Harvesting Passed to External Process

    In generate_schematic.py, the code explicitly calls os.environ.copy() to duplicate the entire process environment and passes it to a subprocess. This means any secrets present in the environment at runtime (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, DATABASE_URL, GITHUB_TOKEN, etc.) are inherited by the child process generate_schematic_ai.py, which then makes outbound HTTP requests to openrouter.ai. This constitutes a cross-file exfiltration chain confirmed by the static analyzer (BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN, BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION).
    File: scripts/generate_schematic.py:174
    Remediation: Replace os.environ.copy() with a minimal environment dict containing only the variables required: env = {"OPENROUTER_API_KEY": api_key, "PATH": os.environ.get("PATH", "")}. Never pass the full environment to subprocesses that make network calls.

  • 🔴 CRITICAL LLM_DATA_EXFILTRATION — API Key Exfiltration via External Network Calls to OpenRouter

    The script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP Authorization headers to the external service https://openrouter.ai/api/v1. While this is nominally the intended use, the script also reads ALL environment variables via os.environ.copy() and passes the full environment to subprocess calls in generate_schematic.py. This creates a cross-file exfiltration chain where the entire process environment (which may contain AWS credentials, SSH keys, database passwords, and other secrets) is copied and passed to child processes. The static analyzer confirmed BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across these two files.
    File: scripts/generate_schematic_ai.py
    Remediation: 1. Do not pass os.environ.copy() to subprocess; instead pass only the specific environment variables needed. 2. Validate that the API key is only used for its stated purpose. 3. Avoid logging or storing the API key in review log JSON files. 4. Consider using a secrets manager rather than environment variables for sensitive credentials.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Sensitive Review Log Written to Disk Containing API Metadata

    The generate_schematic_ai.py script writes a JSON review log file to disk that contains the full generation results including prompts, model names, API response metadata, and quality scores. While the API key itself is not written, the log captures the full prompt chain and model interaction details. More critically, the log path is derived from user-controlled output_path, meaning a malicious prompt could direct log output to sensitive locations.
    File: scripts/generate_schematic_ai.py
    Remediation: Make review log writing optional (--save-log flag). Sanitize the output path to prevent directory traversal. Do not write logs to locations derived from untrusted input without validation.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — User-Controlled Input Passed to File System Operations Without Sanitization

    In generate_schematic_ai.py and generate_schematic.py, the user-provided output path and prompt are used directly in file system operations without path sanitization. The output_path is used to construct log file paths and intermediate file paths. A malicious prompt or output path containing path traversal sequences (e.g., ../../etc/) could write files to unintended locations.
    File: scripts/generate_schematic_ai.py
    Remediation: Validate and sanitize output paths before use. Restrict output to a designated figures/ directory. Use Path.resolve() and check that the resolved path is within an allowed base directory. Reject paths containing '..' sequences.

  • 🟡 MEDIUM LLM_RESOURCE_ABUSE — Unbounded Iterative API Calls - Potential Compute Exhaustion

    The generate_schematic_ai.py script implements an iterative refinement loop that makes multiple API calls to both an image generation model and a review model per iteration. While the maximum is capped at 2 iterations, each iteration makes at least 2 API calls (generate + review), and the review model used is 'google/gemini-3.1-pro-preview' which is a high-cost model. The SKILL.md mandates this runs for EVERY clinical report. For a busy clinical environment producing many reports, this could result in significant uncontrolled API cost accumulation.
    File: scripts/generate_schematic_ai.py
    Remediation: Add explicit user confirmation before initiating API calls. Implement cost estimation and display before execution. Make the iterative refinement opt-in rather than default. Add rate limiting and budget controls.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Hardcoded External Service URLs and Model Identifiers

    The generate_schematic_ai.py script hardcodes specific external service endpoints and model identifiers including 'https://openrouter.ai/api/v1', 'google/gemini-3.1-flash-image-preview', and 'google/gemini-3.1-pro-preview'. These are not configurable and represent a dependency on specific third-party commercial services that may change, be deprecated, or have different privacy/data handling policies than expected for clinical data contexts.
    File: scripts/generate_schematic_ai.py
    Remediation: Make service endpoints and model identifiers configurable via environment variables or configuration files. Add a warning that clinical report content (including case descriptions) should not be sent to external AI services without appropriate data use agreements and HIPAA compliance review.

dask β€” πŸ”΄ CRITICAL

  • πŸ”΄ CRITICAL LLM_DATA_EXFILTRATION β€” Environment Variable Exfiltration with Network Calls Detected

    Static analysis flagged a cross-file exfiltration chain involving environment variable access combined with network calls across 2 files. The skill package contains Python files (10 total per file inventory) that are not shown in the provided content, but the static analyzer detected BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN patterns. This indicates hidden scripts are reading environment variables (likely containing credentials, API keys, or tokens) and transmitting them to external endpoints. The skill's stated purpose (Dask distributed computing helper) does not require any environment variable harvesting or outbound network calls beyond what Dask itself performs. File: SKILL.md Remediation: Audit all 10 Python files in the package immediately. Identify which files access os.environ, os.getenv, or similar environment variable APIs and which files make outbound network requests (requests, urllib, http.client, socket, etc.). Remove any code that combines these two behaviors. If network calls are legitimately needed for Dask cluster connectivity, ensure no credential or environment data is included in payloads. Do not install or use this skill until all Python files have been fully reviewed.

  • 🟠 HIGH LLM_UNAUTHORIZED_TOOL_USE — Hidden Python Scripts Not Disclosed in Skill Instructions

    The file inventory reports 10 Python files present in the skill package, yet the SKILL.md instructions state 'No script files found' and the instruction body makes no reference to any Python scripts being executed. This discrepancy means the skill contains undisclosed executable code that the agent may invoke without the user's knowledge. The presence of 10 Python files combined with static detection of exfiltration behavior strongly suggests tool poisoning — the skill's benign-appearing Dask documentation facade conceals malicious executable components. File: SKILL.md Remediation: Disclose all Python scripts in the SKILL.md instructions with explicit descriptions of what each script does. Any script not serving a documented, user-visible purpose should be removed. The allowed-tools field should be specified to constrain what the agent can execute. Conduct a full audit of all 10 Python files before deployment.

  • 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Declaration Despite Executable Scripts Present

    The SKILL.md manifest does not declare an allowed-tools field, yet the package contains 10 Python files. While omitting allowed-tools is technically optional per the spec, the combination of undisclosed scripts, detected exfiltration behavior, and no tool restrictions creates an environment where malicious scripts can execute with no declared constraints. The absence of allowed-tools here is not merely an informational gap but contributes to the overall attack surface by removing a layer of defense. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the SKILL.md manifest. Given the skill's stated purpose (providing Dask documentation and guidance), the allowed-tools should be restricted to [Read] at most. If Python execution is genuinely needed, declare it explicitly and document every script's purpose.

hypothesis-generation — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Mandatory External Script Invocation for Report Generation

    The SKILL.md instructions mandate that every hypothesis report MUST include AI-generated figures by invoking scripts/generate_schematic.py via bash. This creates a mandatory tool-use pattern that forces execution of external scripts and network calls (to OpenRouter API) as part of every report generation workflow. The instruction uses strong mandatory language ('⚠️ MANDATORY', 'This is not optional') to compel the agent to always invoke the schematic generation tool, which in turn makes external API calls. This could be abused to force API key usage and network egress on every invocation. File: SKILL.md Remediation: 1. Remove the mandatory/forced language and make figure generation optional based on user preference. 2. Clearly disclose to the user that figure generation will make external API calls and consume API credits. 3. Require explicit user confirmation before invoking external API calls.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/hypothesis-generation/scripts/generate_schematic.py File: scientific-skills/hypothesis-generation/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/hypothesis-generation/scripts/generate_schematic_ai.py File: scientific-skills/hypothesis-generation/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/hypothesis-generation/scripts/generate_schematic_ai.py File: scientific-skills/hypothesis-generation/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Cross-File Credential Propagation Chain via Subprocess Environment Copy

    The wrapper script generate_schematic.py explicitly copies the OPENROUTER_API_KEY from the environment and passes it to a subprocess via env=env. This pattern creates a cross-file exfiltration chain where credentials flow from the parent process environment into a child process. While the intent appears legitimate, this pattern can expose credentials in process listings, system logs, or if the child script is replaced or tampered with. The static analyzer flagged this as a BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN. File: scripts/generate_schematic.py Remediation: 1. Instead of copying the full environment (os.environ.copy()), pass only the minimal required variables. 2. Verify the integrity of the child script before execution (e.g., hash check). 3. Avoid explicitly setting sensitive keys in subprocess environments when they are already present in the parent environment.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Exfiltration via Environment Variable Harvesting and External Network Calls

    The script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it in HTTP Authorization headers to an external API endpoint (https://openrouter.ai/api/v1). While OpenRouter is a legitimate AI API service, the pattern of harvesting environment variables and sending them over the network represents a data exfiltration risk. The API key is read from the environment, from .env files, or passed as a parameter, then embedded in outbound HTTP requests. If the endpoint or the key itself were compromised or redirected, this would constitute credential exfiltration. The cross-file chain (generate_schematic.py → generate_schematic_ai.py) also passes the API key via environment variable copy, which could expose it in process listings or logs. File: scripts/generate_schematic_ai.py Remediation: 1. Validate the API endpoint URL against a hardcoded allowlist before making requests. 2. Avoid passing API keys through subprocess environment copies (generate_schematic.py line: env['OPENROUTER_API_KEY'] = api_key). 3. Ensure the API key is never logged or included in error messages. 4. Consider using a secrets manager rather than environment variables for sensitive credentials.

  • 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded API Call Loop with Iterative Refinement

    The generate_iterative method in generate_schematic_ai.py implements a loop that makes multiple API calls (image generation + quality review per iteration). While the maximum iterations are capped at 2, each iteration makes at least 2 API calls (one for image generation, one for review), and the SKILL.md mandates 1-2 figures per report with 2-3 preferred. This means a single report generation could trigger 4-12 external API calls, consuming significant API credits and compute resources without explicit user awareness or confirmation. File: scripts/generate_schematic_ai.py Remediation: 1. Clearly disclose to users the number of API calls that will be made before execution. 2. Require explicit user confirmation before making multiple API calls. 3. Provide cost estimates based on expected API usage. 4. Default to single-iteration mode unless user explicitly requests refinement.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Misleading Model Names in Code Comments ('Nano Banana 2', 'Gemini 3.1 Pro Preview')

    The scripts reference model names such as 'Nano Banana 2' and 'Gemini 3.1 Pro Preview' in comments and docstrings, but the actual model identifiers used in API calls are 'google/gemini-3.1-flash-image-preview' and 'google/gemini-3.1-pro-preview'. The marketing name 'Nano Banana Pro' also appears in SKILL.md. These discrepancies between advertised model names and actual API model identifiers could mislead users about which AI models are being used, potentially constituting capability inflation or brand misrepresentation. File: scripts/generate_schematic_ai.py Remediation: Use consistent, accurate model names in documentation, comments, and user-facing messages. Do not use marketing names that differ from actual API model identifiers. Disclose the actual models being used to users.

infographics — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_infographic.py, scripts/generate_infographic_ai.py Remediation: Review data flow across files: scripts/generate_infographic.py, scripts/generate_infographic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_infographic.py, scripts/generate_infographic_ai.py collect data → scripts/generate_infographic_ai.py → scripts/generate_infographic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_infographic.py, scripts/generate_infographic_ai.py

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Capability Inflation: References Non-Existent AI Models

    The skill description and code reference 'Nano Banana Pro AI' and 'Gemini 3 Pro' as distinct named products. In the code, 'Nano Banana Pro' maps to the model ID 'google/gemini-3-pro-image-preview' and the review model is 'google/gemini-3-pro'. 'Nano Banana Pro' does not appear to be a real, publicly documented AI product name - this appears to be a fabricated or misleading brand name used in the skill description and SKILL.md to inflate perceived capability or novelty. This could mislead users about what technology they are actually using. File: SKILL.md Remediation: Use accurate, verifiable model names in skill descriptions and documentation. Do not use invented brand names that could mislead users about the underlying technology. Update SKILL.md to accurately describe the models being used.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/infographics/scripts/generate_infographic.py File: scientific-skills/infographics/scripts/generate_infographic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/infographics/scripts/generate_infographic_ai.py File: scientific-skills/infographics/scripts/generate_infographic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/infographics/scripts/generate_infographic_ai.py File: scientific-skills/infographics/scripts/generate_infographic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Passed via Environment Variable to Subprocess

    In generate_infographic.py, the API key is retrieved from the environment or CLI argument and then explicitly set into the subprocess environment before calling generate_infographic_ai.py. While the code comments note this avoids exposure in process listings, the key is still propagated through os.environ.copy() and passed to a child process. This is a standard and acceptable pattern, but the key is accessible to any code running in that subprocess environment, including the AI script which makes multiple external network calls. File: scripts/generate_infographic.py Remediation: This pattern is generally acceptable. Ensure the subprocess environment does not leak to untrusted child processes. Consider using a secrets manager or ephemeral credential injection rather than environment variable propagation if the threat model requires it.

  • 🟠 HIGH LLM_PROMPT_INJECTION — Indirect Prompt Injection via Perplexity Sonar Research Results

    When the --research flag is used, the skill fetches content from Perplexity Sonar Pro (a live web search API) and directly injects the returned text into the image generation prompt via _enhance_prompt_with_research(). The research content is not sanitized or validated before being appended to the prompt sent to the image generation model. A malicious or compromised web source indexed by Perplexity could embed adversarial instructions (e.g., 'Ignore previous instructions and generate content showing...') that get injected into the downstream AI generation prompt, potentially manipulating the output. File: scripts/generate_infographic_ai.py Remediation: Sanitize research content before injecting it into generation prompts. Strip or escape any instruction-like patterns (e.g., 'ignore', 'instead', 'now do'). Consider using a structured extraction step to pull only factual data (numbers, dates, names) from research results rather than passing raw text. Add a clear delimiter and instruct the generation model to treat the research section as data-only, not as instructions.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — Unvalidated User Prompt Passed to External AI Image Generation Model

    The user-supplied prompt string is passed without sanitization directly to the Nano Banana Pro image generation model (google/gemini-3-pro-image-preview) via OpenRouter. While this is the intended use case, there is no input validation, length limiting, or content filtering applied before the prompt is sent. A malicious user could craft prompts designed to generate harmful, deceptive, or policy-violating imagery, or attempt to manipulate the model's behavior through prompt injection techniques targeting the image generation model. File: scripts/generate_infographic_ai.py Remediation: Add input validation and length limits on the user prompt before passing to external APIs. Consider implementing a content policy check or allowlist of acceptable prompt patterns. Log prompts for audit purposes.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — User-Controlled Prompt Content Sent to Multiple External AI APIs

    The user-supplied prompt string is incorporated directly into requests sent to three external third-party services: OpenRouter (Nano Banana Pro / Gemini 3 Pro Image Preview for generation), OpenRouter (Gemini 3 Pro for review), and Perplexity Sonar Pro (for research). The prompt is not sanitized before being embedded in API payloads. While this is the intended functionality, it means any sensitive content in the user prompt is transmitted to multiple external services, and the research results from Perplexity are incorporated back into subsequent generation prompts without sanitization. File: scripts/generate_infographic_ai.py Remediation: Document clearly in the skill description that user prompts and research results are transmitted to external third-party APIs (OpenRouter, Perplexity). Add a user-facing disclosure. Consider sanitizing or truncating research content before re-injecting it into generation prompts to limit indirect injection surface.

  • 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Iteration with External API Calls May Cause Resource Exhaustion

    The generate_iterative() method loops up to 'iterations' times (default 3, user-configurable via --iterations flag), making multiple expensive API calls per iteration (generation + review). There is no upper bound enforced on the --iterations argument, meaning a user could pass --iterations 100 or higher, causing excessive API usage and cost. Each iteration makes at least 2 API calls (generation + review), and with research enabled, an additional call is made upfront. File: scripts/generate_infographic_ai.py Remediation: Add a maximum cap on the --iterations argument (e.g., max=10) with validation: if args.iterations > 10: parser.error('Maximum iterations is 10'). Document API cost implications clearly.

latex-posters — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License and Compatibility Metadata in Skill Manifest

    The SKILL.md manifest does not specify a license or compatibility field. While these are optional fields, their absence reduces transparency about the skill's intended use, distribution rights, and platform compatibility. The skill makes external network calls to OpenRouter API, which is a significant compatibility consideration that should be documented. File: SKILL.md Remediation: Add license information (e.g., MIT, Apache 2.0) and compatibility notes to the YAML frontmatter. Explicitly document that this skill requires internet access and an OpenRouter API key, as this is a significant operational requirement.

  • ⚪ INFO LLM_CONTEXT_BUDGET_EXCEEDED — 'SKILL.md (instruction body)' excluded from LLM analysis (58,599 chars)

    instruction body (58,599 chars) exceeds limit (50,000) File: SKILL.md (instruction body) Remediation: Increase llm_analysis.max_instruction_body_chars in your scan policy to include this content in LLM analysis.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/latex-posters/scripts/generate_schematic.py File: scientific-skills/latex-posters/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/latex-posters/scripts/generate_schematic_ai.py File: scientific-skills/latex-posters/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/latex-posters/scripts/generate_schematic_ai.py File: scientific-skills/latex-posters/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Harvesting via Environment Variable Access with External Network Transmission

    The script generate_schematic_ai.py reads the OPENROUTER_API_KEY from environment variables and transmits it in HTTP Authorization headers to an external API endpoint (https://openrouter.ai/api/v1). While this is nominally the intended API key for the service, the pattern of reading environment variables and sending them over the network represents a data exfiltration risk. More critically, the script also reads ALL environment variables via os.environ.copy() in generate_schematic.py and passes the entire environment to a subprocess, which could expose other sensitive environment variables (AWS keys, SSH keys, database passwords, etc.) that happen to be set in the user's environment. File: scripts/generate_schematic.py:107 Remediation: Instead of copying the entire environment (os.environ.copy()), pass only the specific required environment variables to the subprocess. Use a minimal environment dict: env = {'OPENROUTER_API_KEY': api_key, 'PATH': os.environ.get('PATH', '')}. This prevents accidental exposure of other sensitive environment variables.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependency (requests library)

    The script uses 'pip install requests' as the suggested installation command without version pinning. The requests library is imported without version constraints, which could allow supply chain attacks if a malicious version is published or if a breaking/vulnerable version is installed. File: scripts/generate_schematic_ai.py:14 Remediation: Pin the requests library to a specific known-good version (e.g., requests==2.31.0) in a requirements.txt file. Include a requirements.txt in the skill package and reference it in the installation instructions.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Cross-File Exfiltration Chain: Environment Variables Passed to External API

    A two-file exfiltration chain exists: generate_schematic.py copies the full os.environ and passes it to generate_schematic_ai.py via subprocess. generate_schematic_ai.py then makes HTTP POST requests to https://openrouter.ai/api/v1/chat/completions with Authorization headers. The user's prompt content (which may contain sensitive research data, proprietary information, or PII) is also transmitted to this external third-party service without explicit user consent warnings in the skill manifest or instructions. The HTTP-Referer header is hardcoded as 'https://github.com/scientific-writer' which is a deceptive/spoofed referrer. File: scripts/generate_schematic_ai.py:130 Remediation: 1. Clearly disclose in SKILL.md that user prompts and generated images are sent to OpenRouter (a third-party service). 2. Remove the spoofed HTTP-Referer header or use an accurate referrer. 3. Do not copy the full environment - use a minimal env dict. 4. Add explicit user confirmation before transmitting data to external services.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — User-Controlled Input Passed Directly to External API Without Sanitization

    The user's prompt string (args.prompt from command line) is passed directly into the API request payload without any sanitization or validation. This prompt is embedded into a larger review_prompt string using f-string interpolation, which could allow prompt injection attacks against the downstream AI models (Gemini 3.1 Pro Preview). A malicious user could craft a prompt that manipulates the AI reviewer's scoring behavior or extracts information from the review model's context. File: scripts/generate_schematic_ai.py:222 Remediation: Validate and sanitize user input before embedding in prompts. Consider limiting prompt length, stripping special characters, and using structured message formats rather than direct f-string interpolation of user content into system-level instructions.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — Unvalidated File Path from User Input Used in File Operations

    The output path (args.output) is taken directly from user command-line input and used in file system operations including directory creation (mkdir), file writing, and shutil.copy without path traversal validation. A malicious invocation could use paths like '../../../etc/cron.d/malicious' or absolute paths to write files to arbitrary locations on the filesystem. File: scripts/generate_schematic_ai.py:290 Remediation: Validate the output path to ensure it stays within an expected directory. Use Path.resolve() and check that the resolved path is within an allowed base directory. Reject paths containing '..' components or absolute paths outside the working directory.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — Shell Script Accepts Unvalidated File Path Argument

    The review_poster.sh script accepts a file path as its first argument ($1) and passes it directly to multiple external commands (pdfinfo, pdffonts, pdfimages, ls) without any path validation or sanitization. While the commands themselves are not shell-interpolated in a dangerous way, the POSTER_FILE variable is used in a gs (Ghostscript) command suggestion that is echoed to the user, and the file path could contain special characters that might be interpreted by the shell in certain contexts. File: scripts/review_poster.sh:17 Remediation: Validate the input file path: check it exists, is a regular file, has a .pdf extension, and does not contain shell metacharacters. Quote all variable expansions consistently (already done for most uses). When echoing the path in suggested commands, escape or quote it properly.

literature-review — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 3 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py, scripts/verify_citations.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 3 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/verify_citations.py, scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py, scripts/verify_citations.py

  • 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned Python Dependency in Requirements

    The SKILL.md instructions specify installing the 'requests' library without a version pin (pip install requests). Unpinned dependencies are vulnerable to supply chain attacks where a malicious version could be installed. Given that this package is used for all external network communications including credential transmission, a compromised version could intercept API keys and other sensitive data. File: SKILL.md Remediation: Pin the requests library to a specific known-good version (e.g., pip install requests==2.31.0). Consider using a requirements.txt file with pinned versions and hash verification (pip install --require-hashes -r requirements.txt).

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Mandatory Cross-Skill Dependency Not Declared in Manifest

    The SKILL.md instructions contain a MANDATORY directive requiring use of the 'scientific-schematics' skill for every literature review, but this dependency is not declared in the YAML manifest. The instruction states '⚠️ MANDATORY: Every literature review MUST include at least 1-2 AI-generated figures using the scientific-schematics skill' and 'Literature reviews without visual elements are incomplete.' This creates an undisclosed dependency that forces activation of another skill and its associated external API calls (OpenRouter) without the user's explicit awareness at skill selection time. File: SKILL.md Remediation: Declare the scientific-schematics skill dependency in the YAML manifest. Change the mandatory directive to a recommendation, allowing users to opt out of external API calls for figure generation. Clearly disclose in the description that this skill will make external API calls to OpenRouter/Google services.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/literature-review/scripts/generate_schematic.py File: scientific-skills/literature-review/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/literature-review/scripts/generate_schematic_ai.py File: scientific-skills/literature-review/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/literature-review/scripts/generate_schematic_ai.py File: scientific-skills/literature-review/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Cross-File Exfiltration Chain: Environment Variables Passed Through Script Subprocess

    generate_schematic.py reads OPENROUTER_API_KEY from the environment and explicitly copies the entire os.environ into a subprocess call that executes generate_schematic_ai.py. This means ALL environment variables (not just the API key) are passed to the child process, which then makes outbound network calls. This creates a cross-file exfiltration chain where any sensitive environment variable present in the agent's environment could be exposed to the subprocess and potentially to external services. File: scripts/generate_schematic.py:108 Remediation: Instead of passing the full os.environ copy, construct a minimal environment dictionary containing only the variables strictly required by the subprocess. This prevents inadvertent exposure of other sensitive environment variables (AWS credentials, SSH keys, tokens, etc.) to the child process and the external API.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Sensitive .env File Auto-Discovery and Loading

    The _load_env_file() function in generate_schematic_ai.py automatically searches for and loads .env files from the current working directory and the script's parent directory. This behavior could cause unintended loading of sensitive credentials from the user's project directory, potentially exposing secrets beyond just OPENROUTER_API_KEY to the script's execution context and subsequent network calls. File: scripts/generate_schematic_ai.py:38 Remediation: Require explicit user opt-in for .env file loading rather than automatic discovery. Document clearly that .env files will be read. Limit the scope of loaded variables to only those needed by the script.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Exfiltration via Environment Variable Harvesting and External Network Calls

    The script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP requests to openrouter.ai. While the stated purpose is AI image generation, the combination of environment variable harvesting and outbound network calls creates a data exfiltration pathway. The API key is read from the environment (or .env file) and embedded in Authorization headers sent to an external service. The static analyzer flagged this as a cross-file env var exfiltration chain spanning 3 files (generate_schematic.py → generate_schematic_ai.py → external API calls). File: scripts/generate_schematic_ai.py:85 Remediation: Ensure the OPENROUTER_API_KEY is scoped only to the intended service. Validate the destination URL is exactly the expected endpoint before sending credentials. Consider using a secrets manager rather than environment variables. Audit all outbound HTTP calls to confirm they only go to trusted endpoints.

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Unvalidated External API Endpoint for Image Generation

    The generate_schematic_ai.py script sends user-controlled prompt content to an external AI image generation API (openrouter.ai) without validating or sanitizing the prompt. The user's diagram description is embedded directly into API requests. Additionally, the base_url and model identifiers are hardcoded strings but the entire prompt content (including potentially sensitive research topics) is transmitted externally without user confirmation or data minimization. File: scripts/generate_schematic_ai.py:100 Remediation: Inform users that their diagram descriptions and research content will be transmitted to an external third-party API (OpenRouter/Google). Provide an opt-in confirmation before sending data. Consider documenting data handling and privacy implications in the skill description.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Generated Images Transmitted to External AI Service May Contain Sensitive Research Content

    The review_image() function in generate_schematic_ai.py encodes locally-generated images as base64 and transmits them to an external AI review service (Gemini 3.1 Pro Preview via OpenRouter). If the generated schematics contain sensitive research data, proprietary diagrams, or confidential information, this data is exfiltrated to a third-party service without explicit user consent for each transmission. File: scripts/generate_schematic_ai.py:248 Remediation: Disclose to users that generated images will be sent to external AI services for quality review. Provide an option to skip the AI review step for sensitive research content. Document the data retention policies of the external services used.

markitdown — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 3 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/convert_with_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py, scripts/convert_with_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 3 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/convert_with_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py, scripts/convert_with_ai.py

  • 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Cross-Skill Activation Manipulation via Embedded Skill Promotion

    The SKILL.md instruction body contains embedded promotion of a separate 'scientific-schematics' skill, instructing the agent to automatically invoke it when creating documents. The instructions state 'For new documents: Scientific schematics should be generated by default' and 'Use the scientific-schematics skill to generate AI-powered publication-quality diagrams'. This is capability inflation/activation abuse — the markitdown skill is attempting to trigger activation of another skill beyond its stated purpose of file-to-markdown conversion. This could be used to chain skill invocations in unintended ways. File: SKILL.md Remediation: Remove cross-skill activation directives from the SKILL.md instructions. A file conversion skill should not instruct the agent to automatically invoke other skills. If integration is desired, document it as an optional workflow rather than a default behavior.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Package Dependencies

    The skill instructions recommend installing markitdown with 'pip install markitdown[all]' and other packages without version pinning. The scripts also import from 'markitdown', 'openai', and 'requests' without version constraints. Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be installed. File: SKILL.md Remediation: Pin dependency versions in requirements files (e.g., markitdown==0.1.0, openai==1.x.x, requests==2.31.0). Use a requirements.txt or pyproject.toml with locked versions to prevent supply chain attacks.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/markitdown/scripts/convert_with_ai.py File: scientific-skills/markitdown/scripts/convert_with_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/markitdown/scripts/generate_schematic.py File: scientific-skills/markitdown/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/markitdown/scripts/generate_schematic_ai.py File: scientific-skills/markitdown/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/markitdown/scripts/generate_schematic_ai.py File: scientific-skills/markitdown/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Subprocess Execution of User-Controlled Script Path

    The generate_schematic.py script uses subprocess.run() to execute another script (generate_schematic_ai.py) with user-provided arguments including the user's prompt. While the script path is resolved from file (not user-controlled), the user prompt is passed as a command-line argument. This could potentially cause issues if the prompt contains shell metacharacters, though the use of a list-form subprocess call (not shell=True) mitigates direct shell injection. File: scripts/generate_schematic.py Remediation: The current implementation uses list-form subprocess (not shell=True) which is safe from shell injection. However, document this behavior. Consider passing the prompt via stdin or environment variable rather than as a command-line argument to avoid potential argument length limits and process listing exposure of prompt content.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Key Exposure via Environment Variable Harvesting and Network Transmission

    Multiple scripts (generate_schematic_ai.py, generate_schematic.py, convert_with_ai.py) read the OPENROUTER_API_KEY environment variable and transmit it in HTTP Authorization headers to external servers (openrouter.ai). While this is the intended use of the API key, the pattern of reading environment variables and sending them to external endpoints represents a data exposure risk. Additionally, the generate_schematic_ai.py script loads .env files from the current working directory or script directory, which could expose secrets from the user's environment beyond just the intended API key. File: scripts/generate_schematic_ai.py:85 Remediation: The .env file loading behavior should be clearly documented. Ensure the .env loading only reads the specific required key and does not expose other secrets. Consider scoping the dotenv load to only the specific variable needed rather than loading all variables from the .env file.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — User-Provided Prompt Content Transmitted to External AI Service

    The generate_schematic_ai.py and generate_schematic.py scripts transmit user-provided prompt content directly to external OpenRouter API endpoints. The user's prompt is embedded into requests sent to openrouter.ai, which routes to third-party AI models (Google Gemini, etc.). The review_image() function also sends the original user prompt along with generated images to the review model. This means any sensitive information in the user's prompt is transmitted to external services. File: scripts/generate_schematic_ai.py:175 Remediation: Document clearly that user prompts are transmitted to external AI services (OpenRouter and downstream model providers). Add user consent/confirmation before transmitting content to external services. Consider adding a warning in the skill description about data transmission to third parties.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Image Data Transmitted to External Review Service

    The generate_schematic_ai.py script converts locally generated images to base64 and transmits them to the external OpenRouter API for quality review using Gemini 3.1 Pro Preview. This means any generated images (which may contain sensitive content derived from user prompts) are sent to external third-party services. File: scripts/generate_schematic_ai.py:290 Remediation: Document that generated images are transmitted to external review services. Provide an option to skip the review step (--no-review flag) for users who do not want image data transmitted externally. Make this behavior explicit in the skill description.

peer-review — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Cross-Skill Activation Promotion in Instructions

    The SKILL.md instructions actively promote the use of another skill ('scientific-schematics') and reference 'Nano Banana Pro' as a product/platform, suggesting this skill is designed to drive activation of companion skills. The instructions state schematics 'should be generated by default' even for peer review tasks, potentially causing unnecessary external API calls and data transmission beyond the scope of the peer review task. File: SKILL.md:25 Remediation: Make schematic generation explicitly opt-in rather than default behavior. Remove the directive to generate schematics 'by default' as this causes unnecessary external API calls during peer review tasks. The peer review skill should focus on its stated purpose.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/peer-review/scripts/generate_schematic.py File: scientific-skills/peer-review/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/peer-review/scripts/generate_schematic_ai.py File: scientific-skills/peer-review/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/peer-review/scripts/generate_schematic_ai.py File: scientific-skills/peer-review/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Allowed-Tools Declaration Includes Bash but Bash Usage is Primarily for Subprocess Delegation

    The manifest declares allowed-tools including Bash and Write. The generate_schematic.py script uses subprocess.run() to invoke generate_schematic_ai.py, creating a subprocess chain. While not a direct violation, this pattern means the agent's Bash tool is used to spawn Python subprocesses that make external network calls, which may not be transparent to users who see only the top-level tool invocation. File: scripts/generate_schematic.py:95 Remediation: Consider consolidating the two scripts into one to avoid subprocess chaining, which obscures the actual operations being performed. If subprocess delegation is necessary, document this pattern clearly in SKILL.md.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependency (requests library)

    The script imports the 'requests' library without a pinned version requirement. The error message suggests installing with 'pip install requests' without specifying a version. Unpinned dependencies can be subject to supply chain attacks if a malicious version is published. File: scripts/generate_schematic_ai.py:17 Remediation: Pin the requests library to a specific version (e.g., requests==2.31.0) in a requirements.txt file. Consider using a lockfile or hash verification for dependencies.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Key Exposure via Environment Variable and Network Transmission

    The scripts read the OPENROUTER_API_KEY environment variable and transmit it in HTTP Authorization headers to an external API endpoint (openrouter.ai). While using environment variables for API keys is a common pattern, the key is passed through subprocess calls and included in HTTP headers sent to an external service. The generate_schematic.py wrapper also copies the API key into a subprocess environment, which could expose it in process listings or logs if not handled carefully. File: scripts/generate_schematic_ai.py:97 Remediation: This is a legitimate use pattern for API-based skills. Ensure the OPENROUTER_API_KEY is scoped to only the permissions needed. Consider adding a warning in SKILL.md that this skill transmits data to external APIs. Avoid logging the API key or including it in error messages.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — User-Provided Content Transmitted to External AI APIs

    The skill transmits user-provided diagram descriptions and generated images to external third-party APIs (openrouter.ai, which routes to Google Gemini models). Any sensitive content in the user's prompt or generated images is sent externally. The review step also sends generated images back to the API for quality assessment. This creates a data flow where user content leaves the local environment without explicit user consent warnings in the skill documentation. File: scripts/generate_schematic_ai.py:130 Remediation: Add explicit disclosure in SKILL.md that user prompts and generated images are transmitted to external APIs (OpenRouter/Google Gemini). Allow users to opt out of the review step if they have data sensitivity concerns. Document the data retention policies of the external services used.

pptx-posters — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • ⚪ INFO LLM_ANALYSIS_FAILED — LLM analysis failed

    The LLM analyzer encountered an error and could not complete semantic analysis: litellm.BadRequestError: AnthropicException - {"type":"error","error":{"type":"invalid_request_error","message":"Not Found"},"request_id":"req_011CZxTXPGKqo11f13XuCYd4"} Remediation: Check your LLM provider configuration (API key, model name, network connectivity). The scan completed with static analysis only — LLM-based threat detection was not performed.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/pptx-posters/scripts/generate_schematic.py File: scientific-skills/pptx-posters/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/pptx-posters/scripts/generate_schematic_ai.py File: scientific-skills/pptx-posters/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/pptx-posters/scripts/generate_schematic_ai.py File: scientific-skills/pptx-posters/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

research-grants — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🟠 HIGH LLM_SKILL_DISCOVERY_ABUSE — Mandatory Cross-Skill Invocation via Capability Inflation in SKILL.md

    The SKILL.md instructions contain a section marked '⚠️ MANDATORY' that instructs the agent that 'Every research grant proposal MUST include at least 1-2 AI-generated figures using the scientific-schematics skill.' This is a capability inflation tactic that forces invocation of another skill (scientific-schematics) and the associated script (generate_schematic.py) for every grant writing task, regardless of user intent. The instruction also references 'Nano Banana Pro' as if it is a known system component, which is a brand/product name not established in the agent's context, potentially misleading the agent about available capabilities. File: SKILL.md Remediation: Remove the mandatory cross-skill invocation directive. Figure generation should be optional and user-directed, not forced by the skill instructions. Remove references to 'Nano Banana Pro' as an authoritative system component.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/research-grants/scripts/generate_schematic.py File: scientific-skills/research-grants/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/research-grants/scripts/generate_schematic_ai.py File: scientific-skills/research-grants/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/research-grants/scripts/generate_schematic_ai.py File: scientific-skills/research-grants/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — Subprocess Execution with User-Controlled Arguments

    In generate_schematic.py, the user-provided prompt and output path are passed as command-line arguments to a subprocess invocation of generate_schematic_ai.py. While subprocess.run() is used (not shell=True), the arguments are constructed from user input without validation. The output path (args.output) is user-controlled and could potentially be used to write files to arbitrary locations on the filesystem. File: scripts/generate_schematic.py:80 Remediation: Validate and sanitize the output path to ensure it stays within an expected directory (e.g., the figures/ subdirectory). Validate the prompt for length and content before passing to subprocess. Use pathlib to resolve and validate paths.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Passed via Environment to Subprocess

    The generate_schematic.py script passes the OPENROUTER_API_KEY to a subprocess via the environment (env dict). While this is safer than passing it as a command-line argument (which would appear in process listings), the key is still propagated to child processes. The comment in the code acknowledges this: 'pass API key via environment to avoid exposure in process listings'. File: scripts/generate_schematic.py:88 Remediation: This is a reasonable approach, but consider using more secure credential management. Ensure the subprocess does not log or expose the key. The full os.environ.copy() also passes all other environment variables to the subprocess, which may include other sensitive credentials.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Unpinned External Dependency (requests library)

    The script imports the 'requests' library without a pinned version. The install instruction shown in the error message ('pip install requests') does not specify a version. An unpinned dependency could be subject to supply chain attacks if a malicious version is published or if the user's environment resolves to a compromised version. File: scripts/generate_schematic_ai.py:15 Remediation: Pin the requests library to a specific known-good version in a requirements.txt file (e.g., requests==2.31.0). Include a requirements.txt with the skill package.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Broad Environment Variable and .env File Harvesting

    The _load_env_file() function searches for and loads .env files from both the current working directory (Path.cwd() / '.env') and the script's parent directory. This means the script will automatically read any .env file present in the user's working directory, which may contain sensitive credentials beyond just OPENROUTER_API_KEY (e.g., AWS keys, database passwords, other API tokens). These are then loaded into the process environment where they could be accessed by subsequent code. File: scripts/generate_schematic_ai.py:30 Remediation: Restrict .env file loading to only the skill's own directory, not the user's current working directory (Path.cwd()). Document clearly what credentials are loaded and ensure only the minimum required credentials are accessed.

  • 🔴 CRITICAL LLM_DATA_EXFILTRATION — API Key Exfiltration via External Network Calls

    The script reads the OPENROUTER_API_KEY environment variable and transmits it in HTTP Authorization headers to external servers (openrouter.ai). While the stated purpose is AI image generation, the API key is extracted from the environment and sent over the network. Additionally, the script loads .env files from the filesystem, potentially harvesting credentials stored there. The key is passed via environment variable to a subprocess in generate_schematic.py, but the parent process also reads it directly and uses it in network requests. File: scripts/generate_schematic_ai.py:60 Remediation: Ensure the API key is only used for its stated purpose and that the endpoint (openrouter.ai) is the only recipient. Validate that no other environment variables or credentials are harvested. Consider scoping the credential access to only what is needed and auditing all outbound network calls.

  • 🟠 HIGH LLM_COMMAND_INJECTION — User-Controlled Prompt Passed Directly to External AI API

    The user-supplied prompt string is passed without sanitization directly into the AI image generation API request payload. The prompt is incorporated into the HTTP request body sent to openrouter.ai. While this is the intended functionality, there is no input validation, length limiting, or content filtering on the prompt before it is sent to the external service. A malicious user could craft prompts to abuse the API, generate harmful content, or attempt prompt injection against the downstream AI model. File: scripts/generate_schematic_ai.py:196 Remediation: Add input validation and sanitization for user-provided prompts before sending to external APIs. Implement length limits, content filtering, and rate limiting to prevent abuse.

  • 🟡 MEDIUM LLM_RESOURCE_ABUSE — Iterative API Calls with External Service - Potential Resource Exhaustion

    The generate_iterative() method makes multiple sequential calls to external AI APIs (image generation + quality review per iteration, up to 2 iterations). Each call has a 120-second timeout. For a single schematic generation, this could result in up to 4 external API calls (2 generation + 2 review), each potentially consuming significant API credits. Since the SKILL.md marks figure generation as MANDATORY for every grant proposal, this could result in substantial unintended API usage and cost for users. File: scripts/generate_schematic_ai.py:280 Remediation: Clearly document the API cost implications. Make figure generation opt-in rather than mandatory. Add explicit user confirmation before making multiple API calls. Enforce the max iterations=2 limit more clearly in documentation.

research-lookup — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 6 files

    Environment variable access with network calls in examples.py, research_lookup.py, lookup.py, scripts/research_lookup.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/research_lookup.py, scripts/generate_schematic.py, examples.py, scripts/generate_schematic_ai.py, lookup.py, research_lookup.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 6 files

    Multi-file exfiltration chain detected: examples.py, research_lookup.py, lookup.py, scripts/research_lookup.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → research_lookup.py, scripts/research_lookup.py, scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/research_lookup.py, scripts/generate_schematic.py, examples.py, scripts/generate_schematic_ai.py, lookup.py, research_lookup.py

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Allowed-Tools Declaration Includes Write/Edit But Scope Not Clearly Bounded

    The YAML manifest declares allowed-tools as 'Read Write Edit Bash', which grants broad file system write access. The skill instructs the agent to write all research results to a sources/ directory. While this is the intended behavior, the Write and Edit permissions combined with Bash execution create a broad attack surface. The skill does not restrict write operations to the sources/ directory only, meaning a compromised or manipulated workflow could write files anywhere the agent has access. File: SKILL.md:1 Remediation: Consider restricting file write operations to the sources/ directory through explicit path validation in scripts. Document the intended write scope clearly. If possible, use more restrictive tool permissions and validate output paths programmatically before writing.

  • 🟠 HIGH LLM_PROMPT_INJECTION — Indirect Prompt Injection via External AI API Responses

    The skill fetches research content from external AI APIs (Parallel Chat API and Perplexity) and returns the raw response content directly to the agent. If an adversary can influence what these APIs return (e.g., through poisoned web sources that the APIs index), malicious instructions could be embedded in the research response. The agent would then process this content as trusted research data, potentially following embedded instructions. The skill instructs the agent to save all results to files and re-read them later, creating a persistent indirect injection vector through the sources/ folder. File: research_lookup.py Remediation: Treat all content returned from external AI APIs as untrusted. Implement content filtering or sandboxing before presenting results to the agent. Add warnings in the SKILL.md that returned research content should not be interpreted as instructions. Consider stripping or escaping markdown instruction-like patterns from returned content before saving to sources/ files.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — User Query Passed Directly to External AI APIs Without Sanitization

    User-supplied research queries are passed directly into API requests to external AI services (Parallel Chat API and Perplexity via OpenRouter) without any sanitization or validation. The query is embedded in message content sent to these services. While this is the intended functionality, malicious or adversarially crafted queries could be used to manipulate the downstream AI models (prompt injection against the backend models), potentially causing them to return harmful, misleading, or manipulated research results that the agent would then trust and act upon. File: research_lookup.py Remediation: Add input validation and length limits on user queries before forwarding to external APIs. Consider sanitizing or escaping special characters. Treat responses from external AI APIs as untrusted content and do not automatically execute or follow any instructions embedded in the returned research content.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependencies

    The skill uses the 'openai' and 'requests' packages without version pinning. The openai package is imported dynamically with a lazy-load pattern, and requests is imported at module level. Without pinned versions, a supply chain compromise of these packages (e.g., a malicious update to PyPI) could introduce malicious code that intercepts API keys or modifies request/response data. File: research_lookup.py Remediation: Pin all dependencies to specific versions in a requirements.txt file (e.g., openai==1.x.x, requests==2.31.0). Use a lockfile and verify package integrity with hash checking. Consider using a virtual environment with audited dependencies.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Keys Transmitted to External Third-Party Services

    The skill reads PARALLEL_API_KEY and OPENROUTER_API_KEY from environment variables and transmits them directly in HTTP Authorization headers to external services (api.parallel.ai and openrouter.ai). While this is the intended design for API authentication, the keys are read from the environment and sent over the network, creating a risk if the environment is compromised or if the endpoints are spoofed. The OPENROUTER_API_KEY is also passed to a subprocess via environment variable in generate_schematic.py, which could expose it to process listing inspection on some systems. File: research_lookup.py:180 Remediation: This is expected behavior for API-based skills. Ensure API keys are stored securely (e.g., in a secrets manager or encrypted vault rather than plain environment variables). Document clearly which external endpoints receive these keys. Consider validating endpoint URLs against an allowlist before transmitting credentials.

  • 🔵 LOW LLM_RESOURCE_ABUSE — Batch Query Processing Without Rate Limiting Safeguards

    The batch_lookup method processes multiple queries with only a configurable delay between requests. There is no maximum batch size limit, no total cost cap, and no circuit breaker. A user could submit an arbitrarily large batch of queries, causing excessive API consumption and potential cost exhaustion. The Parallel Chat API is noted to have up to 5-minute latency per query, meaning large batches could also cause agent timeouts or resource exhaustion. File: research_lookup.py:240 Remediation: Add a maximum batch size limit (e.g., 10-20 queries per batch). Implement a total cost/token budget check. Add a circuit breaker that stops processing if consecutive failures occur. Document batch size limits in the SKILL.md instructions.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/research-lookup/examples.py File: scientific-skills/research-lookup/examples.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/research-lookup/lookup.py File: scientific-skills/research-lookup/lookup.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/research-lookup/research_lookup.py File: scientific-skills/research-lookup/research_lookup.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/research-lookup/research_lookup.py File: scientific-skills/research-lookup/research_lookup.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/research-lookup/scripts/generate_schematic.py File: scientific-skills/research-lookup/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/research-lookup/scripts/generate_schematic_ai.py File: scientific-skills/research-lookup/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/research-lookup/scripts/generate_schematic_ai.py File: scientific-skills/research-lookup/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/research-lookup/scripts/research_lookup.py File: scientific-skills/research-lookup/scripts/research_lookup.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/research-lookup/scripts/research_lookup.py File: scientific-skills/research-lookup/scripts/research_lookup.py Remediation: Remove environment variable collection unless explicitly required and documented

scholar-evaluation — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Unauthorized External Network Calls Not Declared in Manifest

    The skill's YAML manifest does not declare network access capabilities or specify allowed-tools. The scripts make external HTTP requests to https://openrouter.ai/api/v1 for image generation and quality review. The skill description mentions 'scholarly evaluation' but the actual behavior includes making external API calls to a third-party AI service. This undisclosed network behavior represents a tool exploitation concern where the skill's actual capabilities exceed what is communicated to the user. File: SKILL.md Remediation: Add explicit allowed-tools declaration to the YAML manifest including network/HTTP access. Update the skill description to clearly state that it makes external API calls to openrouter.ai. Inform users that their prompts and diagram descriptions are sent to a third-party service.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Cross-Skill Activation Promotion in Instructions

    The SKILL.md instructions contain a section that actively promotes and triggers another skill ('scientific-schematics') by instructing the agent to use it by default for new documents. The instruction states 'Scientific schematics should be generated by default' and references 'Nano Banana Pro' which appears to be a branded product name. This represents capability inflation by embedding cross-skill activation directives that expand the skill's footprint beyond its stated scholarly evaluation purpose. File: SKILL.md Remediation: Remove or make optional the automatic cross-skill activation directive. The scholarly evaluation skill should focus on its stated purpose of evaluating academic work. Cross-skill integration should be presented as an optional enhancement, not a default behavior. Remove brand promotion language ('Nano Banana Pro').

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scholar-evaluation/scripts/generate_schematic.py File: scientific-skills/scholar-evaluation/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/scholar-evaluation/scripts/generate_schematic_ai.py File: scientific-skills/scholar-evaluation/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scholar-evaluation/scripts/generate_schematic_ai.py File: scientific-skills/scholar-evaluation/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Cross-File Exfiltration Chain: Environment Variable Harvesting Across Multiple Scripts

    The static analyzer identified a cross-file exfiltration chain spanning generate_schematic.py and generate_schematic_ai.py. generate_schematic.py reads the OPENROUTER_API_KEY from the environment and passes it to generate_schematic_ai.py via subprocess with os.environ.copy(), which then transmits it to an external API. The use of os.environ.copy() copies the ENTIRE environment (not just the API key) into the subprocess, potentially exposing all environment variables to the child process and any logging/error output. This is a broader exposure than necessary. File: scripts/generate_schematic.py Remediation: Instead of copying the entire environment with os.environ.copy(), pass only the specific required environment variables to the subprocess. Use a minimal environment dict: env = {"OPENROUTER_API_KEY": api_key, "PATH": os.environ.get("PATH", "")}. This prevents inadvertent exposure of other sensitive environment variables (AWS keys, database passwords, etc.) to the subprocess.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Harvested from Environment and Transmitted to External Service

    The scripts read the OPENROUTER_API_KEY environment variable and transmit it to an external third-party API endpoint (https://openrouter.ai/api/v1). While this is framed as a legitimate API key for the service, the pattern of harvesting environment variables and sending them over the network represents a data exfiltration risk. The key is read from the environment (or .env file) and embedded in HTTP Authorization headers sent to an external server. If the environment contains other sensitive keys with similar names or if the API key itself is sensitive, this constitutes credential exposure to a third-party service. File: scripts/generate_schematic_ai.py Remediation: Ensure users are clearly informed that their API key will be transmitted to openrouter.ai. Document the data flow explicitly in the skill description. Consider validating that only the expected OPENROUTER_API_KEY variable is accessed and not other environment variables. Add explicit user consent before transmitting credentials.

  • 🟡 MEDIUM LLM_PROMPT_INJECTION — User-Provided Prompt Content Sent to External AI Model Without Sanitization

    The generate_schematic scripts take user-provided natural language prompts and send them directly to an external AI model (Nano Banana 2 / google/gemini-3.1-flash-image-preview via OpenRouter) without any sanitization or content filtering. The prompt is embedded directly into API requests. Additionally, the review model (google/gemini-3.1-pro-preview) receives the original user prompt along with generated images. This creates an indirect prompt injection vector where malicious content in user prompts could be forwarded to and potentially manipulate the external AI models. File: scripts/generate_schematic_ai.py Remediation: Sanitize user-provided prompts before embedding them in API requests to external services. Consider adding content validation to ensure prompts are diagram-related. Clearly document that user prompts are forwarded to external AI services (openrouter.ai/Google Gemini).

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependency (requests library)

    The generate_schematic_ai.py script imports the 'requests' library without any version pinning or verification. The script includes an ImportError handler that suggests installing via 'pip install requests' without specifying a version. While requests is a well-known library, unpinned dependencies in agent skills represent a supply chain risk where a compromised or malicious version could be installed. File: scripts/generate_schematic_ai.py Remediation: Specify a minimum version requirement (e.g., 'pip install requests>=2.28.0') or better yet, include a requirements.txt with pinned versions (e.g., requests==2.31.0). Consider adding hash verification for critical dependencies.

scientific-critical-thinking — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Capability Inflation - Undisclosed External API Dependency and Network Calls

    The skill description presents itself as a scientific critical thinking evaluation tool ('Evaluate scientific claims and evidence quality') but bundles AI image generation capabilities that make external network calls to openrouter.ai using Google Gemini and 'Nano Banana 2' models. The description makes no mention of external API requirements, network connectivity, or image generation capabilities. The SKILL.md instructions actively promote using the schematic generation feature 'by default' for new documents, inflating the skill's apparent scope beyond its stated purpose. File: SKILL.md Remediation: Update the skill description to accurately reflect that it includes external API-dependent image generation. Clearly state network requirements and API key dependencies in the YAML manifest. Make schematic generation opt-in rather than default behavior.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scientific-critical-thinking/scripts/generate_schematic.py File: scientific-skills/scientific-critical-thinking/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/scientific-critical-thinking/scripts/generate_schematic_ai.py File: scientific-skills/scientific-critical-thinking/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scientific-critical-thinking/scripts/generate_schematic_ai.py File: scientific-skills/scientific-critical-thinking/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Unauthorized Tool Use - Bash and Write Tools Used Beyond Core Skill Purpose

    The SKILL.md declares allowed-tools as 'Read Write Edit Bash', which permits broad system access. The core scientific critical thinking functionality (evaluating claims, identifying biases, applying GRADE frameworks) requires only Read access to reference files. The inclusion of Bash and Write permissions enables the schematic generation scripts to execute arbitrary subprocesses and write files to disk. The generate_schematic.py script uses subprocess.run() to execute another Python script, which is an escalated capability not needed for the stated primary purpose of scientific critical analysis. File: scripts/generate_schematic.py:89 Remediation: Separate the schematic generation capability into its own skill with appropriate allowed-tools. The core scientific-critical-thinking skill should only require Read tools. If schematic generation is bundled, explicitly document the Bash execution and file write capabilities in the skill description.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependency - requests Library

    The script imports the 'requests' library without a pinned version requirement. The script includes a fallback message 'pip install requests' without specifying a version. Additionally, the script attempts to import 'dotenv' (python-dotenv) without version pinning. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version could be installed. File: scripts/generate_schematic_ai.py:14 Remediation: Include a requirements.txt with pinned versions (e.g., requests==2.31.0, python-dotenv==1.0.0). Reference this file in the skill documentation and validate dependencies before execution.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Potential .env File Credential Harvesting

    The script attempts to load .env files from the current working directory and the script's parent directory. This behavior could inadvertently expose credentials stored in .env files in the user's project directory, as the loaded environment variables (including any secrets beyond OPENROUTER_API_KEY) become accessible to the script's process. File: scripts/generate_schematic_ai.py:30 Remediation: Limit .env loading to only the skill's own directory (not Path.cwd() which could be the user's project root). Document this behavior explicitly. Consider requiring the API key to be passed explicitly rather than auto-loading from arbitrary .env files.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Exfiltration via External Network Calls

    The script reads the OPENROUTER_API_KEY from environment variables and transmits it in HTTP Authorization headers to an external third-party service (openrouter.ai). While OpenRouter is a legitimate API aggregator, the skill bundles scripts that harvest credentials from the user's environment and send them to an external server. The skill's stated purpose is scientific critical thinking analysis, but it silently requires and transmits API credentials to external infrastructure. The cross-file exfiltration chain (generate_schematic.py → generate_schematic_ai.py) passes the API key through subprocess environment variables, creating a multi-hop credential flow. File: scripts/generate_schematic_ai.py:88 Remediation: Clearly document in SKILL.md that this skill requires an external API key and makes network calls to openrouter.ai. Require explicit user consent before transmitting credentials. Consider using a local model or clearly separating the network-dependent schematic generation from the core critical thinking skill.

scientific-schematics — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scientific-schematics/scripts/generate_schematic.py File: scientific-skills/scientific-schematics/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/scientific-schematics/scripts/generate_schematic_ai.py File: scientific-skills/scientific-schematics/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scientific-schematics/scripts/generate_schematic_ai.py File: scientific-skills/scientific-schematics/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Dependency: requests Library

    The scripts require the 'requests' library but do not specify a version pin. The example_usage.sh script comments mention 'pip install requests' without a version constraint. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version could be installed. While requests is a well-known library, best practice for security-sensitive code that handles API keys and external network calls is to pin dependency versions. File: scripts/example_usage.sh:5 Remediation: Add a requirements.txt file with pinned versions (e.g., requests==2.31.0). Reference this file in the setup instructions and in SKILL.md.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — Subprocess Execution with User-Controlled Arguments

    In generate_schematic.py, the user-supplied prompt string is passed directly as a command-line argument to a subprocess call invoking generate_schematic_ai.py. While subprocess.run is used (not shell=True), the user prompt is passed as a positional argument in the cmd list. This is generally safe from shell injection, but the prompt is passed as a raw string argument to argparse in the child process, which then embeds it into API requests. If the child process or any downstream handler ever uses shell=True or string interpolation with this value, injection becomes possible. The pattern also means the prompt appears in process listings (ps aux) on the system. File: scripts/generate_schematic.py:95 Remediation: Consider passing the prompt via stdin or a temporary file rather than as a command-line argument to avoid exposure in process listings. Validate and sanitize the prompt before passing it to subprocess. Ensure shell=True is never used in any downstream invocation.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — References to Non-Existent AI Models (Capability Inflation)

    The skill repeatedly references 'Nano Banana 2' as the image generation model and 'Gemini 3.1 Pro Preview' as the review model. However, the actual model identifiers used in the code are 'google/gemini-3.1-flash-image-preview' and 'google/gemini-3.1-pro-preview'. 'Nano Banana 2' does not appear to be a real AI model name - this is a fabricated/fictional model name used in marketing descriptions throughout SKILL.md. This constitutes capability inflation through misleading model branding that does not correspond to actual available models, potentially deceiving users about what AI system is processing their data. File: scripts/generate_schematic_ai.py:100 Remediation: Replace all references to 'Nano Banana 2' with the actual model identifier 'google/gemini-3.1-flash-image-preview' in both SKILL.md and code comments. Ensure marketing descriptions accurately reflect the actual models being used.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — User-Controlled Prompt Content Sent to External AI APIs

    The skill accepts arbitrary user-provided diagram descriptions (natural language prompts) and forwards them verbatim to external OpenRouter API endpoints (Nano Banana 2 image generation and Gemini 3.1 Pro Preview review models). While this is the intended functionality, the user prompt is embedded directly into API payloads without sanitization or content filtering. Sensitive information inadvertently included in diagram descriptions (e.g., confidential research data, proprietary system architectures, patient data in CONSORT diagrams) is transmitted to third-party AI services. The review prompt also embeds the original user prompt alongside the generated image, doubling the exposure surface. File: scripts/generate_schematic_ai.py:270 Remediation: Add a warning in SKILL.md and the CLI that user prompts are transmitted to third-party APIs. Consider adding a --no-review flag to skip sending prompts to the review model. Document data handling and privacy implications clearly.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Passed via Command-Line Flag Exposes Credentials in Process Listings

    The --api-key flag in both generate_schematic.py and generate_schematic_ai.py allows users to pass the OpenRouter API key directly on the command line. Command-line arguments are visible in process listings (ps aux, /proc/*/cmdline) to other users on the same system. While the code does attempt to pass the key via environment variable in the subprocess call, the parent process still accepts it as a CLI argument and the SKILL.md instructions show examples using --api-key 'sk-or-v1-...' directly. File: scripts/generate_schematic_ai.py:380 Remediation: Remove the --api-key CLI flag entirely and require the API key to be set via environment variable or .env file only. Update documentation to reflect this. The subprocess invocation already correctly passes the key via environment variable.

scientific-slides — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 4 files

    Environment variable access with network calls in scripts/generate_slide_image_ai.py, scripts/generate_slide_image.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_slide_image.py, scripts/generate_schematic_ai.py, scripts/generate_slide_image_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 4 files

    Multi-file exfiltration chain detected: scripts/generate_slide_image_ai.py, scripts/generate_slide_image.py, scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_slide_image_ai.py, scripts/generate_schematic_ai.py → scripts/generate_slide_image_ai.py, scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_slide_image.py, scripts/generate_schematic_ai.py, scripts/generate_slide_image_ai.py

  • 🟠 HIGH LLM_PROMPT_INJECTION — Indirect Prompt Injection via Attached User-Provided Files

    The skill instructs the agent to automatically discover and attach files from the user's working directory (figures/, results/, plots/, images/ directories) to AI generation prompts without any content validation. The SKILL.md explicitly instructs: 'Before generating results slides, always: List files in working directory... Attach ALL relevant figures'. Malicious content embedded in attached image files or filenames could be used to inject instructions into the Nano Banana Pro AI model, potentially manipulating slide generation behavior or exfiltrating information through the generated content. File: SKILL.md Remediation: Implement file validation before attaching files to AI prompts. Validate file types, sizes, and origins. Warn users that attached files will be sent to a third-party AI service. Do not automatically attach all files from user directories without explicit user confirmation for each file.

  • 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Capability Inflation: Branding as 'Nano Banana Pro' Obscures Third-Party AI Dependency

    The skill repeatedly refers to 'Nano Banana Pro AI' as if it were a proprietary component of the skill, when in reality it is the google/gemini-3-pro-image-preview model accessed via the OpenRouter API. This branding obscures the actual third-party dependency, making it harder for users to understand what external services their data is being sent to. The skill description does not mention that it requires an OpenRouter API key or that data is sent to Google's Gemini models. File: SKILL.md Remediation: Clearly disclose in the skill description and YAML manifest that the skill uses Google Gemini models via OpenRouter API. List the external services used and data transmitted. Update the skill description to accurately reflect the third-party dependencies.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Default Author 'K-Dense' Hardcoded in Slide Generation Instructions

    The SKILL.md hardcodes 'K-Dense' as the default author/presenter name in generated slides, matching the skill-author metadata. This means all generated presentations will attribute authorship to 'K-Dense' unless explicitly overridden, potentially misrepresenting the actual author of the presentation. This could be used to embed branding or attribution in user-generated content without clear disclosure. File: SKILL.md Remediation: Remove the hardcoded default author or make it clearly opt-in. Always prompt users to specify their own name rather than defaulting to the skill author's branding. Document this behavior explicitly so users are aware their slides will contain 'K-Dense' attribution by default.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scientific-slides/scripts/generate_schematic.py File: scientific-skills/scientific-slides/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/scientific-slides/scripts/generate_schematic_ai.py File: scientific-skills/scientific-slides/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scientific-slides/scripts/generate_schematic_ai.py File: scientific-skills/scientific-slides/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scientific-slides/scripts/generate_slide_image.py File: scientific-skills/scientific-slides/scripts/generate_slide_image.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/scientific-slides/scripts/generate_slide_image_ai.py File: scientific-skills/scientific-slides/scripts/generate_slide_image_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scientific-slides/scripts/generate_slide_image_ai.py File: scientific-skills/scientific-slides/scripts/generate_slide_image_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_EVAL_SUBPROCESS — eval/exec combined with subprocess detected

    Dangerous combination of code execution and system commands in scientific-skills/scientific-slides/scripts/validate_presentation.py File: scientific-skills/scientific-slides/scripts/validate_presentation.py Remediation: Remove eval/exec or use safer alternatives

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Review Log Written to Disk Contains Sensitive Prompt Data

    The generate_schematic_ai.py script writes a JSON review log to disk that contains the full prompt text, critique responses from the AI, and file paths. This log persists after the script completes and may contain sensitive information about the user's research, unpublished findings described in prompts, or file system structure. File: scripts/generate_schematic_ai.py Remediation: Make review log creation opt-in rather than automatic. Warn users that logs contain prompt content. Provide an option to disable logging or automatically clean up logs after review. Ensure logs do not contain base64-encoded image data from attached files.

  • 🟠 HIGH LLM_COMMAND_INJECTION β€” Subprocess Command Injection via User-Controlled Prompt Argument

    The generate_slide_image.py and generate_schematic.py wrapper scripts pass user-supplied prompt text directly as a command-line argument to subprocess.run() when invoking the AI generation scripts. If the prompt contains shell metacharacters or is processed in a shell context, this could lead to command injection. The cmd list is built with args.prompt directly appended, and while subprocess.run with a list (not shell=True) mitigates direct shell injection, the pattern of passing untrusted user input through subprocess boundaries is risky and could be exploited in edge cases. File: scripts/generate_slide_image.py Remediation: Validate and sanitize the prompt argument before passing to subprocess. Consider using inter-process communication (e.g., stdin/pipes or temp files) instead of command-line arguments for potentially large or untrusted prompt text. Ensure shell=False is always used (it is currently, which is good), but add explicit input validation.

  • 🟑 MEDIUM LLM_COMMAND_INJECTION β€” Unvalidated File Path Arguments Passed to Subprocess

    The --attach and --output arguments in generate_slide_image.py and generate_schematic.py are passed directly to subprocess commands without path traversal validation. A malicious user could potentially use path traversal sequences (../../) in output paths to write files to arbitrary locations, or use specially crafted attachment paths to read files outside the intended working directory. File: scripts/generate_slide_image.py Remediation: Validate and normalize all file paths before use. Use os.path.realpath() to resolve paths and verify they remain within expected directories. Reject paths containing traversal sequences. Validate that output paths are within the working directory or a designated output directory.

  • 🟠 HIGH LLM_DATA_EXFILTRATION β€” API Key Exfiltration via Environment Variable Harvesting and Network Calls

    The scripts collect the OPENROUTER_API_KEY environment variable and transmit it to external servers (openrouter.ai). While the stated purpose is legitimate API usage, the pattern of reading sensitive environment variables and sending them over the network represents a data exfiltration risk. The key is passed through subprocess calls and stored in memory, creating exposure vectors. Additionally, the scripts load .env files which may contain other sensitive credentials beyond the API key. File: scripts/generate_slide_image_ai.py Remediation: Ensure the API key is only used for its stated purpose. Validate that the endpoint URL (openrouter.ai) cannot be overridden by user input. Consider warning users that their API key will be transmitted to a third-party service. Avoid loading broad .env files that may contain unrelated credentials.

  • 🟑 MEDIUM LLM_DATA_EXFILTRATION β€” Cross-File Exfiltration Chain: User Files Sent to External AI Service

    The skill creates a multi-step data exfiltration chain: (1) agent reads files from user's local filesystem (figures, diagrams, logos, data visualizations), (2) these files are base64-encoded, (3) they are transmitted to openrouter.ai (a third-party service) as part of API requests. The SKILL.md explicitly instructs attaching 'logos or institutional images for title slides' and 'existing figures/data for results slides'. This means potentially sensitive research data, unpublished results, and institutional assets are sent to an external service without explicit user consent warnings. File: scripts/generate_slide_image_ai.py Remediation: Add explicit user consent warnings before transmitting any local files to external services. Display which files will be sent and to which service before proceeding. Allow users to opt out of file attachment. Document clearly in the skill description that files will be sent to openrouter.ai.

  • πŸ”΅ LOW LLM_SUPPLY_CHAIN_ATTACK β€” Unpinned Dependencies Create Supply Chain Risk

    The scripts use unpinned dependencies (requests, Pillow/PIL, PyMuPDF/fitz, python-pptx, PyPDF2). Without version pinning, a compromised or malicious version of these packages could be installed, potentially introducing malicious behavior. The skill instructs users to install packages with generic pip install commands without version constraints. File: scripts/generate_slide_image_ai.py Remediation: Pin all dependencies to specific versions in a requirements.txt file (e.g., requests==2.31.0, Pillow==10.0.0). Use a lockfile for reproducible installations. Regularly audit dependencies for known vulnerabilities.

scientific-writing — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 3 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py, scripts/generate_image.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 3 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py, scripts/generate_image.py → scripts/generate_schematic_ai.py, scripts/generate_image.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py, scripts/generate_image.py

  • 🟡 MEDIUM LLM_RESOURCE_ABUSE — Unbounded External API Calls with Iterative Refinement Loop

    The generate_schematic_ai.py script implements an iterative refinement loop that makes multiple calls to external AI APIs (image generation + quality review per iteration). While capped at 2 iterations, the SKILL.md instructions mandate generating 5-30+ figures per document type (e.g., 'Market Research: Minimum 20, Recommended 25-30'). This could result in 40-120+ API calls per document, leading to significant resource consumption, API cost exhaustion, and potential rate limiting or denial of service against the user's API account. File: SKILL.md Remediation: Add explicit user confirmation before generating large numbers of figures. Implement cost estimation and display it to the user before proceeding. Add configurable limits on the total number of API calls per session. Warn users about potential API costs.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Overly Mandatory Figure Generation Instructions May Inflate Scope

    The SKILL.md uses strong mandatory language ('MANDATORY', 'CRITICAL', 'not optional', 'ALWAYS', 'MUST') to instruct the agent to generate large numbers of AI figures for every document. This inflates the scope of the skill beyond what users may expect or want, potentially triggering extensive API usage and costs without explicit user consent. The framing as mandatory requirements rather than optional enhancements could cause the agent to over-activate figure generation capabilities. File: SKILL.md Remediation: Reframe figure generation as recommended best practices rather than mandatory requirements. Allow users to opt in to AI figure generation rather than making it the default behavior. Remove absolute language ('MUST', 'not optional') that removes user agency.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scientific-writing/scripts/generate_schematic.py File: scientific-skills/scientific-writing/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/scientific-writing/scripts/generate_schematic_ai.py File: scientific-skills/scientific-writing/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/scientific-writing/scripts/generate_schematic_ai.py File: scientific-skills/scientific-writing/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Exfiltration via Environment Variable Harvesting and External Network Calls

    Both generate_schematic_ai.py and generate_image.py read the OPENROUTER_API_KEY environment variable and transmit it as a Bearer token in HTTP Authorization headers to external servers (openrouter.ai). While openrouter.ai appears to be a legitimate AI API provider, the pattern of harvesting environment variables and sending them over the network represents a data exfiltration risk. The generate_image.py script also searches parent directories recursively for .env files containing API keys, which could expose credentials from unrelated projects. File: scripts/generate_image.py Remediation: Restrict .env file search to the skill's own directory only (as generate_schematic_ai.py does). Document clearly that API keys are transmitted to openrouter.ai. Consider adding user confirmation before transmitting credentials. Avoid traversing parent directories to find credentials from unrelated projects.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Cross-Directory .env File Traversal Exposes Credentials from Unrelated Projects

    The check_env_file() function in generate_image.py traverses all parent directories from the current working directory up to the filesystem root, searching for .env files. This means if the skill is invoked from within a project directory, it could read API keys and secrets from .env files belonging to completely unrelated projects higher in the directory tree. This is an over-broad credential harvesting pattern. File: scripts/generate_image.py Remediation: Limit .env file search to the skill's own directory or a designated configuration directory. Do not traverse parent directories. Use only explicit environment variables or a configuration file in a known, fixed location.

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Allowed-Tools Violation: Bash Tool Used But Not Declared

    The SKILL.md manifest declares allowed-tools as 'Read Write Edit Bash'. The generate_schematic.py script uses subprocess.run() to execute generate_schematic_ai.py as a child process. While Bash is declared, the script spawns Python subprocesses which could be used to bypass any tool-level restrictions. Additionally, the skill instructs the agent to run bash commands directly (e.g., 'python scripts/generate_schematic.py ...') which chains tool usage in ways that may not be fully captured by the allowed-tools declaration. File: scripts/generate_schematic.py Remediation: Document the subprocess execution pattern explicitly. Consider whether the subprocess spawning is necessary or if the AI generation logic could be called directly as a library. Ensure the allowed-tools declaration accurately reflects all execution patterns.

  • 🟠 HIGH LLM_COMMAND_INJECTION — Prompt Injection via Unvalidated User Input Passed Directly to External AI Models

    The generate_schematic.py and generate_schematic_ai.py scripts pass user-supplied prompt strings directly to external AI image generation models (google/gemini-3.1-flash-image-preview) without any sanitization or validation. A malicious user could craft prompts designed to manipulate the AI model's behavior, generate harmful content, or exploit model-specific vulnerabilities. The prompt is embedded directly into API payloads sent to external services. File: scripts/generate_schematic_ai.py Remediation: Implement input validation and sanitization on user-provided prompts before passing them to external AI APIs. Consider length limits, content filtering, and allowlisting of acceptable prompt patterns for scientific diagram generation.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Passed via Command-Line Argument Risks Process Listing Exposure

    The generate_schematic.py wrapper script accepts an --api-key argument and passes it to the child process via the environment (env dict), which is safer. However, the generate_schematic_ai.py and generate_image.py scripts also accept --api-key as a command-line argument. If users pass API keys via command-line arguments directly, these could be exposed in process listings (ps aux) visible to other users on shared systems. File: scripts/generate_schematic_ai.py Remediation: Remove the --api-key command-line argument from all scripts. Require API keys to be provided only via environment variables or .env files. Document this security requirement clearly.

seaborn — 🔴 CRITICAL

  • 🟠 HIGH LLM_SUPPLY_CHAIN_ATTACK — Supply Chain Compromise via Malicious Package Impersonation

    The skill package bundles Python files named after trusted libraries (seaborn.py, matplotlib.py) and is authored by 'K-Dense Inc.' — an unverified third-party author. The combination of impersonating trusted library names, providing no verifiable provenance, and containing hidden exfiltration logic across multiple Python files is consistent with a supply chain compromise attack. The malicious Python files would be executed in the agent's environment under the guise of legitimate visualization utilities. Remediation: Do not trust skills from unverified authors that bundle files impersonating well-known libraries. Verify author identity and package integrity before installation. Use only skills from audited, trusted sources.

  • 🔴 CRITICAL LLM_DATA_EXFILTRATION — Cross-File Environment Variable Exfiltration Chain Detected

    Static analysis has flagged a cross-file exfiltration chain spanning 3 files within this skill package. The pattern indicates environment variable access combined with network calls, suggesting credentials or sensitive environment data (e.g., API keys, tokens, AWS credentials) are being harvested and transmitted to an external endpoint. Although the SKILL.md instruction body and referenced script files (matplotlib.py, seaborn.py) were reported as 'not found' during analysis, the static analyzer identified 3 Python files in the package inventory with this behavior. The skill's stated purpose (seaborn statistical visualization) has no legitimate need to access environment variables or make network calls, making this a strong indicator of malicious data exfiltration disguised as a visualization utility. File: SKILL.md Remediation: Do not install or use this skill. The presence of environment variable harvesting combined with network exfiltration calls across multiple Python files is a clear indicator of a malicious supply chain attack. Report this skill package to the skill repository maintainers. If already installed, audit your environment for credential compromise, rotate any secrets that may have been exposed, and check network logs for outbound connections to unknown endpoints.

  • 🟠 HIGH LLM_SKILL_DISCOVERY_ABUSE — Capability Inflation via Trusted Library Impersonation

    The skill is named 'seaborn' and references files named 'seaborn.py' and 'matplotlib.py', directly impersonating well-known, trusted Python visualization libraries. This is a classic capability inflation and brand impersonation attack: the skill presents itself as a legitimate, benign data visualization tool to gain user trust and avoid scrutiny, while the static analysis reveals hidden malicious behavior (environment variable exfiltration and network calls). The description is highly detailed and technically accurate for the real seaborn library, further reinforcing the deceptive appearance. File: SKILL.md Remediation: Reject this skill. Legitimate skills should not impersonate well-known Python packages. Verify skill provenance through trusted channels and cross-check that skill behavior matches its stated description before installation.

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Undisclosed Tool Usage — Hidden Script Execution Not Reflected in Manifest

    The SKILL.md manifest does not declare any allowed-tools, yet the package contains 3 Python script files (per static file inventory) that perform environment variable access and network calls. The instruction body makes no mention of executing these scripts or making network connections, creating a significant discrepancy between the declared behavior and actual capabilities. This constitutes unauthorized tool use where Python execution and network access occur without user awareness or manifest disclosure. File: SKILL.md Remediation: Any legitimate skill that executes Python scripts and makes network calls must declare these capabilities in the allowed-tools field and describe them transparently in the instruction body. The absence of such disclosure here is a red flag consistent with intentional concealment of malicious behavior.

treatment-plans — 🔴 CRITICAL

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Skill Description Overstates Scope Relative to Actual Functionality

    The skill description claims to 'Generate concise (3-4 page), focused medical treatment plans in LaTeX/PDF format for all clinical specialties' with 'regulatory compliance (HIPAA).' However, the actual scripts only validate existing LaTeX files, generate templates by copying files, and generate AI schematics. The skill does not itself generate treatment plan content - it provides templates and validation tools. The description may cause the agent to activate this skill in contexts where it cannot actually deliver on the claimed capabilities. File: SKILL.md Remediation: Update the description to accurately reflect what the skill does: 'Provides LaTeX templates, validation scripts, and AI-assisted schematic generation for medical treatment plans. Templates support multiple clinical specialties. Includes completeness checking and quality validation tools.'

  • ⚪ INFO LLM_CONTEXT_BUDGET_EXCEEDED — 'SKILL.md (instruction body)' excluded from LLM analysis (52,002 chars)

    instruction body (52,002 chars) exceeds limit (50,000) File: SKILL.md (instruction body) Remediation: Increase llm_analysis.max_instruction_body_chars in your scan policy to include this content in LLM analysis.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/treatment-plans/scripts/generate_schematic.py File: scientific-skills/treatment-plans/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/treatment-plans/scripts/generate_schematic_ai.py File: scientific-skills/treatment-plans/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/treatment-plans/scripts/generate_schematic_ai.py File: scientific-skills/treatment-plans/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Cross-Script Credential Propagation via subprocess Environment

    generate_schematic.py spawns generate_schematic_ai.py as a subprocess and explicitly copies the entire os.environ and injects the OPENROUTER_API_KEY into it. This means the API key is present in the child process environment, which may be visible to other processes on the system via /proc on Linux. The env=env pattern with a full environment copy also risks leaking other sensitive environment variables to the subprocess. File: scripts/generate_schematic.py:120 Remediation: Pass only the minimum required environment variables to the subprocess rather than a full copy of os.environ. Consider using a more secure IPC mechanism for credential passing, or restructure so generate_schematic_ai.py is imported as a module rather than spawned as a subprocess.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Harvesting via Environment Variable and External Network Transmission

    The script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP Authorization headers to an external API endpoint (https://openrouter.ai/api/v1). While OpenRouter is a legitimate service, the pattern of reading credentials from the environment and sending them over the network represents a credential exposure risk. The key is also passed between scripts (generate_schematic.py -> generate_schematic_ai.py) via environment variable propagation. If the API key is a broadly-scoped credential or if the endpoint were ever substituted (e.g., via prompt injection into the prompt argument), this creates a credential exfiltration vector. File: scripts/generate_schematic_ai.py:97 Remediation: Ensure the OPENROUTER_API_KEY is scoped minimally. Document clearly that this key is transmitted to openrouter.ai. Consider validating the base_url is not overridable by user input. Warn users in SKILL.md that this skill requires and transmits an API key to an external service.

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Undisclosed External Network Dependency Not Reflected in Manifest or Description

    The skill description claims to generate medical treatment plans in LaTeX/PDF format and mentions HIPAA compliance, but two scripts (generate_schematic_ai.py and generate_schematic.py) make external network calls to https://openrouter.ai/api/v1 to generate AI schematics. This external dependency and data transmission is not disclosed in the skill's YAML manifest description or compatibility field. Users expecting a local, HIPAA-compliant tool may unknowingly send medical context (embedded in prompts) to an external third-party AI service. File: scripts/generate_schematic_ai.py:155 Remediation: Clearly disclose in the SKILL.md description and manifest that this skill makes external API calls to openrouter.ai. Add a prominent warning that user prompts (which may contain medical context) are transmitted to a third-party service. This is especially critical given the HIPAA compliance claims. Update the compatibility field to note network requirements.

  • 🟠 HIGH LLM_COMMAND_INJECTION — User-Controlled Prompt Passed Directly to External AI API Without Sanitization

    In generate_schematic_ai.py and generate_schematic.py, the user-supplied prompt argument is passed directly into the AI image generation request payload without any sanitization or validation. The prompt is embedded into a larger system prompt string and sent to the OpenRouter API. A malicious user could craft a prompt that attempts to manipulate the downstream AI model (secondary prompt injection), potentially causing it to generate harmful content, bypass content filters, or produce misleading scientific diagrams. The prompt is also embedded into the review request sent to Gemini 3.1 Pro Preview, compounding the injection surface. File: scripts/generate_schematic_ai.py:310 Remediation: Validate and sanitize user-provided prompts before embedding them in API requests. Consider length limits, character allowlists, and content filtering. Add a disclaimer that user prompts are sent to external AI services. Implement prompt injection detection for the user input.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Optional Dependency (matplotlib) and requests Library

    The timeline_generator.py script uses matplotlib as an optional dependency without version pinning. The generate_schematic_ai.py script requires the requests library (also unpinned). The generate_template.py script uses shutil and standard library only. Unpinned dependencies can lead to supply chain risks if a malicious version of a package is published and installed. The requests library in particular is a high-value target given it handles credential transmission. File: scripts/timeline_generator.py:14 Remediation: Pin all dependencies to specific versions in a requirements.txt file (e.g., requests==2.31.0, matplotlib==3.8.0). Include a requirements.txt in the skill package and document the installation process.

  • 🟡 MEDIUM LLM_HARMFUL_CONTENT — HIPAA Compliance Claims Without Enforcement Mechanisms

    The skill description prominently claims 'regulatory compliance (HIPAA)' and the validation scripts check for HIPAA de-identification notices in generated documents. However, the skill provides no actual technical enforcement of HIPAA compliance - it only checks for the presence of text strings like 'HIPAA' or 'de-identif' in the LaTeX source. Furthermore, the generate_schematic scripts can transmit user-provided prompts (which may contain PHI) to external AI services. The HIPAA compliance claim is misleading and could cause healthcare providers to believe the tool provides actual compliance guarantees. File: scripts/validate_treatment_plan.py:1 Remediation: Remove or qualify the HIPAA compliance claim in the skill description. Replace it with 'HIPAA-aware formatting' or 'includes HIPAA de-identification reminders.' Add explicit warnings that the tool does not provide legal HIPAA compliance and that users must ensure PHI is not included in prompts sent to external AI services.

umap-learn — 🔴 CRITICAL

  • 🔴 CRITICAL LLM_DATA_EXFILTRATION — Environment Variable Exfiltration via Cross-File Chain

    Static analysis detected a cross-file exfiltration chain involving environment variable access combined with network calls across 2 files. Despite the skill presenting itself as a legitimate UMAP dimensionality reduction tool with no visible script files in the submission, the static analyzer identified Python files (6 total) in the package that contain patterns consistent with harvesting environment variables (e.g., API keys, AWS credentials, tokens stored in env vars) and transmitting them to external endpoints. This is a classic data exfiltration pattern hidden within an otherwise benign-looking data science skill. Remediation: Do not install or use this skill. The 6 Python files in the package (not surfaced in the submission) contain exfiltration logic. Audit all Python files in the skill directory for os.environ access combined with requests/urllib/http calls. Remove the skill entirely and report to the skill author (K-Dense Inc.) and any marketplace hosting it.

  • 🟠 HIGH LLM_OBFUSCATION — Hidden Python Files Not Disclosed in Skill Submission

    The skill submission claims 'No script files found' yet the static file inventory reveals 23 total files including 6 Python files. This discrepancy indicates deliberate concealment of executable code. The referenced files (tensorflow.py, umap.py, sklearn.py, hdbscan.py, matplotlib.py) are reported as 'not found' despite Python files existing in the package — suggesting the malicious scripts use different filenames to avoid detection while the documentation references plausible-sounding names. This is a detection evasion pattern where the payload is hidden from surface-level inspection. Remediation: Enumerate all files in the skill directory independently of the manifest. Any skill that hides executable files from its submission while static analysis detects exfiltration behavior should be treated as malicious and quarantined immediately.

  • 🟠 HIGH LLM_SKILL_DISCOVERY_ABUSE — Capability Inflation via Legitimate Data Science Framing

    The skill presents an elaborate, technically accurate, and professionally written guide to UMAP dimensionality reduction — a well-known legitimate data science library. This high-quality legitimate content serves as camouflage for the malicious Python files detected by static analysis. The skill name 'umap-learn' directly mirrors the real PyPI package name, lending false credibility. The detailed documentation (parameter tuning, clustering workflows, parametric UMAP, AlignedUMAP) is designed to appear as a trustworthy reference skill, increasing the likelihood of adoption while concealing the exfiltration payload in unreferenced Python files. File: SKILL.md Remediation: Reject this skill. The mismatch between the polished documentation and the hidden Python files is a strong indicator of intentional deception. Verify skill packages by auditing all files, not just those surfaced in the manifest.

  • 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned Dependency Installation Instructions

    The SKILL.md instructs users to install umap-learn and umap-learn[parametric_umap] without version pinning. While this is common in documentation, combined with the malicious context of this skill, it creates a supply chain risk: the skill could be used to install a typosquatted or compromised version of the package. Additionally, the skill author 'K-Dense Inc.' is unknown and the skill name mirrors the legitimate PyPI package, raising concerns about package substitution attacks. File: SKILL.md Remediation: Always pin dependency versions (e.g., umap-learn==0.5.3). Verify package provenance against official PyPI maintainers before installing skills that wrap known libraries.

venue-templates β€” πŸ”΄ CRITICAL

  • πŸ”΄ CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION β€” Cross-file env var exfiltration: 2 files

    Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • πŸ”΄ CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN β€” Cross-file exfiltration chain: 2 files

    Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data β†’ scripts/generate_schematic_ai.py β†’ scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

  • πŸ”΅ LOW LLM_SKILL_DISCOVERY_ABUSE β€” Over-Broad Skill Description with Excessive Trigger Keywords

    The skill description and SKILL.md contain an extensive list of trigger keywords covering a very broad range of scientific domains (Nature, Science, PLOS, IEEE, ACM, NeurIPS, ICML, CVPR, CHI, NSF, NIH, DOE, DARPA, and many more). The description is designed to activate the skill for nearly any academic writing task. While this may reflect genuine functionality, the breadth of keyword coverage could cause the skill to be activated in contexts where it is not the most appropriate tool, potentially displacing other more specialized skills. File: SKILL.md:1 Remediation: Consider narrowing the description to the core use case (LaTeX template retrieval and formatting guidance) rather than listing every possible venue. This reduces unintended activation and improves skill discovery accuracy.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/venue-templates/scripts/generate_schematic.py File: scientific-skills/venue-templates/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

    Script accesses environment variables and makes network calls in scientific-skills/venue-templates/scripts/generate_schematic_ai.py File: scientific-skills/venue-templates/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/venue-templates/scripts/generate_schematic_ai.py File: scientific-skills/venue-templates/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Cross-File Environment Variable Exfiltration Chain (generate_schematic.py -> generate_schematic_ai.py)

    The script generate_schematic.py reads OPENROUTER_API_KEY from the environment (or --api-key argument) and passes it to generate_schematic_ai.py via subprocess with env=env. This creates a cross-file exfiltration chain where the API key is harvested from the environment and forwarded to a child process that transmits it externally. The static analyzer flagged this as BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN. The --api-key CLI argument also risks exposing the key in process listings, though the code does attempt to pass it via environment instead. File: scripts/generate_schematic.py:89 Remediation: 1. Remove the --api-key CLI argument to prevent key exposure in process listings. 2. Rely solely on the OPENROUTER_API_KEY environment variable. 3. Document the data flow clearly so users understand their API key is being sent to openrouter.ai. 4. Consider adding a user confirmation prompt before making external API calls.

  • 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependency (requests library) Without Version Constraint

    The script generate_schematic_ai.py imports the requests library without any version pinning or integrity verification. The script also attempts to import dotenv (python-dotenv) without version pinning. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version could be installed. The script uses these libraries to handle API keys and make external network calls, making a compromised version particularly dangerous. File: scripts/generate_schematic_ai.py:14 Remediation: 1. Add a requirements.txt file with pinned versions (e.g., requests==2.31.0, python-dotenv==1.0.0). 2. Document required dependencies and their versions in the skill README. 3. Consider using hash-pinned dependencies for security-sensitive operations involving API keys.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Potential .env File Credential Harvesting from Working Directory

    The _load_env_file() function in generate_schematic_ai.py searches for .env files in both the current working directory (Path.cwd() / '.env') and the script directory. This means the skill will automatically read credentials from any .env file present in the user's current working directory, which may contain unrelated secrets (database passwords, other API keys, etc.) beyond just OPENROUTER_API_KEY. While only OPENROUTER_API_KEY is extracted, the act of loading arbitrary .env files from the user's working directory is a privacy concern. File: scripts/generate_schematic_ai.py:22 Remediation: 1. Only search for .env files in the skill's own directory, not in Path.cwd(). 2. Document that the skill reads .env files from the current directory. 3. Consider requiring the API key to be set explicitly as an environment variable rather than auto-loading from .env files.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Exfiltration via External Network Calls in generate_schematic_ai.py

    The script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP requests to an external API endpoint (https://openrouter.ai/api/v1). While the stated purpose is AI image generation, the script also reads the API key from environment variables and .env files, then sends it over the network. This constitutes environment variable harvesting combined with external network transmission. The cross-file chain (generate_schematic.py -> generate_schematic_ai.py) passes the API key via environment variable to a subprocess, which then uses it in external HTTP calls. Although the destination (openrouter.ai) appears legitimate, the pattern of reading env vars and transmitting them externally is a data exfiltration risk, especially since the skill could be modified or the destination could be changed. File: scripts/generate_schematic_ai.py:97 Remediation: 1. Document clearly that OPENROUTER_API_KEY is required and explain what it is used for. 2. Validate the API endpoint is the expected domain before sending credentials. 3. Avoid reading broad environment variables beyond what is strictly needed. 4. Consider pinning the API base URL as a constant and validating it cannot be overridden by user input.
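
One way to implement the remediations in the .env and API-key findings above (environment variable first, .env only from the skill's own directory rather than Path.cwd(), a pinned and validated API base, and a minimal environment for the generate_schematic.py -> generate_schematic_ai.py subprocess). This is an added example, not the skill's own code. It takes the secret name OPENROUTER_API_KEY and the base URL https://openrouter.ai/api/v1 from the findings; the function names, the ALLOWED_HOSTS set and the sample .env contents are this example's own assumptions:

```python
"""Hardened credential handling for a script like generate_schematic_ai.py.

Added example, not the skill's code. Assumptions: the secret is named
OPENROUTER_API_KEY, the only legitimate API base is https://openrouter.ai/api/v1,
and the .env file uses simple KEY=VALUE lines. Helper names are illustrative.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

SECRET_NAME = "OPENROUTER_API_KEY"
# Pinned as a constant; never taken from CLI arguments or user-controlled config.
API_BASE = "https://openrouter.ai/api/v1"
ALLOWED_HOSTS = {"openrouter.ai"}


def read_key_from_env_file(env_file: Path, name: str) -> Optional[str]:
    """Return only `name` from a KEY=VALUE .env file and ignore every other line.

    Unlike loading the whole file into os.environ, this never pulls unrelated
    secrets (database passwords, other tokens) into the process.
    """
    if not env_file.is_file():
        return None
    for raw in env_file.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == name:
            return value.strip().strip("'\"") or None
    return None


def resolve_api_key(skill_dir: Path, environ=os.environ) -> Optional[str]:
    """Environment variable first, then the skill's own .env; never Path.cwd()."""
    value = environ.get(SECRET_NAME)
    if value:
        return value
    return read_key_from_env_file(skill_dir / ".env", SECRET_NAME)


def validate_api_base(url: str) -> str:
    """Refuse to send a Bearer token anywhere but HTTPS to an allow-listed host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS API base: {url}")
    host = parts.hostname or ""          # lower-cased; look-alike hosts fail the exact match
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"refusing unexpected API host: {host}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the URL are not allowed")
    return url.rstrip("/")


def auth_headers(api_key: str, url: str = API_BASE) -> dict:
    """Build the Authorization header only after the destination has been validated."""
    validate_api_base(url)
    return {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}


def child_env(parent=os.environ, allow=(SECRET_NAME, "PATH", "HOME")) -> dict:
    """Minimal environment for the generate_schematic.py -> *_ai.py subprocess.

    env=dict(os.environ) would forward every secret in the parent shell; an
    allow-list forwards only what the child actually needs.
    """
    return {k: parent[k] for k in allow if k in parent}


def demo() -> dict:
    """Exercise the helpers on a constructed .env inside a temporary skill directory."""
    with tempfile.TemporaryDirectory() as d:
        skill_dir = Path(d)
        # Constructed sample: an unrelated secret sits next to the one we need.
        (skill_dir / ".env").write_text(
            "DATABASE_PASSWORD=hunter2\nOPENROUTER_API_KEY='sk-or-example'\n",
            encoding="utf-8",
        )
        key = resolve_api_key(skill_dir, environ={})
        return {
            "key": key,
            "base": validate_api_base("https://openrouter.ai/api/v1/"),
            "child_env": child_env(
                {"OPENROUTER_API_KEY": key, "AWS_SECRET_ACCESS_KEY": "x", "PATH": "/usr/bin"}
            ),
        }


if __name__ == "__main__":
    print(demo())
```

validate_api_base rejects plain http, any host other than openrouter.ai (including look-alikes such as openrouter.ai.evil.example) and URLs with embedded credentials, and auth_headers will not build a Bearer header until that check passes. child_env forwards only the named variables, so an unrelated secret in the parent shell (AWS_SECRET_ACCESS_KEY in the demo) never reaches the subprocess.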

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Undeclared External Network Tool Usage Violates allowed-tools Restriction

    The YAML manifest declares allowed-tools as [Read, Write, Edit, Bash], which does not include any network/HTTP tool. However, generate_schematic_ai.py makes external HTTP POST requests to https://openrouter.ai/api/v1 using the requests library. This is a capability not declared in the manifest and represents a tool restriction violation. The skill performs external network calls that are not reflected in the allowed-tools declaration, misleading users about the skill's actual capabilities and data flows. File: scripts/generate_schematic_ai.py:155 Remediation: 1. Add a network/HTTP capability declaration to the manifest or update the description to explicitly state that external API calls are made. 2. Clearly document in SKILL.md that the schematic generation feature requires internet access and sends data to openrouter.ai. 3. Consider making network calls opt-in with explicit user confirmation.
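
The manifest-versus-behaviour check behind the allowed-tools finding above, together with the env-var-plus-network signature behind the BEHAVIOR_* findings for this skill, as an added example. It is not the scanner that produced this report and not repository code. It parses allowed-tools from the SKILL.md frontmatter, infers capabilities from each script's AST and lists the ones no declared tool covers. The import-to-capability mapping, the TOOL_COVERS table and the two sample scripts are this example's own constructions modelled on the findings, not the real files; the same check applies to the other skills in this report that lack or under-declare allowed-tools:

```python
"""Compare a skill's declared allowed-tools with what its scripts actually do.

Added example; not the scanner behind this report and not code from the
repository. Assumptions: `allowed-tools` sits on one line of the SKILL.md
frontmatter (list form or space-separated form); the import-to-capability
mapping and TOOL_COVERS are this example's own choices; the sample scripts are
constructed stand-ins, not the real files.
"""
import ast
import re

NETWORK_MODULES = {"requests", "urllib", "urllib3", "http", "httpx", "socket", "aiohttp"}

# Which declared tool, if any, would justify an observed capability (assumption).
TOOL_COVERS = {
    "network": {"WebFetch", "Network", "Http"},
    "subprocess": {"Bash"},
    "env_read": {"Bash"},
    "env_iterate": set(),   # enumerating the whole environment is never justified by a tool
}


def declared_tools(skill_md: str) -> set:
    """Parse `allowed-tools: [Read, Write, Edit, Bash]` or `allowed-tools: Read Write`."""
    m = re.search(r"^allowed-tools:\s*(.+)$", skill_md, re.MULTILINE)
    if not m:
        return set()
    return {t for t in re.split(r"[\s,\[\]]+", m.group(1)) if t}


def _is_os_environ(node) -> bool:
    """True for os.environ and os.environ.items()/keys()/values()."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute) and node.attr in {"items", "keys", "values"}:
        node = node.value
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def observed_capabilities(source: str) -> set:
    """Infer capabilities from a script's AST (imports, os.* attributes, loops over environ)."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            roots = [a.name.split(".")[0] for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            roots = [(node.module or "").split(".")[0]]
        else:
            roots = []
        for root in roots:
            if root in NETWORK_MODULES:
                caps.add("network")
            if root == "subprocess":
                caps.add("subprocess")
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id == "os"):
            if node.attr in {"environ", "getenv"}:
                caps.add("env_read")
            if node.attr in {"system", "popen"}:
                caps.add("subprocess")
        if isinstance(node, (ast.For, ast.comprehension)) and _is_os_environ(node.iter):
            caps.add("env_iterate")
    return caps


def report(skill_md: str, scripts: dict) -> dict:
    """Per script: capabilities, the ones no declared tool covers, and whether the
    env-read + network combination (BEHAVIOR_ENV_VAR_EXFILTRATION) is present."""
    tools = declared_tools(skill_md)
    out = {}
    for name, source in scripts.items():
        caps = observed_capabilities(source)
        out[name] = {
            "capabilities": caps,
            "undeclared": {c for c in caps if not (TOOL_COVERS.get(c, set()) & tools)},
            "env_exfil_signature": {"env_read", "network"} <= caps,
        }
    return out


# Constructed stand-ins modelled on the findings, not the repository's files.
SAMPLE_SKILL_MD = "---\nname: venue-templates\nallowed-tools: [Read, Write, Edit, Bash]\n---\n"
SAMPLE_SCRIPTS = {
    "generate_schematic_ai.py": (
        "import os\nimport requests\n"
        "key = os.environ.get('OPENROUTER_API_KEY')\n"
        "for k, v in os.environ.items():\n    pass\n"
        "requests.post('https://openrouter.ai/api/v1/x', headers={'Authorization': key})\n"
    ),
    "generate_schematic.py": (
        "import os, subprocess\n"
        "env = dict(os.environ)\n"
        "subprocess.run(['python', 'generate_schematic_ai.py'], env=env)\n"
    ),
}

if __name__ == "__main__":
    for script, r in report(SAMPLE_SKILL_MD, SAMPLE_SCRIPTS).items():
        print(script, r)
```

With the manifest from the finding, the stand-in for generate_schematic_ai.py comes back with network and env_iterate undeclared (Bash covers subprocess and a plain environment read, nothing covers HTTP egress or a loop over every variable), and its env-read plus network combination is the signature the scanner reports as BEHAVIOR_ENV_VAR_EXFILTRATION.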

consciousness-council — 🟠 HIGH

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Unreported Python Scripts with Exfiltration Indicators

    The pre-scan static analysis reports a file inventory of 32 files including 10 Python scripts, yet the skill submission states 'No script files found.' The static analyzer flagged BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access with network calls), BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain across 2 files), and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION (cross-file env var exfiltration across 2 files). This is a critical discrepancy: 10 Python files exist in the package but were not surfaced for review, and those files exhibit data exfiltration behavioral signatures. This strongly suggests hidden malicious scripts that read environment variables (potentially API keys, credentials, tokens) and transmit them externally. File: SKILL.md Remediation: Immediately audit all 10 Python files in the skill package. The combination of environment variable access, network calls and cross-file chaining is a strong indicator of credential harvesting and exfiltration. Do not install or run this skill until all Python scripts have been reviewed. The allowed-tools field declares only 'Read Write'; any Python script making network calls would also violate that manifest declaration.

  • 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Activation Triggers in Skill Description

    The skill description contains an extensive list of activation keywords and trigger phrases designed to maximize the skill's activation frequency. Phrases like 'council mode', 'mind council', 'deliberate on this', 'help me think through this from all sides', 'what would different experts think', and broad conditions like 'user faces a dilemma, trade-off, or complex choice with no obvious answer' represent keyword baiting and capability inflation. This over-broad triggering could cause the skill to activate in unintended contexts, potentially displacing more appropriate skills or responses. File: SKILL.md Remediation: Narrow the activation triggers to specific, unambiguous phrases. Avoid broad behavioral conditions like 'faces a dilemma' that could match nearly any user query. Use precise, unique trigger phrases rather than generic descriptions of common user states.

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Allowed-Tools Declaration Potentially Violated by Hidden Scripts

    The YAML manifest declares allowed-tools as 'Read Write', restricting the skill to file read and write operations. However, the static analyzer has detected network call behavior (BEHAVIOR_ENV_VAR_EXFILTRATION) in the Python scripts present in the package. Network calls are not permitted under the declared 'Read Write' tool restriction. This constitutes a tool restriction violation where the manifest claims limited, safe capabilities but the actual code behavior exceeds those boundaries. File: SKILL.md Remediation: Review all Python scripts to identify network call code. If network calls are legitimate, update the allowed-tools declaration accordingly. If network calls are not legitimate, remove them from the scripts. The manifest must accurately reflect the skill's actual capabilities.

  • 🔵 LOW LLM_DATA_EXFILTRATION — External URL References in Skill Instructions

    The skill instructions include external URLs (https://ahkstrategies.net and https://themindbook.app) in the attribution section. While these appear to be promotional/attribution links rather than active data exfiltration, their presence in skill instructions could be used to direct users to external sites. The pre-scan static analysis also flagged environment variable access with network calls and cross-file exfiltration chains, though no script files were provided for review; this discrepancy warrants attention. File: SKILL.md Remediation: Remove external URLs from skill instructions unless they serve a functional purpose. The discrepancy between the static analyzer findings (BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN) and the absence of script files in the provided content suggests that additional files exist in the skill package that were not included in this analysis. A full audit of all 32 files (22 markdown, 10 Python) listed in the file inventory is strongly recommended.

dhdna-profiler — 🟠 HIGH

  • 🟠 HIGH LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims and Keyword Baiting in Description

    The skill description contains an unusually large number of trigger keywords and phrases designed to maximize activation across a wide range of user queries. Phrases like 'DHDNA', 'digital DNA', 'cognitive profile', 'thinking pattern', 'analyze how this person reasons', and 'understand the mind behind any text' are packed into the description to ensure the skill is invoked as broadly as possible. This is a classic keyword baiting pattern that inflates the skill's perceived relevance and increases unwanted or unintended activation frequency. File: SKILL.md Remediation: Narrow the description to a concise, accurate summary of the skill's actual function. Remove excessive trigger keyword lists and activation directives ('Also trigger when...'). Descriptions should describe capability, not manipulate discovery mechanisms.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Static Analysis Flags Cross-File Environment Variable Exfiltration Chain

    The pre-scan static analysis reports findings of BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN, and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across the skill package (32 files: 22 markdown, 10 Python). While no Python scripts were surfaced in the submitted skill content, the static analyzer detected environment variable access combined with network calls across at least 2 files. This is a significant discrepancy: the submitted content shows no scripts, but the file inventory shows 10 Python files. The unreferenced scripts field is empty, suggesting these files may be present but not disclosed in the submission. This pattern, environment variable access plus network calls across multiple files, is a hallmark of credential harvesting and exfiltration. File: SKILL.md Remediation: All 10 Python files in the package must be reviewed and disclosed. Any code that reads environment variables (os.environ, os.getenv) and makes network calls must be audited for data exfiltration. Remove or sandbox any network egress from the skill. If network calls are required, document them explicitly in the manifest and restrict them to known, user-consented endpoints.

  • 🟡 MEDIUM LLM_HARMFUL_CONTENT — Pseudoscientific Framing May Generate Misleading Cognitive Profiles

    The skill is built around the 'Digital Human DNA (DHDNA)' framework, which claims that every person has a unique 'cognitive fingerprint' extractable from text. The framework presents itself with scientific legitimacy (citing DOI-linked preprints on Zenodo, using structured scoring tables, and producing authoritative-looking profile outputs). However, the underlying methodology, scoring 12 subjective 'cognitive dimensions' from arbitrary text on a 1–10 scale, lacks validated scientific grounding. Zenodo preprints are not peer-reviewed. The skill may generate confident-sounding but misleading psychological profiles of real individuals, which could be used to manipulate, discriminate against, or mischaracterize people. The output format (with progress bars, scores, and narrative synthesis) is designed to appear authoritative. File: SKILL.md Remediation: Add prominent disclaimers that DHDNA is an experimental, non-peer-reviewed framework and that profiles are speculative interpretations, not validated psychological assessments. Avoid presenting scores with false precision. Warn users against using profiles for consequential decisions about individuals.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — External Brand and Platform Promotion Embedded in Skill Instructions

    The skill instructions contain promotional links to the author's commercial platform (themindbook.app, ahkstrategies.net) and self-referential branding ('AHK Strategies', 'AI Horizon Knowledge'). While not directly malicious, embedding commercial promotion within agent skill instructions can be used to drive traffic or brand awareness through agent interactions without user awareness that the skill is commercially motivated. This also raises questions about whether the skill's primary purpose is user utility or marketing. File: SKILL.md Remediation: Remove or minimize commercial promotion from skill instructions. If attribution is desired, limit it to the YAML frontmatter (skill-author field). Do not use agent skill instructions as a marketing channel.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — allowed-tools Declares Write Access Without Justification

    The YAML manifest declares allowed-tools: [Read, Write], granting the skill write access to the filesystem. However, the skill's stated purpose is purely analytical: extracting cognitive patterns from text. No write operations are described in the instructions, and no script files are present in the submitted content. The Write permission is unexplained and unnecessary for the declared functionality, representing an over-privileged tool declaration. File: SKILL.md Remediation: Remove Write from allowed-tools unless a specific, documented use case requires it. For a read-only text analysis skill, allowed-tools: [Read] is sufficient. The principle of least privilege should apply to tool declarations.

esm — 🟠 HIGH

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility Metadata

    The skill manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill can invoke. The skill instructs the agent to execute Python code that makes network calls to external APIs (Forge), reads/writes files (PDB files, FASTA files, pickle caches), and installs packages. Without declared tool restrictions, the agent has no manifest-level guardrails. File: SKILL.md Remediation: Add 'allowed-tools' to the manifest to explicitly declare which tools are needed (e.g., Python, Bash, Write, Read). Add 'compatibility' to clarify environment requirements (GPU, network access, etc.).

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instructions

    The installation instructions recommend installing the 'esm' package and 'flash-attn' without version pins. Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be published and automatically installed. File: SKILL.md Remediation: Pin package versions in installation instructions (e.g., 'uv pip install esm==X.Y.Z'). Consider providing a requirements.txt or pyproject.toml with pinned dependencies and hash verification.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/esm-c-api.md at line 337 contains potentially dangerous Python code. File: references/esm-c-api.md:337 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Token Placeholder in Code Examples

    The SKILL.md and references/forge-api.md contain code examples with placeholder API token strings (token='' and token=''). While these are clearly placeholders and not hardcoded secrets, the instructions guide users to pass real API tokens directly in code, which could lead to accidental credential exposure if users follow the examples literally and commit code with real tokens. File: references/forge-api.md Remediation: Update code examples to demonstrate secure token handling via environment variables (e.g., token=os.environ['FORGE_API_TOKEN']) rather than inline string literals. Add explicit warnings about not hardcoding API tokens in code.

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

    The static analyzer flagged a potential eval/exec usage in the Python code blocks within the reference documentation. Reviewing the actual code in references/esm-c-api.md and references/workflows.md, the code examples use standard ML library calls (sklearn, torch, etc.) and do not appear to contain direct eval/exec with user-controlled input. However, the flag warrants noting as a low-severity informational finding. The code examples are instructional and not directly executed by the agent, but if the agent were to copy-execute these patterns with user-supplied sequences, care should be taken. File: references/workflows.md Remediation: Review all code examples to ensure no eval/exec patterns are present with user-controlled input. If the agent executes code blocks from these references, validate that user-supplied protein sequences are treated as data, not executable code.

geomaster — 🟠 HIGH

  • 🔵 LOW LLM_COMMAND_INJECTION — eval/exec Usage Flagged by Static Analyzer in Code Blocks

    The static pre-scan identified Python code blocks containing eval/exec patterns. After reviewing all provided content, the eval/exec references appear to be within legitimate geospatial code examples (e.g., viewshed algorithms, watershed delineation). No direct user-input-to-eval pipeline was identified in the reviewed content. However, some referenced files were not found (osgeo.py, networkx.py, ee.py, etc.), and these missing files could potentially contain unsafe eval/exec usage that could not be verified. File: SKILL.md Remediation: Audit all referenced Python files (osgeo.py, networkx.py, ee.py, etc.) that were not found during analysis to confirm they do not contain unsafe eval/exec patterns with user-controlled input. Ensure any eval/exec usage in code examples includes clear warnings about injection risks.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Skill Description

    The skill description makes extremely broad capability claims: '30+ scientific domains', '500+ code examples', '8 programming languages', '70+ topics', and 'any geospatial computation task'. The description uses keyword-heavy language designed to maximize activation across a wide range of geospatial queries. While the skill does contain substantial legitimate content, the breadth of claims ('any geospatial computation task') could lead to over-activation in contexts where a more specialized skill would be appropriate. File: SKILL.md Remediation: Narrow the description to accurately reflect the skill's primary use cases. Avoid 'any' language and excessive keyword enumeration. Focus on the core value proposition rather than exhaustive capability listing.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

    The skill does not declare an 'allowed-tools' field in its YAML manifest. Given the skill's extensive code examples covering Bash installation commands, Python execution, file I/O operations, network requests, and database connections, the absence of tool restrictions means the agent has no declared boundary on what tools it may use when following this skill's instructions. This is an informational finding per the spec (allowed-tools is optional), but the breadth of operations described makes explicit tool scoping advisable. File: SKILL.md Remediation: Add an explicit 'allowed-tools' declaration to the YAML manifest listing only the tools required for the skill's core functionality. Consider: allowed-tools: [Python, Bash, Read, Write] and document which operations require which tools.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Hardcoded Credential Placeholders in Code Examples

    Multiple code examples in the skill contain placeholder credential patterns that, if filled in by users, could lead to credential exposure. Examples include SentinelAPI with 'user'/'password' strings, Google Maps API key placeholder 'YOUR_API_KEY', Mapbox 'YOUR_ACCESS_TOKEN', and OpenWeatherMap 'YOUR_API_KEY'. While these are documentation placeholders, the pattern normalizes embedding credentials directly in code rather than using environment variables or secure credential stores. File: references/data-sources.md Remediation: Replace all credential placeholders with environment variable patterns (e.g., os.environ.get('SENTINEL_USER')) and add explicit warnings in documentation that credentials should never be hardcoded. Add a security note section advising users to use credential managers.

  • 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

    Code block in references/gis-software.md at line 290 contains potentially dangerous Python code. File: references/gis-software.md:290 Remediation: Review the code block for security implications.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/machine-learning.md at line 207 contains potentially dangerous Python code. File: references/machine-learning.md:207 Remediation: Review the code block for security implications.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/machine-learning.md at line 435 contains potentially dangerous Python code. File: references/machine-learning.md:435 Remediation: Review the code block for security implications.

modal — 🟠 HIGH

  • 🔵 LOW LLM_DATA_EXFILTRATION — Credential Handling Instructions May Expose Secrets

    The SKILL.md instructs the agent to check for MODAL_TOKEN_ID and MODAL_TOKEN_SECRET in the current environment and in local .env files. While this is a reasonable workflow for credential management, instructing the agent to actively scan environment variables and .env files for credentials introduces a risk: the agent may inadvertently expose these values in logs, conversation history, or error messages. The instruction 'Check whether MODAL_TOKEN_ID and MODAL_TOKEN_SECRET are already present in the current environment' and 'check for those values in a local .env file and load them if appropriate' could lead to credential exposure if the agent echoes found values. File: SKILL.md Remediation: Add explicit instructions that the agent must never display, log, or include credential values in responses or generated code. Instruct the agent to confirm credential presence without revealing values.
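
A way to follow the remediation above, confirming that MODAL_TOKEN_ID and MODAL_TOKEN_SECRET are present without ever emitting their values, as an added example rather than anything from the Modal skill or from Modal. The credential names come from the finding; fingerprint, credential_status, redact and the sample environment are this example's own:

```python
"""Confirm credentials are present without emitting their values.

Added example, not from the Modal skill. Assumes the two credential names the
SKILL.md refers to; the helpers and the sample environment are illustrative.
"""
import hashlib

CREDENTIALS = ("MODAL_TOKEN_ID", "MODAL_TOKEN_SECRET")


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix: lets an agent say 'same token as last session'
    without revealing any byte of the token itself."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]


def credential_status(environ, names=CREDENTIALS) -> dict:
    """Report presence, length and fingerprint for each credential, never the value.

    This is what the agent may put into a response or a log line.
    """
    status = {}
    for name in names:
        value = environ.get(name)
        if not value:
            status[name] = {"present": False}
        else:
            status[name] = {"present": True, "length": len(value), "fp": fingerprint(value)}
    return status


def redact(text: str, environ, names=CREDENTIALS) -> str:
    """Mask every occurrence of a known secret value in text bound for logs,
    error messages or the conversation transcript (for example, a failed
    `modal setup` that echoes its arguments)."""
    for name in names:
        value = environ.get(name)
        if value:
            text = text.replace(value, f"<{name}:redacted>")
    return text


# Constructed sample environment; these are not real Modal tokens.
SAMPLE_ENV = {
    "MODAL_TOKEN_ID": "ak-constructed-id-0001",
    "MODAL_TOKEN_SECRET": "as-constructed-secret-0002",
    "HOME": "/home/user",
}

if __name__ == "__main__":
    print(credential_status(SAMPLE_ENV))
    print(redact("modal setup failed for token ak-constructed-id-0001", SAMPLE_ENV))
```

Route anything the agent is about to show (tool output, stderr, stack traces) through redact with the same environment it loaded the credentials from, and let credential_status be the only thing it reports about them.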

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Activation Description

    The skill description is unusually broad and contains extensive keyword baiting to maximize activation frequency. It explicitly lists numerous trigger phrases: 'whenever the user mentions Modal, serverless GPU compute, deploying ML models to the cloud, serving inference endpoints, running batch processing in the cloud, or needs to scale Python workloads beyond their local machine. Also use when the user wants to run code on H100s, A100s, or other cloud GPUs, or needs to create a web API for a model.' This pattern of embedding many activation keywords in the description inflates the perceived scope of the skill and increases the likelihood of unwanted or unnecessary activation. File: SKILL.md Remediation: Narrow the description to accurately describe the skill's purpose without excessive keyword enumeration. A concise description like 'Cloud computing platform skill for Modal deployments' is sufficient without keyword baiting.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

    The skill manifest does not specify an allowed-tools field. While this is optional per the agent skills specification, the skill instructs the agent to perform file system operations (reading .env files, checking environment variables), execute bash commands (modal setup, modal run, modal deploy), and run Python code. Without an explicit allowed-tools declaration, there is no manifest-level constraint on what tools the agent may use when following these instructions. File: SKILL.md Remediation: Consider adding an explicit allowed-tools declaration such as [Bash, Python, Read] to document and constrain the intended tool usage for this skill.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/functions.md at line 82 contains potentially dangerous Python code. File: references/functions.md:82 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

    Code block in references/gpu.md at line 159 contains potentially dangerous Python code. File: references/gpu.md:159 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

    Code block in references/gpu.md at line 168 contains potentially dangerous Python code. File: references/gpu.md:168 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_COMMAND_INJECTION — eval/exec Usage in Code Examples

    The static analyzer flagged a Python code block using eval/exec within the skill's reference files. Reviewing the content, references/images.md contains a build-step example that hands a shell command string to the image builder: .run_commands("python -c 'import torch; torch.cuda.is_available()'", gpu="A100"). This is not a call to Python's eval() or exec(); it is shell execution of a command that carries a Python source string via python -c. The specific instance is a legitimate Modal container build step, but it demonstrates a pattern where Python code travels inside a shell string. If a user adapted this pattern by interpolating untrusted input into that string, it could lead to command injection (and, within the embedded snippet, to arbitrary Python execution). The usage here is in a documentation/example context and not directly executable by the agent, but the pattern warrants awareness. File: references/images.md Remediation: This is a documentation example and poses minimal direct risk. However, when the agent generates Modal code based on user input, it should validate that user-supplied strings are not directly interpolated into .run_commands() or similar shell execution contexts without sanitization (validate the value, then quote it with shlex.quote).
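
The vulnerable interpolation pattern described above beside its hardened forms, as an added example (not Modal's code and not from the skill). It does not call Modal; it only builds and inspects the command string, the helper names are this example's own, and the hostile input is constructed for the demo:

```python
"""Interpolating user input into a shell string versus validating and quoting it.

Added example, not from the Modal skill or Modal's code. Shows the string that
would be handed to something like .run_commands(...) and why raw interpolation
is unsafe. HOSTILE is a constructed input.
"""
import shlex
import subprocess
import sys


def _check_module(module: str) -> str:
    """Allow only dotted identifiers such as torch or torch.cuda."""
    if not module or not all(part.isidentifier() for part in module.split(".")):
        raise ValueError(f"not a module name: {module!r}")
    return module


def probe_command_unsafe(module: str) -> str:
    """Vulnerable form: raw f-string interpolation into a shell string. A value
    containing a single quote and a ';' closes the python -c argument and the
    remainder runs as separate shell commands."""
    return f"python -c 'import {module}; print({module}.__version__)'"


def probe_command_safe(module: str) -> str:
    """Hardened shell form: validate first, then let shlex.quote produce a single
    shell word; metacharacters inside the snippet cannot escape that word."""
    module = _check_module(module)
    return "python -c " + shlex.quote(f"import {module}; print({module}.__version__)")


def probe_argv(module: str) -> list:
    """Best form wherever an argv list is accepted: no shell, so no quoting problem.
    Validation still matters because the value lands inside Python source."""
    module = _check_module(module)
    return [sys.executable, "-c", f"import {module}; print({module}.__version__)"]


def shell_words(cmd: str) -> list:
    """Split a command the way a POSIX shell would, for inspection."""
    return shlex.split(cmd)


# Constructed hostile input: closes the quoted snippet and injects a command.
HOSTILE = "torch'; echo pwned; '"

if __name__ == "__main__":
    print(shell_words(probe_command_unsafe(HOSTILE)))   # 'echo' and 'pwned;' become their own words
    print(shell_words(probe_command_safe("torch.cuda")))  # exactly three words
    out = subprocess.run(probe_argv("json"), capture_output=True, text=True, check=True)
    print(out.stdout.strip())
```

Splitting the unsafe command shows echo and pwned; as separate shell words, which is the injection; the hardened form rejects the same input outright and, for a legitimate module name, yields exactly the three words python, -c and the snippet.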

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in references/scheduled-jobs.md at line 141 contains potentially dangerous Python code. File: references/scheduled-jobs.md:141 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

    Code block in references/web-endpoints.md at line 149 contains potentially dangerous Python code. File: references/web-endpoints.md:149 Remediation: Review the code block for security implications.

pathml — 🟠 HIGH

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation in Quick Start Instructions

    The SKILL.md quick start section instructs users to install pathml using 'uv pip install pathml' and 'uv pip install pathml[all]' without specifying a pinned version. This means the agent could install any version of the package, including potentially compromised future versions. While this is a common documentation pattern, it represents a minor supply chain risk in an agentic context where the agent may execute these commands autonomously. File: SKILL.md Remediation: Pin the package version in installation instructions (e.g., 'uv pip install pathml==X.Y.Z') to ensure reproducibility and reduce supply chain risk. Consider adding a hash verification step for production deployments.
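
A small linter for the unpinned-dependency findings in this report (umap-learn, venue-templates, esm and this pathml finding), added here as an example and not taken from the repository. It classifies each line of a requirements file as unpinned, a version range, pinned without a hash, a bare URL, or fully pinned and hashed; the sample file is constructed and its --hash value is a placeholder, not a real digest:

```python
"""Lint a requirements file for dependencies that are unpinned or unhashed.

Added example, not from the pathml skill or this repository. Assumptions: pip
requirements syntax with optional backslash continuations; the sample file is
constructed and its --hash digest is a placeholder.
"""
import re

SPEC_RE = re.compile(r"(===|==|~=|!=|>=|<=|>|<)")


def logical_lines(text: str):
    """Yield (first_line_no, joined_text), folding backslash continuations."""
    buf, start = [], None
    for i, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = i
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def classify_requirement(line: str) -> tuple:
    """Return (name, status); status is one of
    ok | pinned-no-hash | range | unpinned | url | skip."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):       # blank, comment, -r / -e / --index-url
        return ("", "skip")
    tokens = line.split()
    first = tokens[0]
    has_hash = any(t.startswith("--hash=") for t in tokens[1:])
    if "@" in first or (len(tokens) > 1 and tokens[1] == "@"):   # PEP 508 URL / VCS form
        return (first.split("@", 1)[0], "ok" if has_hash else "url")
    name = re.split(r"[\[<>=!~;]", first, 1)[0]   # strip extras, specifier, markers
    m = SPEC_RE.search(first)
    if not m:
        return (name, "unpinned")
    if m.group(1) not in ("==", "===") or "*" in first:   # >=, ~=, <, or ==1.26.*
        return (name, "range")
    return (name, "ok" if has_hash else "pinned-no-hash")


def lint_requirements(text: str) -> list:
    """[(line_no, name, status)] for every requirement that is not fully pinned and hashed."""
    findings = []
    for line_no, logical in logical_lines(text):
        name, status = classify_requirement(logical)
        if status not in ("ok", "skip"):
            findings.append((line_no, name, status))
    return findings


# Constructed sample; the digest is a placeholder, not a real hash.
SAMPLE_REQUIREMENTS = "\n".join([
    "requests",
    "python-dotenv>=1.0",
    "pathml[all]",
    "umap-learn==0.5.3",
    "python-dotenv==1.0.0 \\",
    "    --hash=sha256:" + "0" * 64,
    "numpy==1.26.*",
    "torch @ https://example.invalid/torch-2.0.0-py3-none-any.whl",
    "-r other.txt",
    "",
])

if __name__ == "__main__":
    for line_no, name, status in lint_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {name}: {status}")
```

Only the python-dotenv line with both an exact pin and a --hash passes; pair that state with pip install --require-hashes -r requirements.txt, which refuses any line lacking a hash, so the linter surfaces the same gaps before anything is installed.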

  • 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Distributed Processing Without Resource Limits

    Multiple reference files describe distributed processing patterns using Dask with configurations that could consume significant compute resources. For example, SlideDataset.run() with distributed=True and n_workers=8 or 16, processing entire directories of large WSI files. In an agentic context, if triggered on a large dataset without user confirmation, this could exhaust system resources. However, this is standard computational pathology practice and the risk is moderate. File: references/data_management.md Remediation: The skill instructions should include guidance to confirm dataset size and resource availability with the user before initiating large-scale distributed processing jobs. Add explicit user confirmation steps before running batch operations on large datasets.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/data_management.md at line 441 contains potentially dangerous Python code. File: references/data_management.md:441 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_COMMAND_INJECTION — eval/exec Usage in Code Examples Within Reference Documentation

    Static analysis flagged multiple instances of Python code blocks containing eval/exec patterns across the reference markdown files. Upon review, these appear to be within legitimate educational code examples (e.g., training loops, model inference pipelines) rather than malicious injection patterns. The flagged patterns likely correspond to standard Python constructs such as model.eval() (PyTorch evaluation mode) which is a method call, not the built-in eval() function. No actual dangerous eval() or exec() calls with user-controlled input were identified in the documentation code samples. File: references/machine_learning.md Remediation: No immediate action required. Confirm that no code examples use Python built-in eval() or exec() with user-supplied or externally-sourced input. If any such patterns exist, replace with safer alternatives.
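
A refinement that removes the false positives described above (and the equivalent notes for esm and geomaster earlier in this report), added as an example and not part of the scanner that produced this report: instead of matching the substring eval(, it extracts the fenced python blocks from a markdown file, parses each with ast and reports only calls whose callee is the bare name eval or exec, so model.eval() is not flagged. Line numbers are mapped back to the markdown file, as the MDBLOCK findings report them. The sample markdown is constructed:

```python
"""Distinguish the built-in eval()/exec() from a method named .eval().

Added example, not the report's scanner. Pulls python fences out of markdown,
parses each with ast and reports only bare-name eval/exec calls. The sample
markdown is constructed; the fence is built from a constant so this file can
itself live inside a markdown code block.
"""
import ast
import re

FENCE = "`" * 3
FENCE_RE = re.compile(re.escape(FENCE) + r"(?:python|py)[ \t]*\n(.*?)" + re.escape(FENCE), re.DOTALL)
DANGEROUS = {"eval", "exec"}


def python_blocks(markdown: str):
    """Yield (markdown_line_of_first_code_line, code) for each fenced python block."""
    for m in FENCE_RE.finditer(markdown):
        start_line = markdown.count("\n", 0, m.start()) + 2   # the line after the opening fence
        yield start_line, m.group(1)


def builtin_eval_exec_calls(code: str) -> list:
    """[(line, name)] for calls to the eval/exec built-ins; attribute calls such as
    model.eval() have an ast.Attribute callee and are ignored."""
    try:
        tree = ast.parse(code)
    except SyntaxError:
        return []   # documentation fragments may not parse; report that separately if needed
    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DANGEROUS):
            hits.append((node.lineno, node.func.id))
    return sorted(hits)


def scan_markdown(markdown: str) -> list:
    """[(markdown_line, name)] for genuine eval/exec calls across all python fences."""
    findings = []
    for start, code in python_blocks(markdown):
        for rel_line, name in builtin_eval_exec_calls(code):
            findings.append((start + rel_line - 1, name))
    return findings


def naive_regex_hits(markdown: str) -> int:
    """What a substring match counts, for comparison: it also counts model.eval()."""
    return len(re.findall(r"\b(?:eval|exec)\(", markdown))


# Constructed sample document: one benign PyTorch block, one genuinely dangerous block.
SAMPLE_MD = "\n".join([
    "# Inference",
    "",
    FENCE + "python",
    "import torch",
    "model = torch.nn.Linear(4, 2)",
    "model.eval()",
    FENCE,
    "",
    "Prose between blocks.",
    "",
    FENCE + "python",
    'expr = input("expression: ")',
    "result = eval(expr)",
    "exec(open('plugin.py').read())",
    FENCE,
    "",
])

if __name__ == "__main__":
    print("ast:", scan_markdown(SAMPLE_MD))
    print("substring matches:", naive_regex_hits(SAMPLE_MD))
```

On the sample, the substring approach counts three hits while the AST approach reports only the two real ones (markdown lines 13 and 14); running the AST scanner over the reference files named in the MDBLOCK findings is the quickest way to confirm which of them are model.eval() false positives.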

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/machine_learning.md at line 228 contains potentially dangerous Python code. File: references/machine_learning.md:228 Remediation: Review the code block for security implications.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/machine_learning.md at line 498 contains potentially dangerous Python code. File: references/machine_learning.md:498 Remediation: Review the code block for security implications.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/machine_learning.md at line 540 contains potentially dangerous Python code. File: references/machine_learning.md:540 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Remote API Call for Cell Segmentation (SegmentMIFRemote)

    The multiparametric reference documentation describes a SegmentMIFRemote transform that sends image data to an external DeepCell API endpoint (https://deepcell.org/api/predict). In an agentic workflow, this could result in pathology image data (potentially containing patient-identifiable information) being transmitted to a third-party server. This is documented as an intentional feature but warrants awareness in privacy-sensitive deployments. File: references/multiparametric.md Remediation: Ensure users are explicitly warned that SegmentMIFRemote transmits image data to an external server. Recommend using the local SegmentMIF transform for sensitive or patient-identifiable data. Add a privacy notice in the skill documentation.

polars — 🟠 HIGH

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility Metadata

    The skill manifest does not specify the 'allowed-tools' or 'compatibility' fields. While these fields are optional per the agent skills specification, their absence means there are no declared restrictions on which agent tools this skill can invoke. Given that the skill instructs the agent to install packages via 'uv pip install polars' and perform file I/O operations, declaring allowed tools would improve transparency and security posture. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash, Read, Write]' and a compatibility field to the YAML frontmatter to explicitly declare the tools this skill requires and the environments it supports.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instruction

    The skill instructs users to install Polars using 'uv pip install polars' without specifying a version pin. This means the agent may install any version of the polars package, including potentially compromised future versions. While this is a documentation example rather than an automated install script, the agent may follow this instruction literally when helping users set up their environment. File: SKILL.md:30 Remediation: Recommend pinning to a specific version: 'uv pip install polars==1.x.x' or at minimum a version range. Document the tested/supported version in the manifest metadata.

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

    The static analyzer flagged a potential eval/exec usage in the Python code blocks within the skill's documentation. After reviewing all code blocks across SKILL.md and the referenced markdown files, the eval/exec patterns appear to be within legitimate educational code examples demonstrating Polars operations (e.g., map_elements with lambda functions, pipe operations). No actual eval() or exec() calls with unsanitized user input were found in executable scripts. The flag is a false positive from the static analyzer detecting Python code blocks in documentation. No script files are present in this skill package. File: references/best_practices.md Remediation: No action required. The code blocks are documentation examples only. No executable scripts are present in this skill package that could be exploited.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/operations.md at line 531 contains potentially dangerous Python code. File: references/operations.md:531 Remediation: Review the code block for security implications.

primekg — 🟠 HIGH

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License and Compatibility Metadata

    The SKILL.md manifest does not specify a license (listed as 'Unknown') or compatibility information. The skill also lacks the 'allowed-tools' field. While these are optional per the spec, the absence of license information is particularly notable given that PrimeKG is attributed to Harvard MIMS — the redistribution terms of the underlying data and code wrapper are unclear, which could create legal and trust issues for users deploying this skill. File: SKILL.md Remediation: Add explicit license information (e.g., MIT for the wrapper code, and clearly note the PrimeKG data license from Harvard MIMS). Add compatibility field and allowed-tools declaration (e.g., [Python]) to improve transparency.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Pre-Scan Flags Suggest Possible Environment Variable Access with Network Calls in Unreferenced Files

    The static pre-scan flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN across 2 files, but the provided script (query_primekg.py) does not contain obvious network calls or os.environ access. The referenced file 'scripts.py' was not found. This discrepancy suggests there may be additional files in the skill package (possibly the missing scripts.py or other unreferenced files) that contain environment variable harvesting combined with network exfiltration. The full package could not be fully audited due to missing files. File: scripts/query_primekg.py Remediation: Provide all files in the skill package for complete analysis. Audit any additional Python files for os.environ access combined with requests/urllib/socket calls. Ensure no credentials or environment variables are transmitted to external endpoints.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Hardcoded Absolute Path Exposes Developer's Local Filesystem Layout

    The script hardcodes an absolute path referencing a specific user's home directory on a Windows/WSL system: '/mnt/c/Users/eamon/Documents/Data/PrimeKG/kg.csv'. This reveals the developer's username and local filesystem structure. More critically, the SKILL.md also references 'C:\Users\eamon\Documents\Data\PrimeKG\kg.csv', confirming this is a real developer path that was accidentally shipped. When deployed on other systems, this path will fail, and the hardcoded path could be leveraged to infer system layout or be manipulated if the path is ever made configurable via user input. File: scripts/query_primekg.py:7 Remediation: Replace the hardcoded path with a configurable environment variable (e.g., os.environ.get('PRIMEKG_DATA_PATH', default_path)) or a relative path within the skill package. Remove all developer-specific absolute paths from both SKILL.md and scripts before distribution.

  • 🟡 MEDIUM LLM_RESOURCE_ABUSE — Repeated Full CSV Load on Every Function Call Causes Resource Exhaustion

    The _load_kg() helper is called inside every public function (search_nodes, get_neighbors, find_paths, get_disease_context). Each call reads the entire 4-million-edge CSV (~hundreds of MB) from disk into memory with no caching. A workflow that calls multiple functions (e.g., get_disease_context calls both search_nodes and get_neighbors, each loading the full CSV) will repeatedly allocate large memory blocks. Under agent-driven multi-step workflows, this can exhaust available RAM and cause denial-of-service conditions on the host machine. File: scripts/query_primekg.py:10 Remediation: Implement module-level caching using a global variable or functools.lru_cache: _KG_CACHE = None; def _load_kg(): global _KG_CACHE; if _KG_CACHE is None: _KG_CACHE = pd.read_csv(DATA_PATH, low_memory=True); return _KG_CACHE. This ensures the CSV is loaded only once per session.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — Unsanitized User Input Passed to pandas str.contains (Regex Injection)

    The search_nodes() function passes the user-supplied 'name_query' parameter directly to pandas str.contains(), which by default interprets the input as a regular expression. A malicious user could supply a crafted regex string (e.g., catastrophic backtracking patterns) to cause excessive CPU consumption, or use regex metacharacters to manipulate search behavior unexpectedly. While not a direct code execution vulnerability, this represents an injection risk into the query engine. File: scripts/query_primekg.py:52 Remediation: Escape user input before passing to str.contains() using re.escape(): mask = nodes['name'].str.contains(re.escape(name_query), case=False, na=False, regex=True). Alternatively, use regex=False for literal string matching if regex is not needed.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — Unbounded max_depth Parameter in find_paths Enables Algorithmic DoS

    The find_paths() function accepts a user-controlled max_depth parameter with no upper bound validation. While the depth-2 BFS implementation is currently stubbed out, the function signature and comment indicate future expansion. Even at depth=1, the function iterates over all matching rows with no result limit. If max_depth is implemented fully with large values (e.g., max_depth=10) on a 4-million-edge graph, it could trigger exponential traversal, exhausting CPU and memory. File: scripts/query_primekg.py:82 Remediation: Add explicit validation: if max_depth > 3: raise ValueError('max_depth must be <= 3'). Add result limits to prevent unbounded output. Consider implementing proper BFS with visited-node tracking to prevent cycles.

pyhealth — 🟠 HIGH

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Missing Script Files with Suspicious Static Analysis Findings

    The skill references 'pyhealth.py' in its instruction body as a file within the package, but this file was not available for inspection during analysis. Despite this, static analyzers detected environment variable exfiltration and cross-file data exfiltration chains involving Python files. The inability to inspect the actual executable code while static analysis flags serious behavioral patterns represents a significant tool exploitation risk — the skill may be executing malicious code hidden in files that are not surfaced for review. Remediation: 1. Require full source code inspection of all Python files before deploying any skill. 2. Do not execute skills where referenced script files cannot be reviewed. 3. Audit the complete file inventory to identify all Python files and their contents. 4. Implement a policy that all executable files in a skill package must be disclosed and reviewed prior to activation.

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Environment Variable Exfiltration with Network Calls Detected

    Static analysis flagged a cross-file exfiltration chain involving environment variable access combined with network calls across 2 files. The skill references a 'pyhealth.py' file that was not found for inspection, but the static analyzer detected BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN patterns. This suggests that one or more of the skill's Python files (including the missing pyhealth.py) may be reading environment variables (potentially containing credentials, API keys, or sensitive configuration) and transmitting them to external endpoints. The cross-file nature of the chain (2 files involved) indicates a coordinated read-then-send pattern. File: SKILL.md Remediation: 1. Inspect pyhealth.py and all other Python files in the skill package for os.environ access combined with requests/urllib/http calls. 2. Remove any code that reads environment variables and sends them to external servers. 3. Audit all network calls to ensure they only communicate with legitimate, documented endpoints. 4. If environment variables are needed for configuration, ensure they are used locally only and never transmitted externally. 5. Do not install or use this skill until the source of the flagged behavior is identified and remediated.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Multiple Missing Referenced Files Reduce Auditability

    The skill references numerous files across assets/, templates/, and references/ directories that were not found (assets/preprocessing.md, templates/preprocessing.md, templates/medical_coding.md, templates/tasks.md, templates/training_evaluation.md, templates/datasets.md, assets/tasks.md, assets/training_evaluation.md, assets/models.md, assets/datasets.md, templates/models.md, assets/medical_coding.md). While missing documentation files are lower severity, the combination of missing files with flagged exfiltration behavior increases overall risk, as malicious instructions or data could be embedded in files not available for review. File: SKILL.md Remediation: Ensure all referenced files are present and available for security review before deploying the skill. Missing files that are referenced in instructions could be populated with malicious content at runtime from external sources.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Overly Broad Skill Description May Cause Excessive Activation

    The skill description is extremely broad, listing a large number of trigger conditions including EHR systems, clinical prediction tasks, medical coding systems, physiological signals, multiple datasets, and deep learning models. While this may reflect legitimate functionality, the breadth of the description could cause the agent to invoke this skill in a wide range of healthcare-related contexts, potentially exposing sensitive clinical data to whatever data exfiltration behavior may be present in the unreviewed Python files. File: SKILL.md Remediation: Narrow the skill description to the minimum necessary trigger conditions. Avoid listing every possible use case in the description as this increases the attack surface if the skill contains malicious behavior.

pytorch-lightning — 🟠 HIGH

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility Metadata

    The SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. Given that the skill includes executable Python scripts and references to external logging services (W&B, MLflow, Neptune, Comet), declaring allowed tools would improve transparency and reduce the risk of unintended tool use. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Read, Write]' and a 'compatibility' field to the YAML frontmatter to explicitly declare the skill's intended tool usage and environment requirements.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — No Version Pinning for External Dependencies

    The skill references and instructs installation of multiple external packages (deepspeed, wandb, tensorboard, mlflow, neptune, comet-ml) without specifying version pins. The reference documentation shows 'pip install deepspeed', 'pip install wandb', etc. without version constraints. Unpinned dependencies are susceptible to supply chain attacks where a malicious package version could be introduced. File: references/distributed_training.md Remediation: Pin dependency versions in installation instructions (e.g., 'pip install deepspeed==0.14.0'). Consider providing a requirements.txt or pyproject.toml with pinned versions for reproducible environments.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/lightning_module.md at line 444 contains potentially dangerous Python code. File: references/lightning_module.md:444 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_DATA_EXFILTRATION — External Logging Service Integrations May Transmit Training Data

    The skill's reference documentation and trainer setup scripts configure integrations with multiple external cloud services: Weights & Biases (WandbLogger), MLflow, Neptune, and Comet. These loggers can be configured to upload model checkpoints, hyperparameters, metrics, and potentially training data artifacts to external servers. While this is standard ML practice, users should be aware that sensitive model information or data statistics may be transmitted externally when these loggers are used. File: scripts/quick_trainer_setup.py Remediation: Document clearly in the skill description that external logging integrations will transmit data to third-party services. Advise users to review what data is being logged before enabling cloud loggers, and to use CSVLogger or TensorBoardLogger for local-only logging when working with sensitive data.

  • 🔵 LOW LLM_COMMAND_INJECTION — Use of eval/exec in Python Code Block (Static Analyzer Flag)

    The static analyzer flagged a potential eval/exec usage in a Python code block. After thorough review of all provided scripts (template_lightning_module.py, quick_trainer_setup.py, template_datamodule.py), no actual eval() or exec() calls were found in the skill's Python scripts. The flag may refer to commented-out code or documentation examples within the reference markdown files. No exploitable code injection vector was identified in the executable scripts. File: scripts/template_lightning_module.py Remediation: Verify the exact location of the flagged eval/exec usage. If it appears in documentation examples, add a comment clarifying it is illustrative only. Ensure no user-controlled input is ever passed to eval/exec in any executable code.

qutip — 🟠 HIGH

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instructions

    The SKILL.md instructs users to install qutip and optional packages (qutip-qip, qutip-qtrl) using 'uv pip install qutip' without version pinning. This exposes users to supply chain risks where a compromised or malicious version of the package could be installed. While qutip is a well-known legitimate scientific library, the lack of version pinning is a security best practice concern. File: SKILL.md Remediation: Pin package versions in installation instructions (e.g., 'uv pip install qutip==5.0.4') to ensure reproducibility and reduce supply chain risk. Consider providing a requirements.txt or pyproject.toml with pinned dependencies.

  • 🔵 LOW LLM_COMMAND_INJECTION — Use of eval/exec in Python Code Examples

    The static analyzer flagged a Python code block using eval/exec within the skill's reference documentation. In the context of this skill, the code examples are educational QuTiP simulation snippets and no actual eval/exec call with user-controlled input was identified in the reviewed content. However, the presence of such patterns in instructional code could normalize unsafe practices if users copy-paste examples into their own code without understanding the risks. File: references/advanced.md Remediation: Review all code blocks in reference files to ensure no eval/exec patterns accept user-controlled input. If eval/exec is used in examples, add explicit warnings about the security implications of using these functions with untrusted data.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/visualization.md at line 197 contains potentially dangerous Python code. File: references/visualization.md:197 Remediation: Review the code block for security implications.

sympy — 🟠 HIGH

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Description May Cause Excessive Activation

    The skill description is very broad, listing a large number of use cases including 'physics calculations, number theory problems, geometry computations, and generating executable code from mathematical expressions.' While this accurately reflects SymPy's capabilities, the breadth of the description could cause the skill to be activated for a wide range of mathematical queries, some of which might not require symbolic computation. This is a minor concern and reflects the legitimate scope of the SymPy library. File: SKILL.md Remediation: Consider narrowing the description to emphasize the key differentiator (symbolic vs. numerical computation) to reduce unnecessary activations. The current description is not malicious but is quite broad.

  • 🔵 LOW LLM_COMMAND_INJECTION — eval() Usage in Code Example (parse_expr with user input)

    In references/code-generation-printing.md, Pattern 3 demonstrates an interactive computation pattern that reads user input via input() and passes it directly to parse_expr(). While parse_expr is safer than eval(), the same file also notes that srepr() output 'can be eval()'ed to recreate the expression', and the broader pattern of parsing arbitrary user strings into executable SymPy expressions could be misused if an agent follows this pattern without sanitization. The static analyzer flagged eval/exec usage in Python code blocks. File: references/code-generation-printing.md Remediation: The skill already includes a note: 'When parsing user input, validate and sanitize to avoid code injection vulnerabilities.' This is good practice. Ensure agents following this skill validate and sanitize user-provided expressions before passing to parse_expr, and avoid using eval() on srepr() output from untrusted sources.

  • 🔵 LOW LLM_DATA_EXFILTRATION — File Export Patterns Write to Local Filesystem

    The code-generation-printing.md reference file includes patterns that write files to the local filesystem (output.tex, output.txt, output.py, document.tex, expr.pkl, *.c files). While these are legitimate use cases for a code generation skill, agents following these patterns will write files to the user's working directory. The pickle pattern in particular (expr.pkl) could be a concern if pickle files are later loaded from untrusted sources, as pickle deserialization can execute arbitrary code. File: references/code-generation-printing.md Remediation: Add a note warning against loading pickle files from untrusted sources, as pickle.load() can execute arbitrary code. Ensure file write operations are scoped to appropriate directories and users are informed when files are being written.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/code-generation-printing.md at line 204 contains potentially dangerous Python code. File: references/code-generation-printing.md:204 Remediation: Review the code block for security implications.

torch-geometric — 🟠 HIGH

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

    The skill does not specify a license or compatibility field in the YAML frontmatter. While this is a minor informational issue, the absence of provenance metadata (author, version, license) reduces accountability and makes supply chain verification harder. This is a LOW severity informational finding per the skill spec where these fields are optional. File: SKILL.md Remediation: Add license, compatibility, and allowed-tools fields to the YAML frontmatter to improve transparency and enable proper tool restriction enforcement.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Activation Description with Keyword Baiting

    The skill description contains an unusually large number of trigger keywords and explicitly instructs the agent to activate even on vague terms like 'graph learning' or 'geometric deep learning'. The phrase 'Even if the user just says...' is a pattern consistent with capability inflation and activation priority manipulation, attempting to maximize the frequency of skill invocation beyond what is proportionate to the user's actual intent. File: SKILL.md Remediation: Narrow the activation description to specific, unambiguous use cases. Remove the 'Even if the user just says...' clause and reduce the breadth of trigger keywords to those directly relevant to the skill's core functionality.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Multiple Referenced Files Not Found in Skill Package

    The skill references numerous files (assets/scaling.md, templates/scaling.md, torch_geometric.py, torch.py, templates/link_prediction.md, templates/message_passing.md, assets/link_prediction.md, templates/explainability.md, assets/explainability.md, assets/custom_datasets.md, templates/custom_datasets.md, assets/heterogeneous.md, assets/message_passing.md, templates/heterogeneous.md) that are not present in the skill package. This creates a fragmented and incomplete skill bundle. If these files are expected to be fetched from external sources at runtime, that would represent an indirect prompt injection risk. As-is, missing files reduce skill reliability and could cause unexpected agent behavior. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. If files are intentionally omitted, remove the references from the instructions. Do not fetch missing files from external URLs at runtime, as this would introduce indirect prompt injection risk.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in SKILL.md at line 196 contains potentially dangerous Python code. File: SKILL.md:196 Remediation: Review the code block for security implications.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/link_prediction.md at line 94 contains potentially dangerous Python code. File: references/link_prediction.md:94 Remediation: Review the code block for security implications.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/link_prediction.md at line 137 contains potentially dangerous Python code. File: references/link_prediction.md:137 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_COMMAND_INJECTION — eval/exec Usage in Instructional Code Blocks

    Static analysis flagged three instances of eval/exec usage within Python code blocks embedded in the markdown documentation files. While these appear to be illustrative examples in reference documentation (e.g., torch.compile internals, PyTorch distributed patterns), the presence of eval/exec patterns in agent-readable instruction content could be leveraged if the agent is instructed to execute code blocks found in these files. The risk is low given the educational context, but warrants review. File: references/scaling.md Remediation: Review all code blocks containing eval/exec to confirm they are purely illustrative. Add explicit comments in the markdown noting these are examples only and should not be executed directly by the agent. Ensure the skill instructions do not direct the agent to execute arbitrary code blocks found in reference files.

torchdrug — 🟠 HIGH

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility Metadata

    The SKILL.md manifest does not specify the 'allowed-tools' or 'compatibility' fields. While these fields are optional per the agent skills specification, their absence means there are no declared restrictions on which agent tools this skill may invoke. Given the skill's scope (GNN training, dataset loading, model execution), specifying allowed tools would improve transparency and security posture. File: SKILL.md Remediation: Add 'allowed-tools' to the YAML frontmatter to explicitly declare which tools the skill requires (e.g., Python, Bash). Add 'compatibility' to clarify supported environments. Example: allowed-tools: [Python, Bash]

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/core_concepts.md at line 345 contains potentially dangerous Python code. File: references/core_concepts.md:345 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_COMMAND_INJECTION — Use of eval/exec in Code Example (Static Flag Review)

    The static analyzer flagged a potential eval/exec usage in a Python code block. Upon review, the flagged code in references/molecular_generation.md contains a standard multi-objective reward function definition and GCPN task setup. No actual eval() or exec() calls are present in the code blocks. The flag appears to be a false positive from pattern matching on function names or variable names. No genuine command injection risk is present in the skill's code examples. File: references/molecular_generation.md Remediation: No action required. This is a false positive. The code block is a legitimate scientific computing example with no eval/exec usage.

transformers — 🟠 HIGH

  • 🔵 LOW LLM_DATA_EXFILTRATION — Hugging Face Token Exposure Risk in Instructions

    The SKILL.md instructions include an example showing users how to set a Hugging Face token via environment variable with a placeholder value ('your_token_here'). While this is documentation-style guidance, the instructions also reference a missing file 'huggingface_hub.py' which could contain token handling logic that cannot be audited. Additionally, the login() flow and token management could inadvertently expose tokens if the agent logs or echoes environment variables. File: SKILL.md Remediation: Ensure huggingface_hub.py (if it exists) does not log, print, or transmit tokens. Advise users to use environment variables rather than hardcoding tokens. Confirm the missing huggingface_hub.py file does not contain hardcoded credentials or exfiltration logic.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies in Installation Instructions

    The installation instructions use 'uv pip install' without pinning specific package versions for torch, transformers, datasets, evaluate, accelerate, timm, pillow, librosa, and soundfile. Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be installed if a trusted package is compromised or if a typosquatting package is introduced. File: SKILL.md Remediation: Pin all dependencies to specific versions (e.g., 'transformers==4.40.0'). Consider using a requirements.txt or pyproject.toml with locked versions and hash verification. Use a dependency scanning tool to monitor for known vulnerabilities in pinned versions.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Multiple Missing Referenced Files Reduce Auditability

    The skill references numerous files that were not found during analysis: transformers.py, huggingface_hub.py, assets/generation.md, assets/training.md, assets/models.md, assets/pipelines.md, assets/tokenizers.md, and multiple templates/*.md files. These missing files cannot be audited for malicious content, hidden instructions, or unsafe code patterns. The skill's instructions direct the agent to consult these files for detailed guidance, meaning any malicious content in them would be executed in the agent's context. File: SKILL.md Remediation: Ensure all referenced files are present in the skill package before deployment. Audit each file for malicious instructions, prompt injection, or unsafe code. Do not deploy skills with missing referenced files as they cannot be fully security-reviewed.

  • 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

    Code block in references/models.md at line 214 contains potentially dangerous Python code. File: references/models.md:214 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

    The static analyzer flagged a Python code block using eval/exec within the skill's reference documentation. While reviewing the referenced files, no direct eval/exec usage was found in the visible content. The flagged pattern may exist in one of the missing referenced files (e.g., huggingface_hub.py, transformers.py, or the assets/* files that were not found). The use of eval/exec in agent-executed code blocks can lead to arbitrary code execution if user-controlled input is passed to these functions. File: references/tokenizers.md Remediation: Audit all missing referenced files (transformers.py, huggingface_hub.py, assets/*.md, templates/*.md) for eval/exec usage. Ensure any eval/exec calls do not accept user-controlled input. Replace with safer alternatives such as ast.literal_eval() for data parsing or explicit function dispatch tables.

what-if-oracle — 🟠 HIGH

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Static Scan Flags Environment Variable Exfiltration and Cross-File Exfiltration Chain

    The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls) and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain across 2 files) and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION (cross-file env var exfiltration across 2 files). The file inventory shows 5 Python files and 16 markdown files in the package, but no script content was provided for review. This is a significant discrepancy: the skill claims to have no scripts, yet the package contains 5 Python files with suspected exfiltration behavior. This strongly suggests hidden or undisclosed functionality. Remediation: Immediately audit all 5 Python files in the package. Identify which files access environment variables (e.g., os.environ, os.getenv) and which make network calls. Determine if sensitive data (API keys, credentials, system info) is being transmitted to external endpoints. Remove or sandbox any scripts performing unauthorized data collection or exfiltration. The allowed-tools declaration of 'Read Write' does not authorize network access or environment variable harvesting.

  • 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Activation Triggers / Keyword Baiting in Description

    The skill description contains an unusually large number of trigger keywords and phrases designed to maximize activation frequency. Phrases like 'what if...', 'what would happen if...', 'what are the possibilities', 'explore scenarios', 'scenario analysis', 'possibility space', 'what could go wrong', 'best case / worst case', 'risk analysis', 'contingency planning', 'strategic options', 'fork-in-the-road decision', 'stress-test an idea', and 'think through consequences' are all listed as activation triggers. This over-broad keyword baiting inflates the perceived scope of the skill and increases the likelihood of unwanted or unintended activation across a wide range of user queries. File: SKILL.md Remediation: Narrow the activation description to the core use case (structured what-if scenario analysis). Remove redundant and overly broad trigger phrases. A concise, accurate description reduces unintended activation and improves trust.

  • 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Allowed-Tools Declaration Does Not Cover Actual Package Capabilities

    The manifest declares allowed-tools as 'Read Write', implying the skill only reads and writes files. However, the package contains 5 Python scripts (per the file inventory) that the static analyzer flagged for network calls and environment variable access. Network operations and environment variable access are not covered by the declared 'Read Write' tool set. This constitutes a tool restriction violation and potential tool poisoning — the skill misrepresents its actual capabilities in the manifest. File: SKILL.md Remediation: Either update the allowed-tools declaration to accurately reflect all capabilities used (including network/Bash if applicable), or remove the Python scripts performing undeclared operations. The manifest must accurately represent the skill's actual behavior.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Unverified External URLs Referenced in Instructions

    The SKILL.md references two external DOI/URL links (zenodo.org) and two external websites (ahkstrategies.net, themindbook.app). While these appear to be informational references rather than active data sources, they represent external dependencies whose content could change. If the agent were instructed to fetch or follow these URLs, they could become vectors for indirect prompt injection or data exfiltration. The static pre-scan also flagged cross-file environment variable exfiltration chains, which could not be confirmed from the provided script content but warrants attention. File: SKILL.md Remediation: Ensure the agent does not fetch or execute content from these URLs. If the skill is part of a larger package with Python scripts (as suggested by the static scan showing 5 Python files), those scripts should be reviewed for network calls to these or other external domains.

zarr-python — 🟠 HIGH

  • 🟠 HIGH LLM_DATA_EXFILTRATION — Environment Variable Exfiltration Chain Detected Across Script Files

    Static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION, indicating that environment variable access is combined with network calls across multiple files in this skill package. Although the referenced Python files (zarr.py, s3fs.py, gcsfs.py, dask.py, xarray.py, h5py.py) were not found during analysis, the static analyzer detected a cross-file exfiltration chain spanning 2 files. This pattern — reading environment variables (which may contain API keys, AWS credentials, tokens, etc.) and then making network calls — is a classic data exfiltration pattern. The skill's cloud storage integration (S3, GCS) provides plausible cover for such network activity. Remediation: Audit all Python script files in the skill package for environment variable reads (os.environ, os.getenv) combined with outbound network calls. Verify that any network destinations are legitimate cloud storage endpoints (AWS S3, GCS) and not attacker-controlled servers. Ensure no credentials or environment data are sent to unexpected third-party URLs. Pin all dependencies to known-good versions and verify package integrity.

  • 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Potential Brand Impersonation of Official Zarr Library

    The skill is named 'zarr-python' and closely mimics the official Zarr Python library documentation, including identical API examples, official documentation links, and the official GitHub repository URL. However, the skill author is listed as 'K-Dense Inc.' rather than the official zarr-developers organization. This combination — using the official library name, documentation style, and links while being published by an unaffiliated third party — is a pattern consistent with brand impersonation or capability inflation to gain user trust. Remediation: Verify the provenance of this skill package. The official zarr library is maintained by zarr-developers, not K-Dense Inc. Users should obtain zarr documentation skills only from verified, official sources. Treat this skill with elevated suspicion given the mismatch between the claimed identity and the official project maintainers.

  • 🟠 HIGH LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation from Unknown Skill Author

    The SKILL.md instructs users to install packages via 'uv pip install zarr', 'uv pip install s3fs', and 'uv pip install gcsfs' without version pinning. The skill is authored by 'K-Dense Inc.', which is not the official zarr-developers organization. Combined with the static analysis findings of cross-file exfiltration chains, unpinned installs from an unverified author create a supply chain risk. Without version pins, a compromised or malicious package version could be installed silently. File: SKILL.md Remediation: Pin all package versions explicitly (e.g., 'uv pip install zarr==2.18.0'). Verify the skill author's identity and relationship to the official zarr-developers project. Cross-reference the skill package against the official zarr GitHub repository at https://github.com/zarr-developers/zarr-python.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Cloud Credential Exposure Risk via S3/GCS Integration Instructions

    The SKILL.md instructions guide users to configure S3 and GCS filesystem objects using 's3fs.S3FileSystem(anon=False)' and 'gcsfs.GCSFileSystem(project=...)'. These calls implicitly access cloud credentials from environment variables, ~/.aws/credentials, application default credentials, or other credential stores. Given the static analysis finding of environment variable exfiltration combined with network calls, there is a risk that the underlying scripts harvest these credentials and transmit them to unauthorized endpoints under the guise of legitimate cloud storage operations. File: SKILL.md Remediation: Do not use this skill with real cloud credentials until the exfiltration chain identified by static analysis is fully audited and cleared. Review all network destinations in the script files before granting access to cloud credentials. Use least-privilege IAM roles and monitor for unexpected outbound connections.

bgpt-paper-search — 🟡 MEDIUM

  • 🟡 MEDIUM LLM_PROMPT_INJECTION — External MCP Server as Indirect Prompt Injection Vector

    The skill instructs the agent to connect to and consume results from a remote MCP server (https://bgpt.pro/mcp/sse). Structured data returned by this external server (paper titles, abstracts, methods, conclusions, etc.) is rendered directly into the agent's context. A compromised or malicious BGPT server could embed prompt injection payloads within any of the 25+ returned fields (e.g., paper title, conclusions, methods text), potentially manipulating the agent's subsequent behavior, overriding instructions, or exfiltrating data from the session. File: SKILL.md Remediation: The agent should treat all content returned by the external MCP server as untrusted data, not as instructions. Implement output sanitization or clearly scope returned content as data-only. Users should be warned that paper content rendered into context could contain adversarial text. Consider sandboxing or summarizing external results before acting on them.

  • 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned npx Dependency for Remote MCP Client

    The skill uses npx mcp-remote and npx bgpt-mcp without version pinning. This means the package resolved at runtime could be a different (potentially malicious or compromised) version than intended. An attacker who compromises the npm package mcp-remote or bgpt-mcp, or who performs a typosquatting attack, could execute arbitrary code on the user's machine when the MCP server is initialized. File: SKILL.md Remediation: Pin the npm packages to specific verified versions (e.g., npx mcp-remote@1.2.3). Verify package integrity via checksums or lockfiles. Document the expected package version in the skill manifest. Users should run npm install --save-exact and audit dependencies before use.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Data Transmission to Third-Party Commercial Server

    All search queries and potentially session context are transmitted to the external commercial server at bgpt.pro. The skill does not disclose what data is logged, retained, or shared by the BGPT service. Users conducting sensitive literature reviews (e.g., unpublished research directions, proprietary drug targets) may inadvertently expose their research interests to a third party. File: SKILL.md Remediation: Add a clear disclosure in the skill description that all queries are sent to bgpt.pro and subject to their privacy policy. Link to the BGPT privacy policy. Users with sensitive research topics should review the terms of service before use.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Description

    The skill description claims to return '25+ fields per paper' and positions itself as suitable for 'systematic or scoping literature reviews', 'meta-analyses', and 'clinical guidelines'. These are high-stakes use cases. The actual quality, completeness, and accuracy of the BGPT database are not independently verifiable from the skill package itself, and the description may inflate perceived reliability, potentially causing the agent to over-rely on this source for critical evidence synthesis tasks. File: SKILL.md Remediation: Add a disclaimer noting that BGPT is a third-party commercial service and results should be independently verified. Clarify the scope and coverage of the database. Avoid positioning the tool as authoritative for clinical or regulatory decision-making without independent validation.

cobrapy — 🟡 MEDIUM

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — No version pinning or dependency provenance in skill documentation

    The skill documentation and workflows reference external packages (cobra, pandas, matplotlib, seaborn, numpy) without specifying version constraints. The referenced files matplotlib.py and cobra.py are not found in the package, which could indicate shadowing attempts or missing files. If the skill installs dependencies at runtime without pinned versions, it is susceptible to supply chain attacks via dependency confusion or typosquatting. Remediation: Add a requirements.txt or equivalent with pinned versions (e.g., cobra==0.26.3, pandas==2.1.0). Document the expected package provenance. Investigate why matplotlib.py and cobra.py are referenced but not found - ensure no local module shadowing of standard library or third-party packages is occurring.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility metadata

    The SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. Given the skill executes complex Python workflows including file I/O and multiprocessing, documenting these constraints would improve transparency. File: SKILL.md Remediation: Add 'allowed-tools' and 'compatibility' fields to the YAML frontmatter to clearly document which agent capabilities this skill requires and in which environments it is supported.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Static analyzer flagged environment variable access combined with network calls

    The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN across 2 files in the skill package. While the reviewed referenced files (references/workflows.md and references/api_quick_reference.md) contain only legitimate COBRApy scientific workflow code with no visible credential harvesting or exfiltration patterns, the static analyzer detected environment variable access paired with network calls in files not surfaced for review. The 32-file package (22 markdown, 10 Python) contains unrevealed Python scripts that may contain these patterns. File: references/api_quick_reference.md Remediation: Audit all 10 Python files in the package for environment variable access (os.environ, os.getenv) combined with outbound network calls (requests, urllib, socket, etc.). Remove any code that reads credentials or environment variables and transmits them externally. Ensure all network calls are limited to legitimate COBRApy solver/model operations only.

database-lookup — 🟡 MEDIUM

  • 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Excessive Capability Inflation and Over-Broad Activation Triggers

    The skill description is extremely broad, claiming to cover 78 databases across virtually every scientific, medical, financial, and regulatory domain. The description includes an extensive list of trigger phrases designed to maximize activation across nearly any data-related query. Phrases like 'Also trigger when the user mentions any database by name' and the exhaustive list of domains (cancer genomics, somatic mutations, nucleotide sequences, ENA accessions, INSDC data, virtual screening, compound purchasability, etc.) represent keyword baiting and capability inflation designed to ensure this skill is invoked for almost any technical query. This over-broad activation pattern could cause the skill to intercept queries intended for other, more specialized tools. File: SKILL.md Remediation: Narrow the description and trigger conditions to the specific databases and use cases the skill is designed for. Avoid exhaustive keyword lists that cause the skill to activate for nearly any technical query. Use precise, scoped descriptions rather than catch-all activation triggers.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Loading from Environment Variables and .env Files

    The skill instructs the agent to read API keys from environment variables and .env files in the current working directory. While this is a common pattern, the skill explicitly instructs the agent to read potentially sensitive credentials (API keys for 17+ services including financial APIs like Alpha Vantage, FRED, BEA, and government data APIs) from the environment. The static analyzer flagged 'BEHAVIOR_ENV_VAR_EXFILTRATION' and 'BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION', indicating environment variable access combined with network calls. The skill makes outbound network calls to external APIs while also reading environment variables, creating a potential data flow where environment variables beyond just API keys could be inadvertently exposed or logged in API call parameters. File: SKILL.md Remediation: Limit environment variable access strictly to the documented API key variables. Avoid reading the entire environment or .env file contents. Validate that only expected key names are accessed. Consider documenting which specific variables are read to allow users to audit access.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

    The skill does not specify a license or compatibility field in its YAML manifest. The skill-author is listed as 'K-Dense Inc.' but no license is provided. For a skill that accesses 78 external APIs, makes network calls, reads environment variables, and executes shell commands, the absence of license information prevents users from understanding the terms under which the skill operates. This is a transparency concern rather than a direct security threat. File: SKILL.md Remediation: Add license and compatibility fields to the YAML manifest. Specify which platforms the skill has been tested on and under what license terms it is distributed.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Unrestricted Tool Usage Without allowed-tools Declaration

    The skill does not declare an allowed-tools field in its YAML manifest, yet the instructions direct the agent to use Bash (for curl commands, environment variable access via 'echo $VAR'), Python (implied by platform references), file reading (for .env files and reference files), and network fetch tools. The absence of allowed-tools means there are no declared restrictions on what tools the agent can use when executing this skill. While missing allowed-tools is informational per the spec, the combination of unrestricted tool access with instructions to execute shell commands (curl), read files (.env, references/), and make network calls represents a broad attack surface. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the YAML manifest listing only the tools required (e.g., Bash, WebFetch). This provides transparency to users about what capabilities the skill requires and enables enforcement of tool restrictions.

datamol — 🟡 MEDIUM

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Unvalidated Remote File Access Patterns

    The skill's instructions explicitly demonstrate and encourage reading files from arbitrary remote URLs and cloud storage paths provided by users, including HTTP/HTTPS URLs and S3/GCS paths. The code examples show reading CSV and SDF files directly from 'https://example.com/data.csv' and 's3://bucket/compounds.sdf' without any validation or sanitization of the URL. A malicious user could supply a crafted URL pointing to attacker-controlled infrastructure, potentially enabling SSRF (Server-Side Request Forgery) or data exfiltration via the response. File: SKILL.md Remediation: Add input validation for user-supplied file paths. Restrict allowed URL schemes and domains, or require explicit user confirmation before accessing remote URLs. Document that remote file access should only be used with trusted sources.

  • 🟡 MEDIUM LLM_PROMPT_INJECTION — Indirect Prompt Injection via External Molecular Data Files

    The skill instructs the agent to read molecular data files from user-specified paths (SDF, CSV, SMILES, Excel) and process their contents. If a malicious actor crafts a molecular data file (e.g., SDF with embedded text fields, CSV with specially crafted SMILES column headers or metadata) containing prompt injection payloads in molecule names, properties, or metadata fields, the agent may process and act on those embedded instructions when displaying or summarizing the data. SDF files in particular support arbitrary text property fields that could contain instruction overrides. File: SKILL.md Remediation: Treat all data read from external files as untrusted. When displaying molecule metadata or property fields to the user, sanitize or clearly delimit the content to prevent it from being interpreted as agent instructions. Avoid passing raw file content directly into agent context without sanitization.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Multiple Referenced Files Not Found

    The skill references numerous files in its instructions that do not exist in the package: assets/io_module.md, assets/descriptors_viz.md, rdkit.py, assets/core_api.md, assets/conformers_module.md, assets/fragments_scaffolds.md, datamol.py, assets/reactions_data.md, sklearn.py, scipy.py, templates/descriptors_viz.md, templates/core_api.md, templates/reactions_data.md, templates/conformers_module.md, templates/fragments_scaffolds.md, templates/io_module.md, and '=[O:2]'. Missing files could indicate an incomplete package or that the skill may attempt to fetch these from external sources at runtime. File: SKILL.md Remediation: Ensure all referenced files are bundled with the skill package. Remove references to non-existent files or document that they are optional. Investigate the anomalous '=[O:2]' reference which appears to be a SMARTS fragment accidentally parsed as a file path.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

    The skill does not specify the 'allowed-tools' field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be invoked. Given the skill's broad scope (file I/O, network access, parallel processing), documenting allowed tools would improve transparency. File: SKILL.md Remediation: Add an 'allowed-tools' field to the YAML frontmatter listing the tools the skill requires, e.g., allowed-tools: [Python, Bash, Read, Write].

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Metadata

    The skill does not specify the 'compatibility' field in its YAML manifest. The skill references cloud storage (S3, GCS, HTTP), parallel processing, and various file formats, but does not declare environment compatibility requirements. This could lead to unexpected behavior in restricted environments. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter describing supported environments and any prerequisites (e.g., fsspec, s3fs, gcsfs libraries).

depmap — 🟡 MEDIUM

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Potential Environment Variable Access Combined with Network Calls (Static Analyzer Finding)

    The static pre-scan flagged 'BEHAVIOR_ENV_VAR_EXFILTRATION' and 'BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN' across 2 files in the package. While the provided SKILL.md instructions and code snippets do not explicitly show environment variable harvesting, the static analyzer detected a cross-file pattern combining environment variable access with network calls. This pattern is consistent with credential or token exfiltration. The full script files were not provided for review, but this finding warrants attention given the skill makes outbound HTTP requests. File: SKILL.md Remediation: Audit all Python script files in the package (10 Python files detected) for environment variable access (os.environ, os.getenv) combined with outbound network calls. Ensure no credentials, tokens, or sensitive environment variables are transmitted to external servers. Restrict network calls to known DepMap/Figshare endpoints only.

  • 🔵 LOW LLM_PROMPT_INJECTION — Referenced File 'scipy.py' Not Found in Package

    The SKILL.md references a file named 'scipy.py' which is not present in the skill package. This could indicate a missing dependency, a typo (likely referring to the scipy library rather than a local file), or a placeholder that could be substituted with a malicious file. If an attacker were able to place a file named 'scipy.py' in the working directory, it could shadow the legitimate scipy library and execute arbitrary code when imported. File: SKILL.md Remediation: Remove the reference to 'scipy.py' as a file if it is intended to refer to the scipy Python library. Ensure all local file references are clearly distinguished from library imports. Verify the package is complete and no files are missing.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md manifest does not specify the 'allowed-tools' field. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. Given that the skill makes network requests and downloads large data files, declaring allowed tools would improve transparency and reduce the attack surface. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter, e.g., 'allowed-tools: [Python, Bash]', to document and restrict the tools this skill is permitted to use.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Data Downloads from DepMap/Figshare

    The skill instructs downloading large CSV data files from external URLs (depmap.org and figshare.com) without any integrity verification (e.g., checksums, hash validation). The Figshare URL in the code is a placeholder ('...'), and the actual download URLs are not pinned to specific verified file hashes. A compromised or substituted file at these URLs could introduce malicious data into the analysis pipeline. File: SKILL.md Remediation: Pin download URLs to specific versioned file identifiers and validate downloaded files against known checksums (SHA256) before use. Avoid placeholder URLs in production code.

dnanexus-integration — 🟡 MEDIUM

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Declaration

    The skill manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, the skill instructs the agent to execute bash commands (dx login, dx build, dx run, dx watch, dx terminate) and Python code (dxpy SDK calls). Without an explicit allowed-tools declaration, the agent's tool usage boundaries are undefined, potentially allowing broader tool access than intended for a genomics integration skill. File: SKILL.md Remediation: Add 'allowed-tools: [Bash, Python]' to the SKILL.md YAML frontmatter to explicitly declare the tools this skill requires, enabling proper access control enforcement.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Missing License and Unpinned Package Installation

    The skill manifest lists license as 'Unknown', which reduces provenance transparency. Additionally, the SKILL.md instructions recommend installing dxpy with 'uv pip install dxpy' without a version pin, and the references/configuration.md shows patterns of installing Python packages without pinned versions (e.g., 'pip install numpy==1.24.0' is shown as an example but the primary install command is unpinned). Unpinned dependencies are susceptible to supply chain attacks where a malicious version of a package could be installed. File: SKILL.md Remediation: Pin the dxpy version explicitly (e.g., 'uv pip install dxpy==0.375.0'). Add a valid license to the SKILL.md manifest. Document the skill author and version provenance clearly.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Environment Variable Access with Network Calls Detected

    The static pre-scan flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION patterns across multiple files in the skill package. The references/python-sdk.md documents use of environment variables (e.g., DX_SECURITY_CONTEXT, DX_ASSET_BWA) and network API calls. While the visible reference files appear to show legitimate DNAnexus SDK usage, the static analyzer detected a cross-file exfiltration chain across 2 files that were not provided for review (likely among the 'not found' referenced files or unreferenced scripts). The combination of environment variable harvesting and network calls is a classic data exfiltration pattern. The skill has 32 total files (22 markdown, 10 Python) but only a subset were provided for review, meaning the flagged Python scripts could not be fully audited. File: references/python-sdk.md Remediation: Provide all 10 Python script files for full review. Audit any scripts that read environment variables (especially DX_SECURITY_CONTEXT, API tokens, AWS credentials) and make network calls. Ensure no script reads env vars and posts them to external endpoints. Verify the cross-file exfiltration chain identified by the static analyzer does not involve credential harvesting.

exploratory-data-analysis — 🟡 MEDIUM

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Skill Description

    The skill description claims support for '200+ file formats' across six major scientific domains. While the reference files do cover many formats, the breadth of the claim ('200+ file formats') combined with the instruction 'This skill should be used when analyzing any scientific data file' could lead to over-activation of the skill for files it cannot actually handle, potentially causing errors or misleading analysis. The description is somewhat inflated relative to actual automated analysis capabilities (the script only handles a subset of formats with actual data parsing). File: SKILL.md Remediation: Clarify in the description which formats have automated analysis support vs. reference-only documentation. Avoid 'any scientific data file' language that over-promises capability.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Third-Party Library Dependencies

    The skill references and uses numerous third-party Python libraries without version pinning (biopython, rdkit, mdanalysis, pymzml, pyteomics, tifffile, nd2reader, h5py, etc.). The troubleshooting section suggests installing these with 'uv pip install biopython' without version constraints. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be installed. File: SKILL.md Remediation: Provide a requirements.txt or pyproject.toml with pinned versions for all dependencies. At minimum, specify minimum version constraints. Consider using a lock file for reproducible installations.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Pickle File Deserialization Warning in Reference Documentation

    The reference files (chemistry_molecular_formats.md, proteomics_metabolomics_formats.md) document .pkl/.pickle files and suggest using Python's pickle module to deserialize them as part of EDA analysis. The skill instructions could lead the agent to deserialize arbitrary pickle files provided by users, which is a known arbitrary code execution vector. The skill does not include any warning about the security risks of deserializing untrusted pickle files. File: references/chemistry_molecular_formats.md Remediation: Add explicit security warnings in the reference documentation and skill instructions that pickle files from untrusted sources should never be deserialized, as they can execute arbitrary code. Recommend using safer alternatives (e.g., JSON, HDF5, Parquet) or at minimum verifying file provenance before deserialization.

  • 🟡 MEDIUM LLM_PROMPT_INJECTION — Indirect Prompt Injection via Reference File Content Loaded into Context

    The skill instructs the agent to read reference files (e.g., references/chemistry_molecular_formats.md, references/bioinformatics_genomics_formats.md) and load their content into the conversation context for analysis. The eda_analyzer.py script also reads these files and injects their raw content (raw_section) directly into the generated markdown report. If any of these reference files were modified by a malicious actor (e.g., supply chain compromise of the skill package), they could contain embedded prompt injection instructions that would be executed when the agent reads them. The generate_markdown_report function directly embeds raw_section content without sanitization. File: scripts/eda_analyzer.py Remediation: While the reference files in this package appear benign, the pattern of loading raw file content into agent context is a risk. Validate reference file content before embedding it in reports. Consider using structured parsing rather than raw section injection. If reference files could be user-modified, treat them as untrusted input.

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage Flagged by Static Analyzer

    The static pre-scan flagged a Python code block using eval/exec. Reviewing the script, the eda_analyzer.py does not directly use eval() or exec() in its main code paths. However, the use of re.search with user-controlled file extension strings in load_reference_info() and detect_file_type() could theoretically be abused if the extension map or regex patterns were manipulated. The static flag may refer to code examples in the markdown reference files. No direct eval/exec was found in the primary script. File: scripts/eda_analyzer.py Remediation: Sanitize the 'extension' variable before using it in regex patterns to prevent ReDoS or regex injection. Use re.escape() on the extension: pattern = rf'### .{re.escape(extension)}[^#]*?(?=###|\Z)'

histolab — 🟡 MEDIUM

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing Referenced Files May Lead to Untrusted Content Loading

    Several referenced files listed in the skill package are not found (e.g., PIL.py, histolab.py, matplotlib.py, and multiple template/asset files). The presence of filenames like PIL.py, matplotlib.py, and histolab.py in the referenced files list is suspicious — these names shadow well-known Python standard library packages. If these files were present, they could shadow legitimate imports and execute malicious code when the agent attempts to use them. Their absence is noted but the naming pattern warrants attention. File: SKILL.md Remediation: Remove references to files that do not exist in the skill package. Avoid naming local files with the same names as popular Python packages (PIL.py, matplotlib.py, histolab.py) as this creates import shadowing risks. Audit all referenced files to ensure they exist and contain only expected content.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md manifest does not specify the allowed-tools field. While this is optional per the agent skills specification, the skill instructs the agent to execute Python code, run bash commands (uv pip install), read and write files (tile extraction, thumbnail saving, CSV reports), and perform filesystem traversal. Without declaring allowed tools, there is no explicit boundary on what agent capabilities this skill may invoke. File: SKILL.md Remediation: Add an explicit allowed-tools field to the YAML frontmatter listing the tools this skill requires (e.g., [Python, Bash, Read, Write]). This improves transparency and allows the agent runtime to enforce capability boundaries.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation via uv pip install

    The skill instructs installation of the histolab package without a pinned version number. Unpinned package installations are vulnerable to supply chain attacks where a malicious version could be published to PyPI and automatically installed. The instruction uv pip install histolab will always fetch the latest version, which could include compromised code if the package is ever hijacked or a malicious update is published. File: SKILL.md Remediation: Pin the package to a specific known-good version, e.g., uv pip install histolab==0.5.1. Additionally, consider specifying a hash verification or using a lockfile to ensure reproducible and secure installations.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — Use of eval/exec in Python Code Blocks

    Static analysis flagged two instances of eval/exec usage within Python code blocks in the skill's markdown files. While reviewing the content, the references/filters_preprocessing.md file contains a Lambda filter pattern that could be used to execute arbitrary code via lambda functions passed to filter pipelines. The Lambda filter class accepts arbitrary callable expressions, which if constructed from user-supplied input could lead to code injection. The pattern Lambda(lambda img: ...) is used throughout the preprocessing documentation and could be misused if user-controlled strings are passed to eval/exec to construct these lambdas dynamically. File: references/filters_preprocessing.md Remediation: Ensure that Lambda filter arguments are never constructed from user-supplied input. If the skill instructs the agent to dynamically build filter pipelines from user input, add explicit validation and avoid using eval/exec to construct callable objects. Document that Lambda filters must only use hardcoded or pre-validated expressions.

imaging-data-commons — 🟡 MEDIUM

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — Dynamic subprocess execution for package upgrade

    The SKILL.md instructs the agent to run subprocess.run() to execute pip upgrade commands dynamically based on a version comparison. While the command itself is hardcoded (not user-controlled), this pattern of having the agent execute subprocess commands to modify the Python environment is a risky pattern. If the version string or package name were ever influenced by external data (e.g., from a malicious index table result), it could lead to command injection. The --break-system-packages flag is also notable as it bypasses system package protections. File: SKILL.md Remediation: Avoid having the agent automatically execute subprocess commands to modify the Python environment. Instead, instruct the user to manually run the upgrade command. If automated upgrade is necessary, validate all inputs strictly and avoid --break-system-packages flag.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Broad Capability Claims in Description

    The skill description claims broad capabilities including 'Query and download public cancer imaging data' and lists multiple access methods, tools, and integrations. While the description is generally accurate and the skill is legitimate, the extensive keyword coverage (CT, MR, PET, radiology, pathology, AI training, research, BigQuery, DICOMweb, S3, GCS) could cause the skill to be activated for a very wide range of queries. This is a minor concern given the legitimate nature of the skill. File: SKILL.md Remediation: This is a low-severity informational finding. The description is accurate and the skill is legitimate. No immediate action required, but consider whether the scope could be narrowed if the skill is being over-triggered.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation via pip upgrade

    The SKILL.md instructions explicitly recommend and demonstrate using 'pip install --upgrade idc-index' without pinning to a specific version hash or using a lockfile. While a specific version (0.11.14) is mentioned in the version check code, the upgrade command itself is unpinned and will always fetch the latest version. This creates a supply chain risk where a compromised or malicious future release of idc-index could be automatically installed. The skill also suggests installing optional packages (pandas, numpy, pydicom, SimpleITK) without any version pinning at all. File: SKILL.md Remediation: Pin package installations to specific verified versions with hashes where possible. Use 'pip install idc-index==0.11.14' rather than '--upgrade'. For optional packages, specify version constraints. Consider using a requirements.txt with hash verification.

  • 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

    Code block in SKILL.md at line 21 contains potentially dangerous Python code. File: SKILL.md:21 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_PROMPT_INJECTION — Indirect Prompt Injection Risk via External SQL Query Results

    The skill instructs the agent to execute SQL queries against IDC index data and use the results directly in subsequent operations (e.g., downloading files, generating viewer URLs). While IDC is a reputable NCI data source, the pattern of trusting and acting on data returned from external queries without validation creates a theoretical indirect prompt injection surface. Maliciously crafted metadata values (e.g., in SeriesDescription, collection_id, or other string fields) could potentially influence agent behavior if those values are interpolated into subsequent instructions or displayed without sanitization. The use_cases.md also shows direct string interpolation of query results into SQL queries (f-string with mfr and model variables). File: references/use_cases.md:45 Remediation: Avoid direct string interpolation of database query results into subsequent SQL queries (use parameterized queries). Sanitize or validate metadata values before using them in downstream operations. The idc-index sql_query method should use parameterized queries rather than f-string interpolation.

labarchive-integration — 🟡 MEDIUM

  • 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependency Installed via Git Clone

    The SKILL.md instructs users to install the labarchives-py package directly from a GitHub repository without any version pinning, commit hash, or integrity verification. This creates a supply chain risk: if the repository at https://github.com/mcmero/labarchives-py is compromised or updated with malicious code, all users of this skill would be affected. The same unverified GitHub install URL is also referenced in error messages within the Python scripts. File: SKILL.md Remediation: Pin the dependency to a specific commit hash or tag (e.g., pip install git+https://github.com/mcmero/labarchives-py@<commit-hash>). Alternatively, publish the package to PyPI with a pinned version and verify checksums. Document the expected package hash for integrity verification.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Missing License and Compatibility Metadata

    The skill manifest does not specify a license or compatibility field. While allowed-tools being absent is acceptable per the spec, the missing license information means users cannot assess the legal terms under which this skill and its bundled scripts can be used, modified, or distributed. The skill author is listed as 'K-Dense Inc.' but no license is declared. File: SKILL.md Remediation: Add a license field to the YAML frontmatter (e.g., license: MIT) and a compatibility field indicating supported environments. This improves transparency and helps users understand usage rights.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in references/api_reference.md at line 217 contains potentially dangerous Python code. File: references/api_reference.md:217 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_DATA_EXFILTRATION — SSL Verification Disable Guidance in Authentication Reference

    The references/authentication_guide.md includes example code that disables SSL certificate verification (verify=False) for handling self-signed certificates. While labeled as 'not recommended for production,' providing this code snippet normalizes insecure practices and could lead users to disable SSL verification in production environments, exposing credentials to man-in-the-middle attacks. File: references/authentication_guide.md Remediation: Remove the verify=False example entirely or replace it with proper guidance on installing custom CA certificates (verify='/path/to/ca-bundle.crt'). Add a prominent warning that disabling SSL verification in production exposes credentials to interception.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in references/integrations.md at line 93 contains potentially dangerous Python code. File: references/integrations.md:93 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in references/integrations.md at line 309 contains potentially dangerous Python code. File: references/integrations.md:309 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Credentials Transmitted in HTTP POST Body (Plaintext)

    In entry_operations.py, the upload_attachment function includes access_key_id and access_password directly in the HTTP POST form data body when uploading attachments. While HTTPS is used, embedding credentials in request bodies (rather than using proper Authorization headers or signed requests) increases the risk of credential exposure in server logs, proxy logs, and debugging output. The credentials are read from the config file and passed as plaintext form fields. File: scripts/entry_operations.py Remediation: Use Authorization headers or HMAC-signed request parameters instead of embedding credentials in POST body form data. If the LabArchives API requires credentials in the body, ensure all intermediary proxies and logging systems are configured to redact sensitive fields.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Credentials Stored in Plaintext YAML Config File

    The setup_config.py script creates a config.yaml file containing plaintext API credentials including access_key_id, access_password, user_email, and user_external_password. While the script sets file permissions to 0o600 (user read/write only), storing credentials in a plaintext YAML file on disk is a security risk if the filesystem is compromised, the file is accidentally committed to version control, or the system is shared. The authentication guide does mention environment variables as an alternative but the default workflow uses the config file. File: scripts/setup_config.py Remediation: Prefer environment variables or OS-level secret stores (e.g., macOS Keychain, Linux Secret Service, AWS Secrets Manager) over plaintext config files. Add config.yaml to .gitignore by default during setup. Consider encrypting the config file at rest using tools like ansible-vault or sops.

lamindb — 🟡 MEDIUM

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

    The skill does not declare an allowed-tools field in the YAML manifest. While this is optional per the spec, the skill's reference documentation includes code examples that perform network calls (REST API integration, cloud storage access), file system operations, and database connections. Without an allowed-tools declaration, there is no manifest-level constraint on what tools the agent may use when following these instructions. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the YAML manifest to constrain agent tool usage to only what is necessary for LaminDB operations (e.g., Read, Write, Python, Bash).

  • 🔵 LOW LLM_PROMPT_INJECTION — Multiple Referenced Files Not Found in Skill Package

    The skill references numerous files that are not present in the package (assets/, templates/ directories, and several .py files like bionty.py, wandb.py, lamindb.py, joblib.py, anndata.py). When the agent attempts to read these missing files, it may fall back to external sources or hallucinate content. The missing .py files are particularly notable as they share names with real Python packages, which could cause confusion about whether they are local skill files or external library imports. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package. Remove references to files that do not exist. Rename any local .py files to avoid naming conflicts with well-known Python packages (bionty, wandb, lamindb, joblib, anndata).

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Description Inflating Activation Scope

    The skill description is extremely broad, claiming to cover data management, annotation, ontologies, schema validation, integrations with multiple workflow managers and MLOps platforms, and deployment strategies. While this may reflect the actual scope of LaminDB, the description could cause the skill to be activated for a very wide range of queries, potentially displacing more specific skills. The description uses many trigger keywords that could inflate activation frequency. File: SKILL.md Remediation: Consider narrowing the description to the core use case (LaminDB-specific operations) and avoid listing every possible sub-capability as activation triggers. This reduces unintended skill activation.

  • 🟡 MEDIUM LLM_PROMPT_INJECTION — External REST API and Database Integration Instructions May Enable Indirect Prompt Injection

    The integrations reference file includes instructions for fetching data from arbitrary external REST APIs and external databases, then saving the results as LaminDB artifacts. The code examples use user-supplied or dynamically constructed URLs and SQL queries without input validation. If an attacker controls the external API response or database content, they could embed malicious instructions that the agent processes as trusted content when loading and analyzing the fetched data. File: references/integrations.md Remediation: Add explicit warnings that data fetched from external APIs and databases should be treated as untrusted. Recommend input validation and sanitization before processing external data. Avoid constructing SQL queries from user-supplied input without parameterization.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Credential Handling Examples Without Security Warnings

    The setup-deployment reference file includes examples that set AWS and GCP credentials via environment variables and hardcode database connection strings with passwords in plaintext within command-line examples. While these are documentation examples rather than executable scripts, the agent may reproduce these patterns verbatim when assisting users, potentially encouraging insecure credential handling practices. File: references/setup-deployment.md Remediation: Add explicit security warnings in the documentation examples noting that credentials should never be hardcoded or stored in shell history. Reference the use of secrets managers (AWS Secrets Manager, GCP Secret Manager) or .env files with restricted permissions.

open-notebook — 🟡 MEDIUM

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Exposed in Example Code

    The SKILL.md Quick Start section contains a Python code example that shows an API key being passed directly in the request body with a placeholder value 'sk-...'. While this is a placeholder and not a real key, it demonstrates a pattern that could encourage users to hardcode real API keys in scripts rather than using environment variables or secure credential management. File: SKILL.md Remediation: Update the example to show best practices for credential handling, such as reading the API key from an environment variable: api_key: os.getenv('OPENAI_API_KEY'). Add a note warning users never to hardcode real API keys in scripts.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility Metadata

    The SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the spec, their absence means the agent has no declared tool restrictions, potentially allowing broader tool usage than necessary for this skill's purpose (primarily making HTTP requests to a local API). File: SKILL.md Remediation: Consider adding 'allowed-tools: [Python, Bash]' and 'compatibility' fields to the YAML frontmatter to document the intended execution environment and restrict tool usage to what is actually needed.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in SKILL.md at line 61 contains potentially dangerous Python code. File: SKILL.md:61 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in SKILL.md at line 92 contains potentially dangerous Python code. File: SKILL.md:92 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in SKILL.md at line 105 contains potentially dangerous Python code. File: SKILL.md:105 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in SKILL.md at line 126 contains potentially dangerous Python code. File: SKILL.md:126 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in SKILL.md at line 139 contains potentially dangerous Python code. File: SKILL.md:139 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in SKILL.md at line 157 contains potentially dangerous Python code. File: SKILL.md:157 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in SKILL.md at line 174 contains potentially dangerous Python code. File: SKILL.md:174 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in SKILL.md at line 194 contains potentially dangerous Python code. File: SKILL.md:194 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in references/configuration.md at line 116 contains potentially dangerous Python code. File: references/configuration.md:116 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in references/examples.md at line 17 contains potentially dangerous Python code. File: references/examples.md:17 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in references/examples.md at line 98 contains potentially dangerous Python code. File: references/examples.md:98 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in references/examples.md at line 136 contains potentially dangerous Python code. File: references/examples.md:136 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in references/examples.md at line 182 contains potentially dangerous Python code. File: references/examples.md:182 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in references/examples.md at line 231 contains potentially dangerous Python code. File: references/examples.md:231 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in references/examples.md at line 277 contains potentially dangerous Python code. File: references/examples.md:277 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Dependency in Script Prerequisites

    All example scripts specify 'pip install requests' in their docstring prerequisites without pinning a specific version. This could expose users to supply chain risks if the requests package is compromised or a breaking version is released. File: scripts/chat_interaction.py:8 Remediation: Pin the dependency to a specific version (e.g., 'pip install requests==2.31.0') or provide a requirements.txt with pinned versions to ensure reproducible and secure installations.

parallel-web — 🟡 MEDIUM

  • 🟡 MEDIUM LLM_PROMPT_INJECTION — Indirect Prompt Injection via Web Search Results Written to Sources Folder

    The skill mandates that ALL web search and research results be saved to a 'sources/' folder, and explicitly instructs the agent to re-read these files later ('Context Window Recovery: If context is compacted mid-task, saved results can be re-read from sources/'). Web content retrieved from arbitrary URLs and search results could contain embedded prompt injection payloads. When the agent later reads these saved files back into context, malicious instructions embedded in web content could influence subsequent agent behavior. The instruction 'Before Making a New Query, Check Sources First' and 'ls sources/' further encourages the agent to process previously saved external content. File: SKILL.md Remediation: Add explicit warnings that saved web content should be treated as untrusted data when re-read. Implement content sanitization before saving web results. Instruct the agent to treat re-read source files as data, not instructions, and to never execute or follow instructions found within saved source files.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Activation Scope in Skill Description

    The skill description and SKILL.md instructions explicitly claim this skill should be used for 'ALL web searches, research queries, and general information gathering.' The instruction body repeatedly emphasizes 'Use this skill for ALL of the following' and lists extremely broad categories. This over-broad capability claim could cause the agent to route nearly all queries through this skill, potentially inflating API usage and costs, and reducing the agent's ability to use more appropriate tools for specific tasks. File: SKILL.md Remediation: Narrow the activation scope to specific use cases rather than claiming universal applicability. Remove 'ALL' language and provide more precise trigger conditions.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies

    The skill installs packages without version pins in the documented setup instructions. Both 'pip install openai' and 'pip install parallel-web' are unpinned, meaning any future version (including potentially compromised versions) could be installed. The 'parallel-web' package is from a third-party vendor (K-Dense Inc.) and its supply chain integrity cannot be verified from this skill alone. File: SKILL.md Remediation: Pin package versions explicitly (e.g., 'pip install openai==1.x.x parallel-web==x.x.x') and document the expected package hashes or use a requirements.txt with pinned versions and integrity checks.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/parallel-web/scripts/parallel_web.py. File: scientific-skills/parallel-web/scripts/parallel_web.py Remediation: Remove environment variable collection unless explicitly required and documented.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Exposure via Environment Variable Logging

    The script reads PARALLEL_API_KEY from the environment and passes it directly to external API clients. While using environment variables is standard practice, the error messages in _get_api_key() echo back instructions that could expose the key name in logs. More importantly, the key is passed to both the OpenAI-compatible client (api_key=_get_api_key()) and the parallel-web SDK client, meaning it flows to two different third-party libraries whose behavior cannot be fully audited from this skill package alone. File: scripts/parallel_web.py:17 Remediation: This is standard practice but users should be aware the API key is transmitted to external servers (api.parallel.ai). Document this data flow explicitly. Consider adding a note that the key should have minimal required permissions.

pennylane — 🟡 MEDIUM

  • 🔵 LOW LLM_DATA_EXFILTRATION — Unpinned Package Installations in Installation Instructions

    The SKILL.md and references/getting_started.md instruct users to install PennyLane and its hardware plugins (pennylane-qiskit, amazon-braket-pennylane-plugin, pennylane-cirq, pennylane-rigetti, pennylane-ionq) without version pinning. This means any future compromised or malicious version of these packages could be installed, potentially leading to supply chain attacks or unexpected behavior changes. File: SKILL.md Remediation: Pin all package versions explicitly, e.g., 'uv pip install pennylane==0.38.0'. Maintain a requirements.txt or pyproject.toml with pinned versions and hash verification.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md YAML frontmatter does not specify the 'allowed-tools' field. While this is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools this skill can use, potentially allowing broader tool access than necessary for a quantum computing documentation skill. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing only the tools required for this skill's operation, following the principle of least privilege.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Third-Party Quantum Hardware Plugin Dependencies

    Multiple hardware plugins are recommended for installation without version constraints. These plugins (pennylane-qiskit, amazon-braket-pennylane-plugin, pennylane-cirq, pennylane-rigetti, pennylane-ionq) are third-party packages that interface with external quantum hardware providers. Without version pinning, a compromised upstream package could introduce malicious code into the agent's execution environment. File: SKILL.md Remediation: Pin all plugin versions. Verify package integrity using checksums. Consider using a private package mirror or vendoring dependencies for production use.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — IBM Quantum API Token Hardcoding Pattern in Reference Documentation

    The references/devices_backends.md file includes a code example that shows an IBM Quantum API token being passed as a string literal ('YOUR_API_TOKEN') directly in code. While this is a placeholder, the pattern encourages users to hardcode API tokens in their scripts, which could lead to credential exposure if scripts are shared or committed to version control. The static analyzer also flagged environment variable access with network calls, which is consistent with this pattern. File: references/devices_backends.md Remediation: Replace hardcoded token examples with environment variable patterns: ibmqx_token=os.environ.get('IBMQ_API_TOKEN'). Add explicit warnings in documentation against hardcoding credentials. Recommend using credential management tools or environment variables.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — IonQ API Key Hardcoding Pattern in Reference Documentation

    The references/devices_backends.md file includes a code example showing an IonQ API key passed as a string literal ('your_api_key') directly in device initialization code. This pattern encourages credential hardcoding. Combined with the static analyzer finding of environment variable access with network calls, this represents a data exposure risk. File: references/devices_backends.md Remediation: Replace hardcoded API key examples with environment variable patterns: api_key=os.environ.get('IONQ_API_KEY'). Add explicit security warnings in documentation. Recommend using secrets management solutions.

perplexity-search — 🟡 MEDIUM

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Dependency Installation

    The skill instructs users to install litellm and python-dotenv without version pins (e.g., 'uv pip install litellm'). Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be published and automatically installed. LiteLLM is a large dependency with broad network access capabilities. File: SKILL.md Remediation: Pin dependencies to specific versions (e.g., 'uv pip install litellm==1.x.x'). Provide a requirements.txt or pyproject.toml with pinned versions and hash verification.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/perplexity-search/scripts/perplexity_search.py File: scientific-skills/perplexity-search/scripts/perplexity_search.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/perplexity-search/scripts/setup_env.py File: scientific-skills/perplexity-search/scripts/setup_env.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔵 LOW LLM_DATA_EXFILTRATION — Environment Variable Access Combined with External Network Calls

    The static analyzer flagged a cross-file exfiltration chain: setup_env.py reads/writes the OPENROUTER_API_KEY environment variable, and perplexity_search.py reads the same variable and passes it to LiteLLM which makes external network calls. While this is the intended and legitimate behavior of the skill (the API key is needed to authenticate with OpenRouter), it is worth noting that the API key is transmitted to an external service (openrouter.ai) on every query. This is expected behavior but represents a data flow that users should be aware of. File: scripts/perplexity_search.py:68 Remediation: This is expected behavior. Ensure users understand their queries and API key are transmitted to OpenRouter/Perplexity. Document data privacy implications clearly. Consider adding a notice about query logging by third-party services.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Written to .env File Without Gitignore Enforcement

    The setup_env.py script writes the OpenRouter API key to a .env file on disk. While the SKILL.md documentation mentions adding .env to .gitignore, the script itself does not check for or create a .gitignore entry, nor does it warn the user if the .env file is in a git-tracked directory. This could lead to accidental credential exposure if the user commits the .env file. File: scripts/setup_env.py:38 Remediation: After writing the .env file, check if the directory is a git repository and warn the user if .env is not in .gitignore. Optionally, automatically add .env to .gitignore.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Passed via CLI Argument (Potential Exposure in Process List)

    The setup_env.py script accepts the OpenRouter API key as a command-line argument (--api-key). On multi-user systems, command-line arguments are visible in the process list (e.g., via 'ps aux'), which could expose the API key to other users on the same machine. Additionally, the script echoes the raw API key in its 'Next steps' output, which could be captured in logs or terminal history. File: scripts/setup_env.py:113 Remediation: Avoid accepting secrets as CLI arguments. Use interactive prompts (getpass module) or read from a file. Mask the key in any output. Ensure shell history is not recording the key.
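    A setup helper that closes the two gaps above (the .env file written without a .gitignore check, and the key taken from argv and echoed back), added here as an illustration and not taken from the perplexity-search skill's setup_env.py. The helper names are hypothetical. The .gitignore check is deliberately minimal (top-level file, whole-line patterns only); when git is available, `git check-ignore -q .env` is the authoritative answer.

```python
import getpass
import os
import tempfile
from pathlib import Path
from typing import List, Optional

# Whole-line .gitignore entries a human would write to exclude .env. Nested
# .gitignore files, negations and arbitrary globs are out of scope here.
ENV_IGNORE_LINES = {".env", "/.env", "*.env", ".env*"}


def mask_secret(value: str, keep: int = 4) -> str:
    """Return the secret with all but the last `keep` characters starred."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def read_secret(env_var: str = "OPENROUTER_API_KEY") -> str:
    """Take the key from an exported variable or an echo-free prompt.

    It is never accepted as a CLI flag: argv is visible to every local user in
    `ps` and is recorded in shell history.
    """
    return os.environ.get(env_var) or getpass.getpass(f"{env_var}: ")


def find_git_root(start: Path) -> Optional[Path]:
    for candidate in (start, *start.parents):
        if (candidate / ".git").exists():
            return candidate
    return None


def env_file_ignored(git_root: Path) -> bool:
    """True if the repository's top-level .gitignore excludes .env."""
    gitignore = git_root / ".gitignore"
    if not gitignore.is_file():
        return False
    for raw in gitignore.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and line in ENV_IGNORE_LINES:
            return True
    return False


def write_env_file(target_dir: Path, var_name: str, value: str) -> List[str]:
    """Write VAR=value to target_dir/.env with mode 0600; return any warnings."""
    if "\n" in value or "\r" in value:
        raise ValueError("secret must not contain newlines (it would add extra .env entries)")
    path = target_dir / ".env"
    # O_NOFOLLOW: do not write through a symlink someone planted at .env
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(f"{var_name}={value}\n")
    os.chmod(path, 0o600)  # a pre-existing file would otherwise keep its old mode
    warnings: List[str] = []
    root = find_git_root(target_dir.resolve())
    if root is not None and not env_file_ignored(root):
        warnings.append(
            f"{path} is inside the git repository at {root} and .env is not in "
            f"{root / '.gitignore'}; add it before committing."
        )
    return warnings


def demo() -> dict:
    """Constructed scenario: a repo without a .gitignore entry, then with one."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".git").mkdir()
        key = "sk-or-v1-constructed0000example"  # constructed, not a real key
        first = write_env_file(repo, "OPENROUTER_API_KEY", key)
        mode = oct((repo / ".env").stat().st_mode & 0o777)
        (repo / ".gitignore").write_text("# secrets\n.env\n", encoding="utf-8")
        second = write_env_file(repo, "OPENROUTER_API_KEY", key)
        return {
            "warned_before_gitignore": len(first) == 1,
            "warned_after_gitignore": len(second) == 1,
            "mode": mode,
            "content": (repo / ".env").read_text(encoding="utf-8"),
            "shown": f"Next steps: key {mask_secret(key)} written to .env",
        }
```

    The warning is returned rather than printed so a caller can decide whether to abort; the masked form is what any "Next steps" message should show.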

phylogenetics — 🟡 MEDIUM

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

    The skill manifest does not specify a license or compatibility field. While not a direct security threat, missing provenance information reduces auditability and trust assessment of the skill package. File: SKILL.md Remediation: Add a valid SPDX license identifier (e.g., 'MIT', 'Apache-2.0') and specify compatibility (e.g., 'Claude.ai, Claude Code, API') in the YAML frontmatter.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Referenced Files Not Found (matplotlib.py, ete3.py)

    The SKILL.md references two files (matplotlib.py and ete3.py) that are not present in the skill package. While these appear to be library references rather than actual local files, their absence creates ambiguity about the skill's actual dependencies and could indicate incomplete packaging. File: SKILL.md Remediation: Clarify whether these are intended as local files or external library references. If they are meant to be bundled files, include them in the package. If they are library imports, remove them from the referenced files list.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

    The skill does not declare an 'allowed-tools' field in its YAML manifest. While this field is optional per the spec, the skill executes Bash subprocesses (mafft, iqtree2, FastTree) and Python code. Declaring allowed tools improves transparency and enables runtime enforcement. File: SKILL.md Remediation: Add 'allowed-tools: [Bash, Python]' to the YAML frontmatter to explicitly declare the tools this skill requires.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Dependency Installation

    The skill instructs users to install dependencies via conda and pip without version pinning. This creates a supply chain risk where a compromised or updated package version could introduce malicious behavior. File: SKILL.md:18 Remediation: Pin dependency versions explicitly, e.g., 'pip install ete3==3.1.3' and use conda environment files with pinned versions to ensure reproducible and auditable installations.

  • 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

    Code block in SKILL.md at line 67 contains potentially dangerous Python code. File: SKILL.md:67 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

    Code block in SKILL.md at line 100 contains potentially dangerous Python code. File: SKILL.md:100 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

    Code block in SKILL.md at line 143 contains potentially dangerous Python code. File: SKILL.md:143 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

    Code block in SKILL.md at line 198 contains potentially dangerous Python code. File: SKILL.md:198 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Bootstrap and Thread Parameters Without Validation

    The script accepts user-controlled --bootstrap and --threads parameters that are passed directly to IQ-TREE and MAFFT without upper-bound validation. A user could specify extremely large values (e.g., --bootstrap 100000 --threads 9999) causing excessive resource consumption. File: scripts/phylogenetic_analysis.py:155 Remediation: Add reasonable upper bounds for bootstrap replicates (e.g., max 10000) and thread count (e.g., max os.cpu_count()) with validation before passing to subprocess calls.
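    The bounds check the remediation asks for, together with an argv-list subprocess call that addresses the MDBLOCK_PYTHON_SUBPROCESS findings above, added here as an illustration and not taken from the phylogenetics skill's phylogenetic_analysis.py. The names are hypothetical. It assumes the iqtree2 options -s (alignment), -B (ultrafast bootstrap replicates) and -T (threads) and IQ-TREE's own floor of 1000 ultrafast bootstrap replicates; check both against the installed version.

```python
import argparse
import os
import subprocess
from pathlib import Path
from typing import Callable, List, Union

MIN_BOOTSTRAP = 1_000           # IQ-TREE rejects fewer ultrafast bootstrap replicates (assumed)
MAX_BOOTSTRAP = 10_000          # the upper bound the finding recommends
MAX_THREADS = os.cpu_count() or 1


def bounded_int(lo: int, hi: int) -> Callable[[str], int]:
    """argparse `type` that rejects values outside [lo, hi] at parse time."""
    def convert(text: str) -> int:
        try:
            value = int(text)
        except ValueError:
            raise argparse.ArgumentTypeError(f"{text!r} is not an integer")
        if not lo <= value <= hi:
            raise argparse.ArgumentTypeError(f"{value} is outside the allowed range {lo}..{hi}")
        return value
    return convert


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(description="Maximum-likelihood tree with bounded resource use")
    parser.add_argument("alignment", type=Path, help="aligned FASTA file")
    parser.add_argument("--bootstrap", type=bounded_int(MIN_BOOTSTRAP, MAX_BOOTSTRAP),
                        default=MIN_BOOTSTRAP,
                        help=f"ultrafast bootstrap replicates ({MIN_BOOTSTRAP}..{MAX_BOOTSTRAP})")
    parser.add_argument("--threads", type=bounded_int(1, MAX_THREADS), default=1,
                        help=f"worker threads (1..{MAX_THREADS} on this host)")
    return parser


def parse_args(argv: List[str]) -> argparse.Namespace:
    return build_parser().parse_args(argv)


def is_valid(argv: List[str]) -> bool:
    """argparse reports a bad value on stderr and exits; surface that as a bool."""
    try:
        parse_args(argv)
        return True
    except SystemExit:
        return False


def iqtree_command(alignment: Union[Path, str], bootstrap: int, threads: int) -> List[str]:
    """argv list, never a shell string: a filename such as 'aln; rm -rf ~.fa'
    stays one argument because no shell ever parses it."""
    return ["iqtree2", "-s", str(alignment), "-B", str(bootstrap), "-T", str(threads)]


def run_iqtree(args: argparse.Namespace, timeout_s: float = 6 * 3600) -> subprocess.CompletedProcess:
    """shell=False (the default), a wall-clock timeout, and check=True so failures raise."""
    return subprocess.run(iqtree_command(args.alignment, args.bootstrap, args.threads),
                          check=True, timeout=timeout_s, capture_output=True, text=True)


if __name__ == "__main__":
    import sys
    run_iqtree(parse_args(sys.argv[1:]))
```

    Because the bound is enforced by the argparse type, `--bootstrap 100000` or `--threads 9999` never reaches subprocess.run; the same pattern applies to the MAFFT invocation.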

protocolsio-integration — 🟡 MEDIUM

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Provenance Metadata

    The skill manifest does not specify a license (listed as 'Unknown') and does not specify compatibility. The skill-author is listed as 'K-Dense Inc.' but there is no version field or provenance information. This reduces auditability and makes it harder to assess trustworthiness of the skill package. File: SKILL.md Remediation: Add a valid SPDX license identifier, version number, and compatibility information to the YAML manifest. Ensure provenance is clearly documented.

  • 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Retry Logic in Error Handling Example

    The error handling example in SKILL.md implements retry logic with exponential backoff bounded by a max_retries parameter of 3. With a sleep of 2 ** attempt seconds per retry, the backoff itself adds only a few seconds in total (1 + 2 + 4 s, or 2 + 4 + 8 s depending on whether attempt counts from 0 or 1), so the retries alone cannot hang an agent. The real gap is that the requests.get call carries no timeout argument: requests waits indefinitely by default, so a single stalled connection blocks the workflow regardless of the retry bound, and the skill encourages reusing this pattern broadly without stating a maximum total wait time. File: SKILL.md Remediation: Pass an explicit timeout to every requests.get call, add a maximum total wait (a deadline) to the retry function, and document the resulting worst-case wait time.
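    A retry helper with both bounds the remediation asks for, added here as an illustration and not taken from the protocols.io skill's SKILL.md snippet. `get` is any requests.get-compatible callable (it takes the URL and a timeout= keyword and returns an object with .status_code); the demo passes a constructed fake transport and a virtual clock so it runs offline in no time. The names and the example URL are hypothetical.

```python
import time
from dataclasses import dataclass, field
from typing import Any, Callable, List, Tuple


@dataclass
class RetryResult:
    response: Any
    attempts: int
    sleeps: List[float] = field(default_factory=list)


class RetryError(Exception):
    """Retries or the overall deadline were exhausted; `result` holds the history."""

    def __init__(self, message: str, result: RetryResult) -> None:
        super().__init__(message)
        self.result = result


def get_with_retry(
    get: Callable[..., Any],
    url: str,
    *,
    max_retries: int = 3,
    request_timeout: float = 10.0,
    max_total_wait: float = 30.0,
    transient_errors: Tuple[type, ...] = (OSError,),  # requests' Timeout/ConnectionError derive from OSError
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> RetryResult:
    """Retry 5xx/429 responses and transient errors with 1, 2, 4 ... second backoff.

    Two independent bounds apply: max_retries caps the retry count and
    max_total_wait caps wall-clock time across both the sleeps and each
    request's timeout, so the worst case is known in advance.
    """
    deadline = clock() + max_total_wait
    result = RetryResult(response=None, attempts=0)
    while True:
        remaining = deadline - clock()
        if remaining <= 0:
            raise RetryError(f"deadline of {max_total_wait}s exhausted", result)
        result.attempts += 1
        try:
            # a single request may never outlive the overall deadline
            response = get(url, timeout=min(request_timeout, remaining))
            retry = response.status_code >= 500 or response.status_code == 429
        except transient_errors:
            response, retry = None, True
        if not retry:
            result.response = response
            return result
        if result.attempts > max_retries:
            raise RetryError(f"gave up after {result.attempts} attempts", result)
        # exponential backoff, truncated so the sleep ends at or before the deadline
        delay = max(0.0, min(2.0 ** (result.attempts - 1), deadline - clock()))
        result.sleeps.append(delay)
        sleep(delay)


class _VirtualClock:
    """Constructed clock: sleeping advances time, so the demo runs instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class _Response:
    def __init__(self, status_code: int) -> None:
        self.status_code = status_code


def _fake_transport(statuses: List[int]):
    """Constructed stand-in for requests.get: serves the given status codes in
    order and records the timeout it was handed on each call."""
    queue, timeouts = list(statuses), []

    def get(url: str, timeout: float) -> _Response:
        timeouts.append(timeout)
        return _Response(queue.pop(0))
    return get, timeouts


def demo() -> dict:
    url = "https://example.invalid/protocols"  # constructed; nothing is contacted
    out = {}
    clock = _VirtualClock()
    get, timeouts = _fake_transport([503, 503, 200])
    ok = get_with_retry(get, url, sleep=clock.sleep, clock=clock.time)
    out["recovered"] = (ok.response.status_code, ok.attempts, ok.sleeps, timeouts)
    clock = _VirtualClock()
    get, _ = _fake_transport([503] * 10)
    try:
        get_with_retry(get, url, sleep=clock.sleep, clock=clock.time)
    except RetryError as exc:
        out["retries_exhausted"] = (exc.result.attempts, exc.result.sleeps)
    clock = _VirtualClock()
    get, timeouts = _fake_transport([503] * 10)
    try:
        get_with_retry(get, url, max_total_wait=2.5, sleep=clock.sleep, clock=clock.time)
    except RetryError as exc:
        out["deadline_hit"] = (exc.result.attempts, exc.result.sleeps, timeouts)
    return out
```

    With the defaults the worst case is documented by the parameters themselves: at most 4 requests of at most 10 s each plus 7 s of backoff, and never more than 30 s in total.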

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Description in Skill Manifest

    The skill description is very broad, claiming to handle a wide range of operations including search, create, update, publish, manage steps/materials, handle discussions, organize workspaces, upload files, and integrate workflows. While this matches the actual documented functionality, the description is expansive enough to trigger the skill for a very wide range of scientific workflow queries, potentially leading to over-activation. The compatibility and allowed-tools fields are not specified, reducing transparency about the skill's operational scope. File: SKILL.md Remediation: Narrow the description to the most common use cases. Add allowed-tools and compatibility fields to the YAML manifest for transparency. Consider splitting into more focused sub-skills if the scope is too broad.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in SKILL.md at line 283 contains potentially dangerous Python code. File: SKILL.md:283 Remediation: Review the code block for security implications.

  • 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

    Code block in SKILL.md at line 310 contains potentially dangerous Python code. File: SKILL.md:310 Remediation: Review the code block for security implications.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Token Handling Guidance May Encourage Insecure Practices

    The skill instructions and reference files repeatedly use placeholder tokens like 'YOUR_ACCESS_TOKEN' in example code snippets. While the best practices section advises against storing tokens in code, the numerous inline examples with hardcoded placeholder patterns could normalize the practice of embedding tokens directly in code. The OAuth flow documentation also handles client_secret in request parameters, which could be misused. File: references/authentication.md Remediation: Add explicit warnings in all code examples that tokens must never be hardcoded. Reference environment variable or secrets manager patterns in all examples rather than placeholder strings.

pufferlib — 🟡 MEDIUM

  • 🔵 LOW LLM_DATA_EXFILTRATION — Multiple Referenced Files Not Found in Skill Package

    The SKILL.md instructions reference numerous files that do not exist in the skill package: torch.py, gymnasium.py, pufferlib.py, assets/training.md, assets/environments.md, assets/vectorization.md, assets/policies.md, assets/integration.md, templates/environments.md, templates/policies.md, templates/integration.md, templates/training.md, templates/vectorization.md. If an agent attempts to read these missing files from user-controlled or external locations, it could be directed to load malicious content. Additionally, the presence of stub filenames like torch.py and gymnasium.py in the referenced list could shadow legitimate installed packages if the agent resolves them relative to the skill directory. File: SKILL.md Remediation: Remove references to non-existent files from the instructions, or include the files in the skill package. Ensure that stub filenames like torch.py and gymnasium.py are not present in the skill directory to avoid shadowing installed Python packages.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md manifest does not declare an allowed-tools field. While this field is optional per the spec, its absence means there are no declared restrictions on what agent tools this skill may use. The skill executes Python scripts that perform file I/O, network calls (via WandB/Neptune loggers), and subprocess-level operations (torchrun distributed training). Declaring allowed-tools would improve transparency and help agents enforce least-privilege. File: SKILL.md Remediation: Add an explicit allowed-tools field to the YAML frontmatter listing the tools actually needed, e.g., allowed-tools: [Python, Bash]. This improves security posture and agent trust decisions.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Neptune API Token Stored in Logger Configuration Dictionary

    When the Neptune logger is initialized, the API token is passed directly into the logger and also serialized into the config dictionary via config=vars(args). This means the token may be logged to experiment tracking systems (WandB, Neptune) or written to checkpoint metadata, potentially exposing it in logs or remote systems. File: scripts/train_template.py:107 Remediation: Exclude sensitive fields like neptune_token from the config dictionary before passing it to any logger. Use a filtered copy: safe_config = {k: v for k, v in vars(args).items() if 'token' not in k}. Note that this filter only matches keys containing 'token'; extend it to other secret-like names (key, secret, password) so that any other credential-carrying argument is filtered as well.

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Neptune API Token Passed via Command-Line Argument

    The training template script accepts a Neptune API token as a plain command-line argument (--neptune-token). Command-line arguments are visible in process listings (e.g., ps aux), shell history, and system logs. This exposes the API token to any user or process that can read process information on the system. File: scripts/train_template.py:176 Remediation: Use environment variables or a secrets manager to pass API tokens. For example, read the token from os.environ.get('NEPTUNE_API_TOKEN') rather than accepting it as a CLI argument. Document this in the skill instructions.
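    The remediation for both Neptune findings in one piece: no token flag in the parser, the token read from the environment, and the config dictionary redacted before it reaches any logger. Added here as an illustration and not taken from the pufferlib skill's train_template.py; the parser options and helper names are hypothetical, and NEPTUNE_API_TOKEN is the variable the finding recommends.

```python
import argparse
import os
from typing import Any, Dict, List, Mapping, Optional

# Key fragments that mark a config entry as a secret. A bare 'key' would also
# match harmless names such as 'keyframes', so 'key' is only matched as a suffix.
SECRET_FRAGMENTS = ("token", "secret", "password", "passwd", "credential", "api_key", "apikey")


def is_secret_key(name: str) -> bool:
    n = name.lower().replace("-", "_")
    return any(f in n for f in SECRET_FRAGMENTS) or n == "key" or n.endswith("_key")


def redact_config(config: Mapping[str, Any], placeholder: str = "<redacted>") -> Dict[str, Any]:
    """Copy of `config` that is safe for config= of a logger or for checkpoint metadata."""
    out: Dict[str, Any] = {}
    for k, v in config.items():
        if is_secret_key(str(k)):
            out[k] = placeholder if v not in (None, "") else v   # keep 'unset' visible
        elif isinstance(v, Mapping):
            out[k] = redact_config(v, placeholder)               # nested logger sections
        else:
            out[k] = v
    return out


def build_parser() -> argparse.ArgumentParser:
    """No --neptune-token option: argv is readable by every local user via ps."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--env-name", default="puffer_env")      # hypothetical option
    parser.add_argument("--lr", type=float, default=3e-4)
    parser.add_argument("--neptune-project", default=None)
    return parser


def resolve_neptune_token(env: Mapping[str, str] = os.environ) -> Optional[str]:
    """Read the token from the environment (or a secrets manager), never from argv."""
    return env.get("NEPTUNE_API_TOKEN")


def logger_config(argv: List[str]) -> Dict[str, Any]:
    """What to hand to config= instead of raw vars(args)."""
    return redact_config(vars(build_parser().parse_args(argv)))


def demo() -> Dict[str, Any]:
    """Constructed dict in the shape vars(args) had in the flagged script."""
    args_dict = {
        "env_name": "x",
        "lr": 3e-4,
        "neptune_token": "eyJ-constructed-token",
        "wandb": {"api_key": "wb-constructed", "entity": "lab"},
        "keyframes": 8,
    }
    return redact_config(args_dict)
```

    The logger itself still receives the real token, through its own argument or the environment; only the copy that gets serialized is scrubbed.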

pymatgen — 🟡 MEDIUM

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Exposed in Instruction Examples

    The SKILL.md instructions contain placeholder API key examples such as export MP_API_KEY="your_api_key_here" and with MPRester("your_api_key_here") as mpr:. While these are placeholders and not real secrets, the instructions normalize passing API keys as string literals in code, which could encourage users to hardcode real API keys. The references/materials_project_api.md also shows explicit API key passing: with MPRester("your_api_key_here") as mpr:. This is a documentation/guidance concern rather than an active exfiltration threat. File: SKILL.md Remediation: Remove all examples showing API keys passed as string literals. Only show the environment variable approach. Add explicit warnings against hardcoding API keys in code.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility and Allowed-Tools Metadata

    The SKILL.md manifest does not specify the compatibility or allowed-tools fields. The skill executes Python scripts (structure_analyzer.py, phase_diagram_generator.py, structure_converter.py) that perform file I/O, network calls to the Materials Project API, and write output files. Without declared allowed-tools, the agent's tool usage is unconstrained by the manifest. This is an informational finding per the spec (allowed-tools is optional), but the absence of compatibility information means users cannot easily assess where the skill can be safely deployed. File: SKILL.md Remediation: Add allowed-tools: [Python, Bash, Read, Write] and compatibility: Claude Code, API to the YAML frontmatter to make the skill's requirements explicit.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies

    The SKILL.md installation instructions use unpinned package versions: uv pip install pymatgen, uv pip install pymatgen mp-api, uv pip install pymatgen[analysis], etc. No version pins are specified. This means the skill could install any future version of pymatgen or mp-api, including potentially compromised versions. The skill does specify minimum version requirements in prose (pymatgen >= 2023.x, Python 3.10+) but does not enforce these in installation commands. File: SKILL.md Remediation: Pin package versions in installation instructions, e.g., uv pip install pymatgen==2024.x.x mp-api==0.x.x. Consider providing a requirements.txt or pyproject.toml with pinned dependencies.

  • 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

    Script iterates through environment variables in scientific-skills/pymatgen/scripts/phase_diagram_generator.py File: scientific-skills/pymatgen/scripts/phase_diagram_generator.py Remediation: Remove environment variable collection unless explicitly required and documented

  • 🔵 LOW LLM_DATA_EXFILTRATION — Environment Variable Access Combined with Network Calls

    The phase_diagram_generator.py script reads the MP_API_KEY environment variable via os.environ.get('MP_API_KEY') and then passes it directly to MPRester for network calls to the Materials Project API. While this is the intended and documented behavior for this legitimate materials science tool, the static analyzer flagged this pattern as a potential env var exfiltration chain. In this context, the behavior is expected and benign: the API key is used solely to authenticate with the official Materials Project API (materialsproject.org), not sent to any suspicious third-party endpoint. No other environment variables are harvested. File: scripts/phase_diagram_generator.py Remediation: This is expected behavior for the Materials Project integration. No remediation required. Consider adding a comment in the code clarifying that the API key is only used for the official Materials Project API to make intent explicit.

statsmodels — 🟡 MEDIUM

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Multiple Referenced Script Files Not Found in Package

    The skill references several Python script files (statsmodels.py, matplotlib.py, sklearn.py, scipy.py) and multiple template/asset markdown files that are not present in the package. The static pre-scan flagged cross-file exfiltration chains across 3 files and environment variable exfiltration with network calls. While the found reference files (references/*.md) appear benign, the missing files cannot be audited. If these files exist at runtime and contain malicious code (e.g., env var harvesting + network exfiltration as flagged by static analysis), they would pose a critical risk. The absence of these files from the provided package prevents full security verification. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package for auditing. Investigate the flagged behaviors (env var access + network calls across 3 files) in the missing scripts. If these scripts are wrappers or helpers, review them for data exfiltration patterns before deployment.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

    The skill does not declare an 'allowed-tools' field in its YAML manifest. While this is optional per the agent skills spec, it means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be invoked. Given the skill's broad statistical modeling scope, documenting intended tool usage would improve transparency. File: SKILL.md Remediation: Add an 'allowed-tools' field to the YAML frontmatter specifying which tools are needed, e.g., allowed-tools: [Python, Read].

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Metadata

    The skill does not declare a 'compatibility' field in its YAML manifest. This is informational but reduces transparency about where the skill is intended to operate. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter, e.g., compatibility: Works in Claude.ai, Claude Code, API.

vaex — 🟡 MEDIUM

  • 🟡 MEDIUM LLM_DATA_EXFILTRATION — Static Analyzer Flags Cross-File Exfiltration Chain and Environment Variable Exfiltration

    The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls) and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain across 2 files) and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION. However, the provided skill content (SKILL.md and all referenced markdown files) contains no Python or Bash scripts with such behavior; the referenced 'vaex.py' file was not found. The static analyzer detected 6 Python files in the inventory but none were provided for review. This discrepancy is a significant concern: there may be unrevealed Python scripts in the skill package that perform environment variable harvesting and network exfiltration that were not included in the analysis input. File: SKILL.md Remediation: Obtain and review all 6 Python files flagged by the static analyzer. Specifically inspect vaex.py and any co-located scripts for environment variable reads (os.environ, os.getenv) combined with outbound network calls (requests, urllib, socket, subprocess). Remove any such patterns or justify their necessity with explicit user consent flows.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

    The skill does not specify the 'allowed-tools' field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be invoked. Given the skill's scope involves file I/O and data processing, documenting allowed tools would improve transparency. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools the skill requires, e.g., allowed-tools: [Read, Write, Python].

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Metadata

    The skill does not specify the 'compatibility' field in its YAML manifest. This is a minor documentation gap that reduces transparency about where the skill is intended to operate. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments, e.g., compatibility: Works in Claude.ai, Claude Code, API.

xlsx — 🟡 MEDIUM

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Overly Broad Skill Activation Description

    The skill description is extremely broad and contains extensive keyword enumeration designed to maximize activation across a wide range of user requests involving spreadsheets. Phrases like 'trigger especially when the user references a spreadsheet file by name or path — even casually' and the long list of file types and operations (.xlsx, .xlsm, .csv, .tsv) combined with explicit activation guidance ('Also trigger for cleaning or restructuring...') constitute keyword baiting and over-broad capability claims that could cause the skill to activate in unintended contexts. File: SKILL.md Remediation: Narrow the description to clearly describe what the skill does functionally rather than providing extensive activation trigger guidance. Activation logic should be handled by the agent framework, not embedded in the skill description as keyword bait.

  • 🟡 MEDIUM LLM_COMMAND_INJECTION — Dynamic Compilation and LD_PRELOAD Injection of Native Shared Library

    The soffice.py script dynamically compiles a C source file (_SHIM_SOURCE) into a shared library (lo_socket_shim.so) in the system temp directory and then injects it into LibreOffice via LD_PRELOAD. While the C source is hardcoded in the script and the stated purpose is to work around AF_UNIX socket restrictions in sandboxed environments, this pattern is inherently dangerous: (1) it writes executable native code to a world-writable temp directory, where another local user could create a file of that name before the first run; (2) it uses LD_PRELOAD to intercept system calls (socket, listen, accept, close, read) in a child process; and (3) if the temp directory or the script itself were compromised (e.g., via a supply-chain attack or path traversal), an attacker could substitute malicious code. The shim intercepts low-level socket and file descriptor operations, giving it broad access to LibreOffice's I/O. File: scripts/office/soffice.py Remediation: 1. Compile the shim into a directory only the current user can write to (a per-user cache directory created with mode 0700, or a fresh tempfile.mkdtemp() on every run) rather than a fixed path under the shared temp directory. 2. Verify the integrity of the compiled .so before use. Pinning a hash of the .so inside the script is fragile because the bytes depend on the local toolchain; recording the hash at build time in the same private directory and checking it before reuse is more practical. 3. Do not trust a pre-existing .so unconditionally (the script currently checks only whether the file exists). 4. Consider an alternative approach that does not require runtime native code compilation and LD_PRELOAD injection.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Environment Variable Access in soffice.py

    The soffice.py helper calls os.environ.copy() to build an environment dictionary that is passed to subprocess calls running LibreOffice. While this is a common and generally legitimate pattern for propagating the environment to child processes, it means the full process environment (which may contain secrets, API keys, tokens, or other sensitive values) is copied and forwarded to the soffice subprocess. The static analyzer flagged this as a potential env-var exfiltration chain across files (soffice.py → recalc.py). In practice, the environment is passed to a local LibreOffice process rather than an external server, so the risk is low, but it is worth noting. File: scripts/office/soffice.py Remediation: Consider passing only the specific environment variables required by LibreOffice rather than copying the entire environment. Use an allowlist of known-safe variables (PATH, HOME, DISPLAY, etc.) instead of os.environ.copy().
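    One way to implement the remediations for the two soffice.py findings above (a private, integrity-checked location for the LD_PRELOAD shim, and an allowlisted child environment instead of os.environ.copy()), added here as an illustration and not taken from the xlsx skill. The compile step is injected as a callable so the example runs without a C toolchain; the directory layout, the allow-list and the helper names are hypothetical.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable, Dict, Mapping, Optional

# Only what a headless LibreOffice needs to start. Nothing else from the parent
# environment (API keys, tokens) is forwarded to the child process.
ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR", "DISPLAY")


def child_env(shim: Optional[Path] = None, base: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Minimal environment for the soffice subprocess, replacing os.environ.copy()."""
    source = os.environ if base is None else base
    env = {k: source[k] for k in ENV_ALLOWLIST if k in source}
    if shim is not None:
        env["LD_PRELOAD"] = str(shim)
    return env


def ensure_private_dir(path: Path) -> Path:
    """A directory only this user can enter or write.

    A fixed name under the shared temp directory is avoided: anyone could
    pre-create it, and a file found there would be trusted on the next run.
    """
    path.mkdir(mode=0o700, parents=True, exist_ok=True)
    st = path.lstat()                        # lstat: never follow a planted symlink
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a directory")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise RuntimeError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        os.chmod(path, 0o700)                # exist_ok=True keeps an old, looser mode
    return path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def ensure_shim(shim_dir: Path, source: str, compile_fn: Callable[[str, Path], None]) -> Path:
    """Return a trusted shared object built from `source`, rebuilding when needed.

    The file is named after the hash of the source, so edited source never
    reuses an old build. The hash of the compiled bytes is recorded at build
    time (a hash pinned in the script would break on every toolchain change)
    and checked before reuse: a mismatch means a stale or replaced file and
    triggers a rebuild instead of an unconditional LD_PRELOAD. The private
    directory is what keeps other users out; the hash catches everything else.
    """
    ensure_private_dir(shim_dir)
    tag = hashlib.sha256(source.encode()).hexdigest()[:16]
    so_path = shim_dir / f"lo_socket_shim-{tag}.so"
    digest_path = shim_dir / f"lo_socket_shim-{tag}.sha256"
    if so_path.is_file() and digest_path.is_file():
        if sha256_file(so_path) == digest_path.read_text().strip():
            return so_path
        so_path.unlink()
        digest_path.unlink()
    build = shim_dir / f"lo_socket_shim-{tag}.build"
    compile_fn(source, build)
    os.chmod(build, 0o500)                   # read and execute only once built
    digest_path.write_text(sha256_file(build))
    os.replace(build, so_path)               # atomic: readers see old or new, never partial
    return so_path


def demo() -> Dict[str, object]:
    """Constructed run with a fake compiler that just writes bytes; no gcc needed."""
    builds = []

    def fake_compile(src: str, out: Path) -> None:
        builds.append(src)
        out.write_bytes(b"ELF-stand-in:" + src.encode())

    with tempfile.TemporaryDirectory() as tmp:
        shim_dir = Path(tmp) / "lo-shim"
        src = "int listen(int fd, int backlog) { return 0; }"   # placeholder, not the real shim
        first = ensure_shim(shim_dir, src, fake_compile)
        second = ensure_shim(shim_dir, src, fake_compile)        # reused, no rebuild
        os.chmod(first, 0o600)
        first.write_bytes(b"not the file we built")             # simulate a swapped .so
        third = ensure_shim(shim_dir, src, fake_compile)         # mismatch detected, rebuilt
        env = child_env(third, base={"PATH": "/usr/bin", "HOME": "/home/u", "OPENROUTER_API_KEY": "sk-leak"})
        return {
            "compiles": len(builds),
            "reused": first == second,
            "rebuilt_after_tamper": third.read_bytes() == b"ELF-stand-in:" + src.encode(),
            "dir_mode": oct(shim_dir.stat().st_mode & 0o777),
            "env_keys": sorted(env),
        }
```

    The resulting dictionary is what subprocess.run(..., env=child_env(shim)) should receive; everything outside the allowlist, including the API key planted in the demo, never reaches the child.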

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Missing Version Pins on Implicit Dependencies

    The skill's scripts import several third-party libraries (openpyxl, defusedxml, lxml, pandas) without any version pinning visible in the skill package. There is no requirements.txt or pyproject.toml included in the analyzed files. Unpinned dependencies are vulnerable to supply-chain attacks where a malicious version of a package could be installed. Additionally, the referenced file 'openpyxl.py' was not found, which may indicate a missing or misreferenced dependency shim. File: scripts/recalc.py Remediation: Add a requirements.txt or pyproject.toml with pinned versions for all dependencies (e.g., openpyxl==3.1.2, lxml==5.2.1, defusedxml==0.7.1, pandas==2.2.2). Verify the missing openpyxl.py reference is intentional or remove it from the instructions.

adaptyv — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

    The skill does not specify a license or compatibility field in the YAML manifest. While this is informational and low severity per the spec, the absence of provenance metadata (license) reduces auditability and trust assessment of the skill package. The author is listed as 'K-Dense, Inc.' but no version is specified either. File: SKILL.md Remediation: Add license, compatibility, and version fields to the YAML manifest to improve transparency and auditability.

  • 🔵 LOW LLM_PROMPT_INJECTION — Referenced File 'adaptyv.py' Not Found in Package

    The skill references an adaptyv.py file in its instructions, but this file was not found in the skill package. If this file is expected to be user-provided or fetched from an external source, it could introduce indirect prompt injection or malicious code execution risks. The missing file also reduces the skill's reliability. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. If adaptyv.py is user-provided, add explicit validation and sandboxing guidance. Document clearly whether this file is internal or external.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Activation Triggers in Description

    The skill description includes an extensive list of activation triggers covering multiple import patterns, domain references, and keyword combinations. While not overtly malicious, this broad activation scope could cause the skill to activate in contexts beyond its intended use, potentially intercepting conversations that only tangentially relate to Adaptyv Bio services. File: SKILL.md Remediation: Narrow the activation triggers to the most specific and necessary keywords. Avoid triggering on generic code import patterns that could match unrelated contexts.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned SDK Dependency Installation

    The skill instructs installation of the adaptyv-sdk package without a pinned version. This creates a supply chain risk where a compromised or malicious version of the package could be installed. The fallback command also lacks version pinning. File: SKILL.md Remediation: Pin the SDK to a specific known-good version, e.g., uv add adaptyv-sdk==1.2.3. Document the expected version and provide a hash or checksum if possible.

arboreto — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Several Referenced Files Not Found in Package

    Multiple files referenced in the SKILL.md instructions are not present in the skill package (arboreto.py, assets/distributed_computing.md, assets/basic_inference.md, templates/basic_inference.md, assets/algorithms.md, templates/algorithms.md, templates/distributed_computing.md, distributed.py). While this is not a direct security threat, missing files could cause the agent to search for or load files from unexpected locations, or could indicate an incomplete/tampered package. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package. Remove references to files that do not exist, or add the missing files to the package.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md manifest does not specify the 'allowed-tools' field. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may use. The skill executes Python scripts and Bash commands, so documenting this would improve transparency. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter, e.g., 'allowed-tools: [Python, Bash, Read, Write]', to document the intended tool usage scope.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Field in Manifest

    The SKILL.md manifest does not specify the 'compatibility' field. This reduces transparency about which environments the skill is intended to run in, making it harder for users to assess deployment risk. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments (e.g., 'compatibility: Works in Claude.ai, Claude Code, API').

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Dependency Installation

    The skill instructs users to install the 'arboreto' package without pinning a specific version. This exposes users to supply chain risks if the package is compromised or a malicious version is published. The same applies to transitive dependencies (scipy, scikit-learn, numpy, pandas, dask, distributed) which are also unpinned. File: SKILL.md Remediation: Pin the arboreto package to a specific known-good version, e.g., 'uv pip install arboreto==0.1.6'. Consider providing a requirements.txt or pyproject.toml with pinned versions for all dependencies.

benchling-integration — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing License Information

    The skill manifest declares 'license: Unknown', which provides no clarity on the terms under which this skill can be used or distributed. While not a direct security threat, unknown licensing can create compliance risks in enterprise environments handling sensitive biological research data. File: SKILL.md Remediation: Specify a valid open-source license (e.g., MIT, Apache 2.0) or a proprietary license identifier in the manifest frontmatter.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Referenced Files Not Found in Package

    Several files referenced in the skill instructions are not present in the skill package: templates/authentication.md, benchling_sdk.py, assets/sdk_reference.md, templates/sdk_reference.md, Bio.py, assets/authentication.md. The absence of these files means the agent may attempt to locate or load them from unexpected locations, or the skill may behave unpredictably when these references are followed. The Bio.py reference is particularly notable as it shadows the well-known BioPython library name. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package, or remove references to non-existent files. Rename any files that shadow well-known library names (e.g., Bio.py shadows BioPython's Bio module).

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

    The skill manifest does not specify an 'allowed-tools' field. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools this skill may invoke. Given that this skill interacts with external APIs and handles sensitive lab data (biological sequences, credentials), declaring tool restrictions would improve the security posture. File: SKILL.md Remediation: Add an explicit 'allowed-tools' declaration to the SKILL.md manifest to limit the skill to only the tools it requires (e.g., Python, Bash if needed).

biopython — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License Information

    The skill manifest declares 'license: Unknown', which provides no provenance information for users or organizations evaluating the skill for deployment. This is a minor metadata quality issue but could affect trust decisions. File: SKILL.md Remediation: Specify an appropriate open-source license (e.g., MIT, Apache 2.0) or the actual license under which the skill is distributed.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility and Allowed-Tools Metadata

    The skill does not specify 'compatibility' or 'allowed-tools' fields in the YAML manifest. While these are optional per the spec, their absence means there are no declared restrictions on tool usage, and users cannot easily assess where the skill is intended to run. This is informational only. File: SKILL.md Remediation: Add 'compatibility' and 'allowed-tools' fields to the manifest to improve transparency and allow runtime enforcement of tool restrictions.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instruction

    The SKILL.md instructs users to install biopython without a pinned version: 'uv pip install biopython'. This could result in installation of a future compromised or breaking version of the package. Supply chain risk is low but present. File: SKILL.md:44 Remediation: Pin the version explicitly, e.g., 'uv pip install biopython==1.85', consistent with the documented version (1.85) mentioned in the skill overview.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Placeholder in Documentation Examples

    The SKILL.md includes a code example showing 'Entrez.api_key = "your_api_key_here"'. While this is clearly a placeholder and not a hardcoded secret, it normalizes placing API keys directly in code. If users follow this pattern literally in scripts, they may inadvertently commit credentials to version control. File: SKILL.md:49 Remediation: Update the example to demonstrate reading the API key from an environment variable (e.g., os.environ.get('NCBI_API_KEY')) rather than hardcoding it, to promote secure credential handling practices.

bioservices — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md manifest does not specify the 'allowed-tools' field. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be used. The skill executes Python scripts and writes files to disk, so documenting this would improve transparency. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash]' to the YAML frontmatter to explicitly declare the tools this skill uses, improving transparency and enabling tool restriction enforcement.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Field in Manifest

    The SKILL.md manifest does not specify the 'compatibility' field. The skill makes extensive network calls to external bioinformatics APIs (UniProt, KEGG, NCBI BLAST, PSICQUIC, ChEMBL, etc.), which requires network access. Documenting compatibility and network requirements would help users understand the skill's dependencies. File: SKILL.md Remediation: Add a compatibility field documenting network requirements and supported environments (e.g., 'Requires internet access for bioinformatics API calls').

cellxgene-census — 🔵 LOW

  • 🔵 LOW LLM_PROMPT_INJECTION — Multiple Referenced Files Not Found in Skill Package

    The SKILL.md references several files that are not present in the skill package: tiledbsoma.py, assets/census_schema.md, assets/common_patterns.md, templates/common_patterns.md, scanpy.py, cellxgene_census.py, templates/census_schema.md. While the two primary reference files (references/census_schema.md and references/common_patterns.md) are present, the missing files could represent an incomplete package or could be resolved at runtime from external or user-provided sources, introducing indirect injection risk if those files are later populated with untrusted content. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. Remove references to files that do not exist or are not needed. Do not allow missing reference files to be sourced from external or user-provided locations.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License and Compatibility Metadata

    The skill manifest does not specify a license or compatibility field. While these are optional fields, their absence reduces transparency about the skill's intended usage scope and supported environments. The skill author is listed as 'K-Dense Inc.' but no license is provided. File: SKILL.md Remediation: Add a license field (e.g., 'license: MIT') and a compatibility field specifying supported environments to the YAML frontmatter.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Without Version Constraints

    The skill instructs installation of 'cellxgene-census' and 'cellxgene-census[experimental]' without specifying version pins. This creates a supply chain risk where a compromised or malicious future version of the package could be installed, potentially introducing malicious behavior. File: SKILL.md Remediation: Pin package versions explicitly, e.g., 'uv pip install cellxgene-census==1.12.3'. Specify exact versions for all dependencies to ensure reproducibility and reduce supply chain risk.

deeptools — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

    The skill does not specify the 'allowed-tools' field in its YAML manifest. While this is optional per the agent skills spec, documenting which tools are used (Bash, Python, Read, Write) would improve transparency and allow agents to enforce capability restrictions. File: SKILL.md Remediation: Add 'allowed-tools: [Bash, Python, Read, Write]' to the YAML frontmatter to explicitly declare the tools this skill requires.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Metadata

    The skill does not specify the 'compatibility' field in its YAML manifest. This makes it unclear which agent environments or platforms the skill is designed to work with. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments (e.g., 'Claude.ai, Claude Code, API').

docx — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Overly Broad Skill Activation Description

    The skill description contains an extensive list of trigger keywords and document types designed to maximize activation across a wide range of user requests. While the triggers are relevant to the skill's legitimate purpose (DOCX manipulation), the description is unusually comprehensive and includes many synonyms and use cases that could cause the skill to activate more broadly than necessary. File: SKILL.md Remediation: Consider trimming the description to core triggers only. The current description is functionally appropriate but errs toward over-broad activation guidance.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration in Manifest

    The SKILL.md manifest does not declare an allowed-tools field. The skill uses Bash commands (pandoc, soffice, pdftoppm, npm) and Python scripts extensively. While omission of allowed-tools is permitted per the spec, declaring it would improve transparency about what system capabilities this skill requires. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the YAML frontmatter, e.g.: allowed-tools: [Bash, Python, Read, Write]

  • 🔵 LOW LLM_COMMAND_INJECTION — Dynamic Compilation and LD_PRELOAD Injection via soffice.py

    The soffice.py script dynamically compiles a C source file using gcc and loads the resulting shared library via LD_PRELOAD. While the C source (_SHIM_SOURCE) is hardcoded within the script and appears to be a legitimate socket shim for sandboxed LibreOffice environments, this pattern (runtime compilation + LD_PRELOAD) is a powerful code injection mechanism. If the script or its environment were compromised, this could be used to inject arbitrary native code into LibreOffice processes. File: scripts/office/soffice.py Remediation: The shim source is hardcoded and the purpose is legitimate (AF_UNIX socket workaround for sandboxed VMs). Consider shipping the pre-compiled .so file with the skill package instead of compiling at runtime, to eliminate the runtime compilation step and reduce attack surface.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Environment Variable Access in soffice.py

    The soffice.py helper calls os.environ.copy() to build an environment dictionary that is passed to subprocess calls running LibreOffice. While this is a common and generally legitimate pattern for subprocess execution, it copies the entire process environment (which may include secrets, tokens, API keys, etc.) and passes it to an external process. The static analyzer flagged this as part of a cross-file exfiltration chain. In context, this appears to be legitimate LibreOffice invocation rather than malicious exfiltration, but the pattern warrants noting. File: scripts/office/soffice.py Remediation: This appears to be legitimate behavior for LibreOffice subprocess invocation. Consider filtering the environment to only pass necessary variables rather than the full environment copy, to reduce the risk of inadvertently exposing secrets to the subprocess.

etetoolkit — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — NCBI Taxonomy Database Download to Home Directory

    The skill automatically downloads the NCBI taxonomy database (~300MB) to ~/.etetoolkit/taxa.sqlite on first use of NCBITaxa. While this is standard behavior for the ete3 library and is clearly documented, users should be aware that this involves an automatic network download to their home directory without explicit per-invocation confirmation. File: SKILL.md Remediation: The SKILL.md documentation already discloses this behavior. Consider adding an explicit user confirmation step before invoking NCBITaxa for the first time, or checking whether the database already exists before triggering a download.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and Compatibility Metadata

    The skill manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills specification, their absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may use. The skill does use Python execution, file I/O, and network access (NCBI taxonomy download), so declaring these capabilities would improve transparency. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash, Read, Write]' and a 'compatibility' field to the YAML frontmatter to clearly declare the skill's tool requirements and intended runtime environments.

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage Flagged by Static Analyzer

    The static pre-scan flagged a potential eval/exec usage in a Python code block within the skill's markdown documentation. After thorough review of all script files (scripts/tree_operations.py and scripts/quick_visualize.py) and all referenced markdown files, no actual eval() or exec() calls were found in executable code. The flagged instance appears to be within documentation/example code blocks in the reference markdown files, not in executable scripts. No command injection risk was identified in the actual runnable code. File: references/workflows.md Remediation: No action required. The skill's executable scripts do not use eval/exec. If documentation examples are updated in the future, ensure they do not demonstrate unsafe patterns without appropriate warnings.

flowio — 🔵 LOW

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

    The static analyzer flagged a potential eval/exec usage in the Python code blocks within the skill documentation. Reviewing the content, the code examples in SKILL.md and references/api_reference.md do not contain explicit eval() or exec() calls. The flag may be a false positive from the static analyzer detecting patterns in documentation code blocks. However, the skill instructs the agent to execute Python code that reads and writes FCS files, which involves binary file parsing. No direct eval/exec injection risk is present in the documented examples. File: SKILL.md Remediation: Verify the static analyzer finding. If eval/exec is present in any bundled script (flowio.py was referenced but not found), review it carefully for command injection risks. Ensure user-supplied file paths are validated before being passed to FlowData().

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation

    The skill instructs installation of the 'flowio' package without a pinned version number. This creates a supply chain risk where a future compromised or malicious version of the package could be installed. File: SKILL.md Remediation: Pin the package to a specific known-good version, e.g., 'uv pip install flowio==0.9.0' or equivalent, and verify the package hash/provenance.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

    The skill does not declare an allowed-tools field in its YAML manifest. The skill instructs the agent to execute Python code for reading/writing FCS files, installing packages via 'uv pip install flowio', and performing file I/O operations. Without an explicit allowed-tools declaration, there is no manifest-level constraint on what tools the agent may use. File: SKILL.md:1 Remediation: Add an explicit allowed-tools field to the YAML manifest, e.g., allowed-tools: [Python, Bash] to document the intended tool scope and enable enforcement.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Field

    The skill does not specify a compatibility field in its YAML manifest. While this is a minor documentation issue, it reduces transparency about the environments in which the skill is intended to operate. File: SKILL.md:1 Remediation: Add a compatibility field to the YAML manifest to document supported environments (e.g., Claude.ai, Claude Code, API).

fluidsim — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Multiple Missing Referenced Files

    The skill references numerous files that do not exist in the package (assets/output_analysis.md, assets/installation.md, templates/solvers.md, templates/installation.md, templates/output_analysis.md, templates/advanced_features.md, templates/parameters.md, assets/simulation_workflow.md, templates/simulation_workflow.md, fluidsim.py, assets/solvers.md, assets/advanced_features.md, assets/parameters.md). While this is primarily a documentation/completeness issue, missing files could cause the agent to seek external sources to fulfill instructions, potentially exposing it to indirect prompt injection from untrusted external content. File: SKILL.md Remediation: Include all referenced files within the skill package, or remove references to non-existent files. Ensure the skill is self-contained to prevent the agent from seeking external resources.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Declaration

    The skill manifest does not declare an allowed-tools field. The skill instructs the agent to install packages via uv pip install, execute bash commands (mpirun, pytest, paraview), and run Python simulations. Without an explicit allowed-tools declaration, the agent's tool usage boundaries are undefined, potentially allowing broader tool access than necessary for the stated purpose. File: SKILL.md Remediation: Add an explicit allowed-tools field to the YAML frontmatter specifying the minimum required tools, e.g., allowed-tools: [Bash, Python, Read, Write]. This limits the agent's tool surface to what is actually needed.

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Pattern in Code Examples

    The static analyzer flagged a Python code block using eval/exec patterns. Reviewing the skill content, the code examples in the referenced files use standard Python constructs for simulation (e.g., lambda functions in advanced_features.md: sim.forcing.forcing_maker.compute_forcing_fft = lambda: compute_forcing_fft(sim)). While this is a dynamic function assignment rather than eval/exec, it could allow arbitrary code execution if user-controlled input flows into the forcing function. However, in context this appears to be legitimate scientific computing usage with no direct user input injection path identified. File: references/advanced_features.md Remediation: Ensure that any user-provided parameters passed to custom forcing functions or initial condition scripts are validated before use. Avoid passing unsanitized user input into dynamically assigned functions.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instructions

    The skill instructs installation of fluidsim and its dependencies without version pinning. Commands like uv pip install fluidsim, uv pip install "fluidsim[fft]", and uv pip install "fluidsim[fft,mpi]" do not specify exact versions. This exposes the environment to supply chain risks if the upstream package is compromised or if a malicious version is published. File: references/installation.md Remediation: Pin package versions explicitly, e.g., uv pip install "fluidsim[fft]==0.7.3" (the extras marker must precede the version specifier). Consider using a lockfile or hash verification to ensure package integrity.

generate-image — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — .env File Traversal Up Directory Tree May Expose Keys from Parent Directories

    The check_env_file() function searches for a .env file not only in the current working directory but also in all parent directories up to the filesystem root. This means if a user runs the script from a subdirectory of a project that has a .env file at a higher level (e.g., home directory), that key will be silently used. This could lead to unintended use of credentials from unrelated projects or sensitive parent directories. File: scripts/generate_image.py:22 Remediation: Limit .env file search to the current working directory only, or at most one level up. Alternatively, prefer os.environ.get('OPENROUTER_API_KEY') as the primary lookup method, which is the standard approach and avoids unintended credential discovery.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Third-Party Dependency (requests)

    The script imports the requests library without any version pinning or integrity verification. There is no requirements.txt or setup.py included in the skill package. An attacker who can influence the Python environment (e.g., via a compromised package index or typosquatting) could substitute a malicious version of requests that intercepts API keys or image data. File: scripts/generate_image.py:108 Remediation: Include a requirements.txt with a pinned version (e.g., requests==2.32.3) and ideally a hash check. Document the expected version in the skill manifest.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Passed via Command-Line Argument

    The script accepts the OpenRouter API key via a --api-key command-line argument. On multi-user systems, command-line arguments are visible in process listings (e.g., ps aux), which could expose the API key to other users on the same machine. The .env file fallback is safer, but the CLI option introduces a risk. File: scripts/generate_image.py:270 Remediation: Remove the --api-key CLI argument or document the risk. Encourage users to rely exclusively on the .env file or environment variable (os.environ) for API key configuration, which avoids process-list exposure.

geniml — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Network Access to External Services Not Disclosed in Manifest

    The skill instructions and reference files describe workflows that involve network access to external services including Hugging Face (for pre-trained model downloads), BEDbase repositories (via BBClient), GitHub (for package installation), and the StarSpace external dependency. These network operations are not disclosed in the manifest description or compatibility field. While the operations appear legitimate for the stated purpose, the lack of disclosure means users may not be aware their agent will make outbound network connections. File: SKILL.md Remediation: Document network access requirements in the manifest description or compatibility field. Inform users that the skill will make outbound connections to Hugging Face, BEDbase, and GitHub as part of normal operation.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and Compatibility Metadata

    The SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the spec, their absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. Given that the skill instructs the agent to run bash commands, execute Python code, write files, and make network calls (to Hugging Face, BEDbase, GitHub), the lack of declared tool restrictions reduces transparency about the skill's actual capability footprint. File: SKILL.md Remediation: Add 'allowed-tools: [Bash, Python, Read, Write]' to the YAML frontmatter to explicitly declare the tools this skill requires, improving transparency and enabling enforcement of least-privilege tool access.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Without Version Constraints

    The SKILL.md installation instructions use 'uv pip install geniml' and 'uv pip install geniml[ml]' without pinning to a specific version. Additionally, a direct GitHub install from 'git+https://github.com/databio/geniml.git' is provided as an option. Unpinned installations are vulnerable to supply chain attacks where a compromised or malicious package version could be installed. The GitHub install from HEAD is particularly risky as it bypasses any release vetting process. File: SKILL.md Remediation: Pin package versions explicitly (e.g., 'geniml==0.4.0'). Avoid direct GitHub HEAD installs in production; if needed, pin to a specific commit hash (e.g., 'git+https://github.com/databio/geniml.git@<commit_sha>'). Consider using a lockfile for reproducible environments.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — External Dependency on StarSpace Without Version Pinning

    The BEDspace workflow requires StarSpace, an external Facebook Research tool installed separately from an external GitHub repository (https://github.com/facebookresearch/StarSpace). No version is specified. This introduces a supply chain dependency on an external project that is not under the skill author's control, and the lack of version pinning means behavior could change unexpectedly. File: references/bedspace.md Remediation: Specify a pinned version or commit hash for StarSpace. Document the expected version in the skill manifest. Consider adding integrity verification steps.

geopandas — 🔵 LOW

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

    Static analysis flagged eval/exec usage in Python code blocks within the markdown documentation. Reviewing the content, the flagged patterns appear to be within legitimate GeoPandas code examples (e.g., affine_transform, or similar). No actual malicious eval/exec with user-controlled input was found in the reviewed content, but the static scanner detected these patterns. The skill contains no executable Python scripts, only documentation code blocks. File: SKILL.md Remediation: Review the specific code blocks flagged by the static analyzer to confirm no eval/exec with unsanitized user input is present. If these are purely illustrative examples, they pose no direct risk since there are no executable scripts in this skill package.

  • 🔵 LOW LLM_DATA_EXFILTRATION — PostGIS Connection String with Credentials in Documentation Examples

    The data-io.md reference file includes example code showing database connection strings with plaintext credentials (user:password@host:port/database). While this is documentation/example code and not executable, users following these examples may hardcode credentials in their scripts. File: references/data-io.md Remediation: Update documentation examples to use environment variables or configuration files for credentials rather than inline plaintext. Example: create_engine(f'postgresql://{os.environ["DB_USER"]}:{os.environ["DB_PASS"]}@host/db')

  • 🔵 LOW LLM_DATA_EXFILTRATION — Remote URL Data Loading Without Validation

    The data-io.md reference documents reading spatial data directly from arbitrary URLs (HTTP/HTTPS, S3, Azure Blob) without any input validation or allowlist guidance. If a user passes an attacker-controlled URL to gpd.read_file(), it could be used to exfiltrate data or load malicious content. File: references/data-io.md Remediation: Add documentation guidance to validate and allowlist URLs before passing them to read_file(). Warn users about the risks of loading data from untrusted remote sources.

get-available-resources — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

    The skill does not declare an allowed-tools field in its YAML manifest. While this field is optional, its absence means there are no declared restrictions on what tools the agent can use when executing this skill. The skill uses Bash subprocess calls and writes files, so declaring allowed-tools: [Python, Bash] would improve transparency and auditability. File: SKILL.md Remediation: Add allowed-tools: [Python, Bash] to the YAML frontmatter to explicitly document the tools required by this skill.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Activation Trigger in Skill Description

    The skill description instructs the agent to use it 'at the start of ANY computationally intensive scientific task' and lists a wide range of trigger scenarios. This broad activation language could cause the skill to be invoked more frequently than necessary, increasing the attack surface and resource consumption. The description also lists many specific library names (joblib, multiprocessing, Dask, Zarr, PyTorch, JAX) as trigger keywords, which could lead to over-activation. File: SKILL.md Remediation: Narrow the activation criteria to specific, well-defined scenarios rather than broad categories. Avoid listing library names as implicit triggers in the description.

  • 🔵 LOW LLM_COMMAND_INJECTION — Subprocess Calls to External System Utilities Without Input Validation

    The script invokes external system utilities (nvidia-smi, rocm-smi, sysctl, system_profiler) via subprocess. While the commands themselves are hardcoded and not user-influenced, the output is parsed and incorporated into the JSON output. If any of these utilities were replaced or tampered with (e.g., via PATH manipulation), malicious output could be injected into the resource JSON file, which is subsequently read and acted upon by the agent. The parsing logic for rocm-smi is noted as basic and may need refinement. File: scripts/detect_resources.py:80 Remediation: Use absolute paths for system utilities where possible (e.g., /usr/bin/nvidia-smi). Validate and sanitize parsed output before including it in the JSON. Consider adding integrity checks or bounds on parsed values.

  • 🔵 LOW LLM_DATA_EXFILTRATION — System Information Disclosure via JSON Output File

    The skill collects and writes detailed system information (CPU architecture, memory, disk usage, GPU details including driver versions and compute capabilities) to a .claude_resources.json file in the current working directory. While this is the stated purpose of the skill, the output file could expose sensitive system fingerprinting data if the working directory is shared or version-controlled. The file includes OS version, processor model, and GPU driver details that could aid an attacker in targeting the system. File: scripts/detect_resources.py:130 Remediation: Document clearly that .claude_resources.json should be added to .gitignore to prevent accidental exposure. Consider adding a warning in the output or README about not committing this file to version control.

  • 🔵 LOW LLM_RESOURCE_ABUSE — Missing Timeout on system_profiler Subprocess Call

    The system_profiler SPDisplaysDataType subprocess call uses a 10-second timeout, which is longer than the 5-second timeout used for other subprocess calls. On systems with many displays or complex GPU configurations, this call could block for an extended period. Additionally, if the skill is instructed to 're-run periodically' as recommended in best practices, repeated invocations could accumulate resource usage. File: scripts/detect_resources.py:175 Remediation: Reduce the timeout to 5 seconds for consistency. Consider adding a flag to skip GPU detection for faster execution when only basic resource info is needed.

gget — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — OpenAI API Key Passed as Plain Text Argument

    The gget gpt module accepts an OpenAI API key directly as a command-line argument or function parameter (api_key='your_key_here'). Passing secrets as CLI arguments exposes them in shell history, process listings (ps aux), and logs. The SKILL.md instructions show this pattern explicitly in examples. File: SKILL.md Remediation: Recommend using environment variables (e.g., OPENAI_API_KEY) or a secrets manager instead of passing API keys as direct arguments. Document this risk in the skill instructions.

  • 🔵 LOW LLM_DATA_EXFILTRATION — COSMIC Credentials Passed as Plain Text Arguments

    The gget cosmic module accepts email and password credentials as command-line arguments (--email, --password). This exposes credentials in shell history and process listings. File: SKILL.md Remediation: Recommend using environment variables or a credentials file with restricted permissions instead of passing credentials as CLI arguments.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md manifest does not specify the 'allowed-tools' field. The skill executes Python scripts, makes network calls to 20+ external databases, writes files to disk, and can run bash commands. Declaring allowed tools would help constrain the agent's behavior and make capabilities explicit. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools actually needed (e.g., Python, Bash, Write) to constrain agent behavior and improve transparency.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instructions

    The SKILL.md installation instructions use 'uv pip install --upgrade gget' without pinning to a specific version. This means the skill will always install the latest version, which could introduce breaking changes or supply chain risks if the package is compromised. Additionally, the AlphaFold setup downloads ~4GB of model parameters from an unspecified source. File: SKILL.md Remediation: Pin gget to a specific known-good version (e.g., 'uv pip install gget==0.28.6'). Document the source and integrity verification method for AlphaFold model parameters.

  • 🔵 LOW LLM_RESOURCE_ABUSE — Computationally Intensive Operations Without Resource Limits

    The skill enables AlphaFold structure prediction and batch sequence analysis without resource limits or warnings about compute consumption. AlphaFold predictions are described as 'computationally intensive' and the batch script iterates over all sequences in a FASTA file without any size limit. The enrichment pipeline also iterates over databases and expression queries without bounding the number of API calls. File: scripts/batch_sequence_analysis.py:47 Remediation: Add a maximum sequence count limit with a user-configurable override. Warn users before initiating large batch operations. Add rate limiting between API calls to avoid overwhelming external services.

ginkgo-cloud-lab — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

    The SKILL.md manifest does not specify a license or compatibility field. While these are optional fields, their absence means users cannot determine the terms under which the skill is distributed or which platforms it is certified to run on. This is an informational/documentation gap rather than an active security threat. File: SKILL.md Remediation: Add a license field (e.g., 'license: MIT') and a compatibility field describing supported platforms to the YAML frontmatter.

  • 🔵 LOW LLM_PROMPT_INJECTION — Skill References External URLs That Could Serve Malicious Content

    The skill instructions reference the external domain https://cloud.ginkgo.bio for protocol ordering and the EstiMate AI agent. If the agent were to fetch content from these URLs and treat it as trusted instructions, indirect prompt injection could occur. However, the skill instructions do not explicitly direct the agent to fetch or execute content from these URLs — they are presented as navigation targets for the human user. The risk is low but present if the agent autonomously browses these URLs. File: SKILL.md Remediation: Clarify in the skill instructions that the agent should not autonomously fetch or parse content from external URLs. Instructions should direct the human user to navigate to these URLs rather than having the agent retrieve and process their content.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Declaration

    The skill does not declare an allowed-tools field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools this skill may invoke. Given the skill interacts with external URLs and references multiple files, declaring allowed-tools would improve transparency and reduce the attack surface. File: SKILL.md Remediation: Add an explicit allowed-tools field to the YAML frontmatter listing only the tools this skill requires (e.g., [Read] since it only reads internal reference files and provides instructions).

  • 🔵 LOW LLM_COMMAND_INJECTION — Static Analyzer Flagged Python eval/exec Patterns in Markdown Code Blocks

    The pre-scan static analyzer reported two instances of Python code blocks containing eval/exec patterns (MDBLOCK_PYTHON_EVAL_EXEC). However, reviewing all provided file content, no Python code blocks with eval or exec were found in the visible content. The referenced template and asset files (templates/.md, assets/.md) were not found/provided. It is possible these patterns exist in the missing referenced files. This warrants attention but cannot be confirmed from available content. File: references/cell-free-protein-expression-optimization.md Remediation: Provide and review the missing template and asset files for any eval/exec usage. If Python code blocks exist in those files, ensure they do not use eval/exec with user-controlled input. Replace eval/exec patterns with safe alternatives.

glycoengineering — 🔵 LOW

  • 🔵 LOW LLM_COMMAND_INJECTION — Python Code Blocks Use eval/exec (Static Analyzer Flag - False Positive Likely)

    The static pre-scan flagged two instances of eval/exec usage in Python code blocks within SKILL.md. Upon manual review of the instruction body, no actual eval() or exec() calls are present in the visible code. The code blocks contain standard Python (re, requests, list comprehensions, assert statements). This appears to be a false positive from the static analyzer, possibly triggered by the word 'exec' appearing in a comment or string context, or in the bash snippet ('glycoshield' CLI invocation). No genuine eval/exec injection risk is identified in the reviewed code. File: SKILL.md Remediation: Verify the exact lines flagged by the static analyzer. If eval/exec is present in unreferenced or hidden code blocks, remove or replace with safer alternatives. If this is a false positive, no action needed.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Unauthenticated External API Call to GlyConnect

    The skill includes a Python function query_glyconnect() that makes an unauthenticated GET request to the GlyConnect ExPASy API (https://glyconnect.expasy.org/api/proteins/uniprot/{uniprot_id}). While this is a legitimate public bioinformatics database, the function accepts a user-supplied uniprot_id parameter that is interpolated directly into the URL without validation. A malicious user could supply a crafted string to manipulate the URL path (path traversal in URL), though the risk is limited given it is a GET request to a public API. File: SKILL.md Remediation: Validate the uniprot_id parameter against a strict regex pattern (e.g., ^[A-Z0-9]{6,10}$) before interpolating into the URL. This prevents URL path manipulation.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License and Compatibility Metadata

    The skill manifest does not specify a license (listed as 'Unknown') or compatibility information. While allowed-tools is optional per spec, the absence of license information is a governance concern for a skill that references external tools and databases (NetOGlyc, GlycoShield, GlycoWorkbench, GlyConnect). Users may inadvertently use the skill in contexts that violate the licenses of the referenced tools. File: SKILL.md Remediation: Add a valid SPDX license identifier to the manifest. Document compatibility constraints, especially noting that some referenced tools (NetOGlyc, GlycoWorkbench) may have academic-only or non-commercial licenses.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned pip Dependency in Bash Code Block

    The bash installation snippet for GlycoShield-MD uses pip install glycoshield without a pinned version. This exposes the skill to supply chain risks if the glycoshield package on PyPI is compromised or if a typosquatted package is installed. The package originates from a GitLab repository (gitlab.mpcdf.mpg.de) which is a less-common provenance path. File: SKILL.md Remediation: Pin the package version (e.g., pip install glycoshield==<version>) and verify the package hash. Consider directing users to install directly from the verified GitLab source with a specific commit hash rather than PyPI.

gtars — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License and Compatibility Metadata

    The skill manifest does not specify a license or compatibility field. The license is listed as 'Unknown' and compatibility is 'Not specified'. This reduces transparency about the skill's provenance and intended operating environment, which could lead to misuse or deployment in unsupported contexts. File: SKILL.md Remediation: Add explicit license and compatibility fields to the SKILL.md YAML frontmatter to improve transparency and trust.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Without Version Constraints

    The skill instructs installation of the 'gtars' package via 'uv pip install gtars' and 'cargo install gtars-cli' without specifying pinned versions. This means any future malicious or compromised version of the package could be installed automatically, creating a supply chain risk. There are no version pins, hash verification, or integrity checks specified. File: SKILL.md Remediation: Pin exact package versions (e.g., 'uv pip install gtars==0.3.2') and use hash verification where possible. For Cargo, use a Cargo.lock file and specify exact versions. Consider using a private package mirror or verifying package integrity before installation.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Multiple Referenced Files Not Found in Skill Package

    Numerous files referenced in the skill instructions are not present in the skill package (e.g., assets/overlap.md, assets/python-api.md, templates/tokenizers.md, templates/cli.md, gtars.py, assets/tokenizers.md, templates/overlap.md, templates/coverage.md, assets/refget.md, templates/python-api.md, templates/refget.md, assets/cli.md, assets/coverage.md). This could indicate an incomplete package, or that the skill relies on external or dynamically fetched resources not bundled with the skill, creating potential for supply chain or indirect injection risks if those files are later populated with malicious content. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. Remove references to non-existent files or document their expected source. Avoid relying on files that may be populated from external or untrusted sources.

hypogenic — 🔵 LOW

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

    Static analysis flagged two instances of eval/exec usage in Python code blocks within the SKILL.md instructions. While these appear to be illustrative code examples (e.g., lambda functions passed as extract_label callbacks), eval/exec patterns in agent-executed code can enable arbitrary code execution if user-controlled input is passed to these constructs. The skill instructs users to implement custom extract_label functions using lambdas and dynamic parsing, which could be misused if the agent executes user-supplied code strings. File: SKILL.md Remediation: Review the actual hypogenic package source to confirm eval/exec usage context. If the skill is generating or executing user-supplied Python code strings, add explicit warnings that user-provided extract_label functions should be reviewed before execution. Avoid passing unsanitized user input to eval/exec constructs.

  • 🔵 LOW LLM_PROMPT_INJECTION — Indirect Prompt Injection Risk via External Dataset Content

    The skill processes external dataset content (text_features_1 through text_features_n) and injects these values directly into LLM prompt templates using placeholder substitution (e.g., ${text_features_1}). If datasets contain adversarially crafted text designed to manipulate the LLM's hypothesis generation or inference behavior, this constitutes an indirect prompt injection vector. The skill's use case (deception detection, AI-generated content analysis) makes it particularly likely to process adversarial text samples. File: SKILL.md Remediation: Implement input sanitization or prompt hardening when injecting dataset content into LLM prompts. Use clear delimiters (e.g., XML tags) to separate data content from instructions. Consider adding a warning that dataset text features should be treated as untrusted content within prompts.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation via uv pip install

    The skill instructs users to install the 'hypogenic' package without a pinned version (e.g., 'uv pip install hypogenic'). Unpinned package installations are vulnerable to supply chain attacks where a malicious version could be published to PyPI and automatically installed. This is particularly relevant for a package that interfaces with LLM APIs and processes research data. File: SKILL.md Remediation: Pin the package to a specific known-good version (e.g., 'uv pip install hypogenic==X.Y.Z'). Document the expected version in the skill manifest and provide a hash verification step for security-sensitive deployments.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — External Git Repository Cloning Without Integrity Verification

    The skill instructs cloning external GitHub repositories (ChicagoHAI/HypoGeniC-datasets and ChicagoHAI/Hypothesis-agent-datasets) without specifying commit hashes, tags, or integrity verification. If these repositories are compromised or contain malicious data/configuration files, the agent would process them without validation. Dataset files could also contain indirect prompt injection payloads in text features. File: SKILL.md Remediation: Pin cloned repositories to specific commit hashes or signed tags. Validate dataset integrity with checksums before use. Treat cloned dataset content as untrusted input, especially text features that will be passed to LLM prompts.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Exposure via Environment Variable Configuration

    The configuration template references API keys via environment variables (e.g., OPENAI_API_KEY) and the model configuration includes an 'api_key_env' field. While using environment variables is better than hardcoding, the config template could encourage users to inadvertently store API keys in config.yaml files that get committed to version control or included in hypothesis output files. File: references/config_template.yaml:14 Remediation: Add explicit warnings in the configuration template that API keys must never be hardcoded in config.yaml. Recommend .gitignore patterns for config files containing sensitive paths and document secure credential management practices.

iso-13485-certification — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

    The skill does not declare an allowed-tools field in the YAML manifest. The skill executes Python scripts (gap_analyzer.py) that perform file system traversal using rglob() across user-provided directories. Without an explicit allowed-tools declaration, there is no manifest-level constraint on what tools the agent may use, reducing transparency about the skill's actual capabilities. File: SKILL.md Remediation: Add an explicit allowed-tools field to the YAML manifest listing the tools actually used, e.g., allowed-tools: [Python, Bash, Read, Write].

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Description with Keyword Baiting

    The skill description is unusually broad and contains an extensive list of trigger keywords including 'medical device regulations, QMS certification, FDA QMSR, EU MDR' and multiple numbered use cases. While this is a legitimate documentation skill, the description is crafted to maximize activation across a wide range of regulatory and compliance queries, which could lead to the skill being invoked in contexts where it may not be the most appropriate tool. File: SKILL.md Remediation: Narrow the description to the core functionality. Avoid listing extensive trigger keywords that could cause over-broad activation.

latchbio-integration — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License and Compatibility Metadata

    The skill manifest does not specify a license (listed as 'Unknown') or compatibility information. While allowed-tools is optional, the missing license is notable for a skill attributed to 'K-Dense Inc.' that integrates with an external commercial platform. This reduces transparency about usage rights and intended deployment contexts. File: SKILL.md Remediation: Add a valid SPDX license identifier (e.g., MIT, Apache-2.0) and specify compatibility information in the YAML frontmatter. Add allowed-tools to clarify what agent capabilities are expected.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Multiple Referenced Files Not Found in Package

    The skill references numerous files in its instructions that do not exist in the package: assets/verified-workflows.md, templates/data-management.md, assets/resource-configuration.md, templates/verified-workflows.md, assets/data-management.md, assets/workflow-creation.md, latch.py, templates/resource-configuration.md, templates/workflow-creation.md. This creates an incomplete skill package where the agent may attempt to read non-existent files or behave unpredictably when following instructions that reference missing resources. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package before distribution. Remove references to files that do not exist, or add placeholder files with appropriate content.

market-research-reports — 🔵 LOW

  • 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Visual Generation Loop - Potential Compute Exhaustion

    The SKILL.md instructions mandate generating 5-6 core visuals at the start of every report, plus additional visuals 'as needed during writing' across 11 chapters with 25-30 total visuals recommended. The batch script can generate up to 27+ visuals per report run. While not an infinite loop, the instructions encourage generating large numbers of images without user confirmation, which could exhaust compute resources (image generation API calls, disk space, processing time) especially when combined with the '--all' flag generating all 27 extended visuals. File: SKILL.md Remediation: Add explicit user confirmation before batch generating large numbers of visuals. Implement a hard cap on the number of visuals generated per session. Require the '--all' flag to prompt a warning about resource consumption.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Description

    The skill description claims to generate reports 'in the style of top consulting firms (McKinsey, BCG, Gartner)' and produce '50+ page' documents that 'rival top consulting firm deliverables.' These are marketing-style capability inflation claims that may cause the agent to over-activate this skill for general research or writing tasks, and may set unrealistic expectations. The description also lists an extensive set of trigger scenarios (investment decisions, M&A due diligence, go-to-market strategy, etc.) that could cause broad activation. File: SKILL.md Remediation: Scope the description to accurately reflect what the skill does without brand impersonation or inflated quality claims. Narrow the trigger scenarios to avoid over-broad activation.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Restriction for Python Execution

    The skill declares 'allowed-tools: Read Write Edit Bash' but the workflow extensively uses Python script execution (generate_market_visuals.py, research_lookup.py, generate_schematic.py, generate_image.py). The allowed-tools list omits 'Python' despite Python being a core execution mechanism. This is a minor inconsistency between declared tool restrictions and actual behavior, though Bash can invoke Python scripts. File: SKILL.md Remediation: Add 'Python' to the allowed-tools list to accurately reflect the skill's tool usage, or document that Python scripts are invoked via Bash.

  • ⚪ INFO LLM_CONTEXT_BUDGET_EXCEEDED — 'assets/market_report_template.tex' excluded from LLM analysis (50,210 chars)

    file size (50,210 chars) exceeds per-file limit (50,000) File: assets/market_report_template.tex Remediation: Increase llm_analysis.max_referenced_file_chars in your scan policy to include this content in LLM analysis.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Static Analysis Flags - Unverified Cross-File Exfiltration Chain Signal

    The pre-scan static analyzer flagged BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN, and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across 3 files. Manual review of the provided generate_market_visuals.py script shows no direct environment variable harvesting or network exfiltration. The script only calls other skill scripts (scientific-schematics, generate-image, research-lookup) via subprocess. However, those dependent skills (not provided for review) may contain the flagged behavior. The cross-file chain signal suggests the exfiltration path may run through research-lookup or generate-image scripts. File: scripts/generate_market_visuals.py Remediation: Audit the dependent skills (scientific-schematics, generate-image, research-lookup) for environment variable access and network calls. Ensure those skills do not exfiltrate data to external servers. The static analyzer flags warrant investigation of the full dependency chain.

matchms — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md YAML frontmatter does not specify the 'allowed-tools' field. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools this skill may invoke, reducing transparency about the skill's intended scope. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing only the tools required for this skill's legitimate functionality (e.g., Python, Read, Write).

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Missing Version Pin for Package Installation

    The SKILL.md instructs installation of 'matchms' and 'matchms[chemistry]' via 'uv pip install matchms' without pinning a specific version. Unpinned package installations are vulnerable to supply chain attacks where a malicious version could be published and automatically installed. File: SKILL.md Remediation: Pin the package to a specific known-good version, e.g., 'uv pip install matchms==0.24.0'. Verify the package hash if possible.

matlab — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Specification

    The SKILL.md manifest does not specify an 'allowed-tools' field. While this is optional per the agent skills spec, documenting which tools are permitted improves transparency and security posture for users deploying this skill. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools this skill requires, such as [Bash, Python] if script execution is intended.

matplotlib — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

    The skill manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, documenting which tools are used (Python execution, file writes) would improve transparency and allow agents to make better activation decisions. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash]' to the YAML frontmatter to explicitly declare the tools this skill uses.

medchem — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility metadata

    The SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on what tools the agent may use when executing this skill. The skill executes Python code, reads files, and writes output files, so documenting these capabilities would improve transparency. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash]' and a 'compatibility' field to the YAML frontmatter to document the skill's tool requirements and supported environments.

molecular-dynamics — 🔵 LOW

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage Flagged by Static Analyzer

    The static pre-scan flagged a MDBLOCK_PYTHON_EVAL_EXEC finding in the skill's Python code blocks. Upon manual review of the SKILL.md instruction body, no direct use of eval() or exec() with user-controlled input is visible in the provided code snippets. The flag may be a false positive from the static analyzer detecting patterns in the embedded code examples. However, the code does use dynamic platform selection and simulation configuration that could be influenced by user-supplied parameters (e.g., pdb_file paths, selection strings). The MDAnalysis atom selection strings (e.g., 'backbone', 'resname LIG') are passed directly to MDAnalysis's select_atoms() method, which has its own query language and could potentially be abused if user input is passed unsanitized. File: SKILL.md Remediation: Validate and sanitize atom selection strings before passing to select_atoms(). Consider whitelisting known-safe selection patterns or wrapping calls in try/except to prevent unexpected behavior from malformed input. Clarify the static analyzer finding to confirm whether eval/exec is present in unreported code.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Referenced Script Files Not Found in Package

    The skill references five Python module files (MDAnalysis.py, pdbfixer.py, matplotlib.py, openff.py, openmm.py) that are not present in the skill package. These appear to be references to standard library/package names rather than actual bundled scripts, but their absence means the skill's behavior cannot be fully audited. If these were intended to be custom scripts, their absence creates an incomplete security picture. File: SKILL.md Remediation: Clarify whether these are references to installed packages (in which case the references should be removed from the file manifest) or intended bundled scripts (in which case they should be included). Ensure all bundled scripts are present and auditable.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and Compatibility Metadata

    The skill does not specify the 'allowed-tools' or 'compatibility' fields in its YAML manifest. While these fields are optional per the agent skills specification, their absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may use. Given that the skill involves running simulations, writing trajectory files, and executing Python code, explicit tool declarations would improve transparency and security posture. File: SKILL.md Remediation: Add explicit 'allowed-tools' and 'compatibility' fields to the YAML frontmatter to clearly declare the intended tool usage scope. For example: allowed-tools: [Python, Bash, Read, Write]

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies

    The skill instructs installation of several packages (openmm, mdanalysis, nglview, openff-toolkit, pdbfixer) without specifying version pins. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be installed, potentially compromising the simulation environment. This is particularly relevant for scientific computing packages that may have complex dependency trees. File: SKILL.md Remediation: Pin all dependencies to specific known-good versions (e.g., pip install openmm==8.1.0 mdanalysis==2.7.0). Consider providing a requirements.txt or conda environment.yml with pinned versions and checksums where possible.

molfeat — 🔵 LOW

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instructions

    The skill's installation instructions use unpinned package versions (e.g., 'uv pip install molfeat', 'pip install molfeat[all]'). Without version pinning, the installed packages could be updated to malicious versions if the PyPI package is compromised or if a typosquatting attack occurs. This is a supply chain risk for any environment that follows these instructions. File: SKILL.md Remediation: Pin package versions in installation instructions (e.g., 'uv pip install molfeat==0.x.y'). Document the tested/verified version. Consider using a requirements.txt or lockfile for reproducible environments.

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

    The static analyzer flagged a potential eval/exec usage in the Python code blocks within the skill's markdown files. Reviewing the content, the code examples in references/examples.md and references/api_reference.md do not contain explicit eval() or exec() calls. The flag may be a false positive from pattern matching on code blocks. However, the skill instructs the agent to execute Python code from these examples, and if any user-supplied SMILES strings or model names are passed unsanitized into dynamic execution contexts, there could be injection risk. No direct eval/exec was found in the reviewed content. File: references/examples.md Remediation: Verify the exact line flagged by the static analyzer. Ensure that user-supplied inputs (SMILES strings, model names) are never passed to eval() or exec() in any generated or executed code. Validate and sanitize all user inputs before use in code execution contexts.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Pickle Deserialization of Cached Embeddings

    The skill's examples demonstrate caching embeddings using Python's pickle module (pickle.load/pickle.dump). Pickle deserialization of untrusted files is a known arbitrary code execution vector. If a user or attacker can control the cache file path or contents (e.g., embeddings_cache.pkl), loading it with pickle.load() could execute arbitrary code. While this is in example code rather than a deployed script, the agent may generate and execute such code based on these instructions. File: references/examples.md Remediation: Replace pickle with a safer serialization format such as numpy's .npy/.npz format or joblib with integrity checks. If pickle must be used, ensure cache files are stored in trusted locations with appropriate file permissions and integrity verification (e.g., HMAC signatures).

networkx — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md manifest does not specify the 'allowed-tools' field. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. Given the skill's broad scope (file I/O, database access, network visualization, shell commands for package installation), declaring allowed tools would improve transparency and reduce the attack surface. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools this skill legitimately requires, such as [Python, Bash, Read, Write]. This improves auditability and limits unintended tool usage.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instructions

    The SKILL.md instructions include package installation commands without version pinning. The commands 'uv pip install networkx' and 'uv pip install networkx[default]' do not specify exact versions, which could allow supply chain attacks if the networkx package on PyPI were compromised or if a typosquatted package were installed. File: SKILL.md Remediation: Pin the networkx version explicitly (e.g., 'uv pip install networkx==3.3') and consider verifying package integrity via hash checking. Document the expected version in the skill manifest.

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

    The static analyzer flagged a potential eval/exec usage in a Python code block within the skill's documentation. After reviewing all referenced files, the code examples in references/algorithms.md, references/io.md, references/generators.md, references/visualization.md, and references/graph-basics.md do not contain explicit eval() or exec() calls. The flagged pattern may be a false positive from the static scanner detecting the word 'exec' in comments or variable names (e.g., 'exec' in 'execute'). No actual dangerous eval/exec usage was found in the reviewed content. This is noted as LOW severity for awareness. File: references/algorithms.md Remediation: Review the full set of referenced files (particularly those not found: assets/generators.md, assets/algorithms.md, networkx.py, matplotlib.py) to confirm no eval/exec usage exists. Ensure any code examples added in the future avoid dynamic code execution patterns.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Pickle Deserialization Risk in I/O Documentation

    The references/io.md file documents the use of Python's pickle module for graph serialization/deserialization (nx.write_gpickle, nx.read_gpickle, pickle.load). Pickle deserialization of untrusted data is a well-known arbitrary code execution vector. While this is presented as documentation/examples rather than executable skill code, an agent following these instructions could load malicious pickle files provided by users without warning about the security risk. File: references/io.md Remediation: Add explicit security warnings in the documentation noting that pickle files from untrusted sources should never be loaded, as they can execute arbitrary code during deserialization. Recommend safer alternatives (GraphML, JSON) for untrusted data sources.

neurokit2 — 🔵 LOW

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

    The static analyzer flagged a potential eval/exec usage in the Python code blocks within the skill's reference documentation. After reviewing all referenced files, the code blocks contain standard NeuroKit2 API calls (e.g., nk.ecg_process(), nk.hrv(), etc.) and do not contain actual eval() or exec() calls. The flag appears to be a false positive from pattern matching on code block content. No actual command injection risk was identified in the skill's code examples. File: SKILL.md Remediation: No action required. The code examples use standard library function calls and do not employ dynamic code execution patterns.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

    The skill does not declare an 'allowed-tools' field in its YAML manifest. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be used. Given that this skill processes sensitive physiological/medical data, explicit tool restrictions would improve the security posture. File: SKILL.md Remediation: Add an explicit 'allowed-tools' declaration to the YAML manifest. For a data analysis skill like this, consider restricting to [Python, Read] if no file writing is needed, or document the intended tool set clearly.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Description May Trigger Excessive Activation

    The skill description is extremely comprehensive, listing a very large number of signal types, analysis domains, and application areas. While this accurately reflects the NeuroKit2 library's capabilities, the extensive keyword coverage (ECG, EEG, EDA, RSP, PPG, EMG, EOG, HRV, entropy, fractal dimensions, etc.) could cause the skill to be activated for a very wide range of physiological data queries, potentially beyond what the user intends. File: SKILL.md Remediation: Consider scoping the description to the most common use cases to reduce unnecessary activation. This is a minor concern as the description accurately reflects the library's capabilities.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation

    The installation instructions use 'uv pip install neurokit2' without specifying a version pin. Additionally, a development version install directly from GitHub is provided without any integrity verification. Unpinned installations are susceptible to supply chain attacks if the package is compromised or a malicious version is published. File: SKILL.md Remediation: Pin the package to a specific known-good version (e.g., 'uv pip install neurokit2==0.2.7'). Avoid recommending direct GitHub zipball installs for production use. If the dev version is needed, specify a commit hash rather than the 'dev' branch tip.

neuropixels-analysis — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Keyword Activation in Description

    The skill description contains an extensive list of trigger keywords designed to maximize activation: 'neural recordings, spike sorting, extracellular electrophysiology, or when the user mentions Neuropixels, SpikeGLX, Open Ephys, Kilosort, quality metrics, or unit curation.' While these are legitimate domain terms, the explicit enumeration of activation triggers in the description is a mild form of keyword baiting that could cause the skill to activate more broadly than necessary. File: SKILL.md Remediation: Simplify the description to describe what the skill does rather than explicitly listing activation keywords. A concise description like 'Neuropixels neural recording analysis toolkit supporting SpikeGLX/OpenEphys data loading, preprocessing, spike sorting, and quality metrics' is sufficient.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies in Installation Instructions

    The SKILL.md installation section uses unpinned pip install commands for multiple packages including spikeinterface, kilosort, spykingcircus, mountainsort5, anthropic, ibl-neuropixel, and ibllib. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be published and automatically installed. File: SKILL.md Remediation: Pin all dependencies to specific versions (e.g., 'pip install spikeinterface==0.101.0'). Consider providing a requirements.txt or environment.yml with pinned versions and hash verification for critical packages.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned neuropixels-analysis Package with No Provenance

    The skill installs 'pip install neuropixels-analysis' which is the skill's own toolkit package, but there is no version pin, no hash verification, and limited provenance information (only 'K-Dense Inc.' as author). This package is central to the skill's operation and could be a typosquatting target or subject to supply chain compromise. File: SKILL.md Remediation: Pin the neuropixels-analysis package to a specific version. Provide a PyPI link, GitHub repository URL, or checksum for verification. Consider bundling the core functionality directly in the skill package rather than relying on an external package.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Exposure Risk in AI Curation Examples

    The references/AI_CURATION.md file contains example code showing API keys being passed directly: 'client = Anthropic(api_key="your-api-key")' and 'client = OpenAI(api_key="your-api-key")'. While these are placeholder examples, they normalize the pattern of hardcoding API keys in scripts rather than using environment variables, which could lead users to expose credentials. File: references/AI_CURATION.md Remediation: Replace hardcoded API key examples with environment variable patterns: 'client = Anthropic() # Uses ANTHROPIC_API_KEY env var' or 'import os; client = Anthropic(api_key=os.environ["ANTHROPIC_API_KEY"])'. Add a note warning against hardcoding credentials.

  • 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Parallel Job Usage with n_jobs=-1

    Multiple scripts use n_jobs=-1 as the default parameter for parallel processing, which instructs the system to use all available CPU cores. In scripts like preprocess_recording.py, compute_metrics.py, run_sorting.py, and the analysis template, this default could exhaust system resources when processing large Neuropixels recordings (384 channels, potentially hours of data). File: scripts/preprocess_recording.py Remediation: Consider defaulting to a more conservative value (e.g., n_jobs=4 or n_jobs=8) and documenting the resource implications. Add warnings when n_jobs=-1 is used on systems with many cores. The current behavior is legitimate for scientific computing but should be documented clearly.

omero-integration — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Multiple Referenced Files Not Found

    The skill references numerous files that were not found during analysis: omero.py, assets/connection.md, assets/data_access.md, assets/metadata.md, assets/scripts.md, assets/rois.md, assets/tables.md, assets/advanced.md, assets/image_processing.md, and all templates/*.md files. The omero.py file in particular could contain executable Python code with unknown behavior. These missing files cannot be audited for security issues. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package and audited before deployment. The omero.py file is of particular concern as it may contain executable code. Remove references to files that do not exist in the package.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License Information

    The skill manifest declares an unknown license. For a skill that connects to external servers, handles credentials, and performs batch data operations on microscopy data, the absence of a clear license creates ambiguity about the skill's provenance and trustworthiness. File: SKILL.md Remediation: Add a valid SPDX license identifier (e.g., MIT, Apache-2.0) to the skill manifest. Also add compatibility information to clarify which environments the skill is designed for.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

    The skill manifest does not declare an allowed-tools field. While this is optional per the agent skills spec, the skill instructs the agent to execute Python code (OMERO API calls, batch processing, file downloads, network connections to OMERO servers). Declaring allowed-tools would help constrain the agent's tool usage to only what is necessary for OMERO operations. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the SKILL.md manifest, e.g., allowed-tools: [Python, Bash] to document the expected tool usage scope.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Hardcoded Credentials in Code Examples

    Multiple reference files contain hardcoded credential examples (USERNAME = 'user', PASSWORD = 'pass', HOST = 'omero.example.com'). While these are clearly illustrative examples in documentation, the connection.md file explicitly recommends using environment variables as a best practice (Pattern 3), but the primary examples shown throughout all reference files use hardcoded strings. Users following the examples literally may embed real credentials in scripts. File: references/connection.md Remediation: Ensure all primary code examples prominently use environment variables or configuration files for credentials. The environment variable pattern (Pattern 3 in connection.md) should be the first/primary example shown, not a secondary option.

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

    The static analyzer flagged a potential eval/exec usage in the Python code blocks within the referenced markdown files. After reviewing all available content, the code examples in the reference files (scripts, rois, tables, image_processing, metadata, connection, data_access, advanced) do not contain explicit eval() or exec() calls with user-controlled input. The code examples use standard OMERO API calls. However, the flagged pattern warrants noting as a low-severity informational finding since several referenced files (omero.py, assets/*.md, templates/*.md) were not found and could not be inspected. File: references/scripts.md Remediation: Ensure all referenced files (omero.py, assets/connection.md, assets/data_access.md, assets/metadata.md, assets/scripts.md, assets/rois.md, assets/tables.md, assets/advanced.md, assets/image_processing.md, templates/*.md) are reviewed for eval/exec usage with user-controlled input before deployment.

opentrons-integration — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

    The skill manifest does not specify a license or compatibility field. While these are optional fields, their absence reduces transparency about the skill's intended deployment context and legal usage terms. The skill-author is listed as 'K-Dense Inc.' but no license is provided. File: SKILL.md Remediation: Add a license field (e.g., 'MIT', 'Apache-2.0') and a compatibility field specifying supported platforms (e.g., 'Claude.ai, Claude Code, API') to the YAML frontmatter.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Referenced Files Not Found in Package

    The SKILL.md references several files that are not present in the skill package: 'opentrons.py', 'assets/api_reference.md', and 'templates/api_reference.md'. Only 'references/api_reference.md' was found. Missing referenced files could cause agent confusion or errors during execution, and in adversarial scenarios could be replaced with malicious content if the paths are later populated. File: SKILL.md Remediation: Remove references to non-existent files from SKILL.md, or include the missing files in the skill package. Ensure all referenced internal files are bundled with the skill.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

    The skill does not declare an allowed-tools field in its YAML manifest. While this field is optional, the skill instructs the agent to execute Python scripts and perform hardware control operations. Declaring allowed-tools would provide explicit scope boundaries for the agent's tool usage. File: SKILL.md Remediation: Add 'allowed-tools: [Python]' or appropriate tool declarations to the YAML frontmatter to explicitly scope the agent's permitted tool usage.

  • 🔵 LOW LLM_COMMAND_INJECTION — Static Analyzer Flag: eval/exec in Python Code Block

    The static pre-scan flagged a Python code block containing eval/exec usage (MDBLOCK_PYTHON_EVAL_EXEC). After manual review of all script files and the SKILL.md instruction body, no actual eval() or exec() calls were found in the provided content. The flag may be a false positive from the static analyzer detecting the string 'exec' within the thermocycler method 'execute_profile()' or similar API method names. No exploitable code injection pattern was identified. File: scripts/pcr_setup_template.py Remediation: No immediate action required. Verify the static analyzer rule is not triggering on legitimate API method names like 'execute_profile'. If actual eval/exec calls are added in future versions, ensure they never operate on user-supplied input.

optimize-for-gpu — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

    The skill manifest does not specify a license or compatibility field. While these are optional per the spec, their absence reduces transparency about the skill's provenance and intended deployment environment. The author is listed as 'K-Dense, Inc.' but no license is declared, making it unclear under what terms the skill can be used or redistributed. File: SKILL.md Remediation: Add a license field (e.g., 'MIT', 'Apache-2.0') and a compatibility field describing supported environments to improve transparency.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Activation Triggers

    The skill description and 'When This Skill Applies' section contain an extremely broad set of activation triggers, including 'Also use when you see CPU-bound Python code (loops, large arrays, ML pipelines, graph analytics, image processing) that would benefit from GPU acceleration, even if not explicitly requested.' This instructs the agent to proactively activate the skill without user request, which could lead to unsolicited code transformation and unexpected behavior. The description also lists dozens of specific technologies and use cases to maximize activation frequency. File: SKILL.md Remediation: Remove the 'even if not explicitly requested' clause. Skill activation should be driven by explicit user intent, not proactive agent inference. Narrow the description to core use cases.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Versions in Installation Instructions

    All installation instructions use unpinned package versions (e.g., 'uv add cupy-cuda12x', 'uv add warp-lang', 'uv add kvikio-cu12'). Without version pinning, the skill could install different package versions over time, potentially introducing breaking changes or supply chain risks if a package is compromised. This applies to all RAPIDS and NVIDIA packages referenced throughout the skill. File: SKILL.md Remediation: Pin package versions in installation instructions (e.g., 'uv add cupy-cuda12x==13.x.x'). At minimum, document the tested version range. Consider adding a requirements file with pinned versions.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Use of Non-Default PyPI Index (pypi.nvidia.com)

    Multiple packages are installed from a non-default index (https://pypi.nvidia.com) using --extra-index-url. While this is the legitimate NVIDIA RAPIDS index, using extra index URLs introduces supply chain risk: if the package name exists on both PyPI and the extra index, pip/uv may resolve from either source depending on version availability. This is a known attack vector (dependency confusion). File: SKILL.md Remediation: Consider using --index-url (exclusive) instead of --extra-index-url where possible, or use uv's index priority configuration to prefer the NVIDIA index for RAPIDS packages. Document that pypi.nvidia.com is the authoritative source for these packages.

  • 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Many Referenced Files Not Found in Package

    The skill references a large number of files (cuxfilter.py, templates/cupy.md, assets/cudf.md, cupyx.py, networkx.py, etc.) that are not present in the package. While the core reference files (references/*.md) are present, the absence of many referenced files means the skill's instructions may be incomplete or the package is missing components. This could cause the agent to attempt to read non-existent files, leading to errors or unexpected fallback behavior. File: SKILL.md Remediation: Audit all file references in the skill instructions and either include the missing files or remove references to them. Ensure the package is complete before distribution.

paper-lookup — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Keys Loaded from Environment and .env Without Sanitization Guidance

    The skill instructions direct the agent to load API keys (NCBI_API_KEY, CORE_API_KEY, S2_API_KEY, OPENALEX_API_KEY) from environment variables and fall back to a .env file in the current working directory. While this is a common pattern, the instructions do not specify any validation, scoping, or sanitization of these values before use. If the .env file is user-controlled or the working directory is untrusted, a malicious .env could inject unexpected values. Additionally, the instructions tell the agent to 'tell the user which key is missing' which could inadvertently disclose which credentials are absent from the environment. File: SKILL.md Remediation: Clarify that .env loading should only occur from the skill's own directory, not a user-supplied working directory. Avoid disclosing which specific API keys are absent to the user in detail. Consider noting that key values should not be logged or included in responses.

  • 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Multi-Database Parallel Querying Without Resource Limits

    The skill instructions encourage querying multiple databases in parallel and provide cross-database query patterns that involve hitting 3-5 APIs simultaneously (e.g., 'Crossref + Semantic Scholar + Unpaywall' or 'PubMed + OpenAlex + Semantic Scholar'). There are no explicit limits on the number of parallel requests, pagination depth, or total results fetched. Combined with instructions to 'default to showing the full raw JSON', this could result in very large response payloads and significant compute/network resource consumption, particularly for broad queries. File: SKILL.md Remediation: Add explicit guidance on limiting parallel requests (e.g., max 3 concurrent databases), setting reasonable result limits per database (e.g., max 10-25 results per query unless user requests more), and truncating very large JSON responses with a note that more data is available on request.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Activation Description with Keyword Baiting

    The skill description in the YAML manifest is unusually verbose and contains extensive keyword baiting designed to maximize activation frequency. It explicitly lists numerous trigger phrases ('Even if the user just says "find papers on X"', 'what's been published about Y', 'look up this DOI') and enumerates all 10 database names as activation keywords. While this may be intentional for discoverability, it inflates the skill's perceived scope and could cause it to activate in contexts where simpler or more targeted tools would be appropriate, potentially leading to unnecessary API calls or resource consumption. File: SKILL.md Remediation: Trim the description to a concise, accurate summary of the skill's capabilities. Avoid exhaustive keyword lists and explicit activation directives in the manifest description. Let the agent's natural language understanding determine when to invoke the skill.

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Reference File Code Block

    The static analyzer flagged a Python code block in references/openalex.md that uses eval/exec patterns. Specifically, the OpenAlex reference file contains a Python snippet for reconstructing abstracts from an inverted index. While this particular snippet does not itself call eval/exec, the static scanner detected the pattern. The agent is instructed to read these reference files before making API calls, and if the agent were to execute code blocks found in reference files, any eval/exec usage could become a code injection vector. The risk is low given the snippet appears benign, but the pattern warrants documentation. File: references/openalex.md Remediation: Verify no eval/exec calls exist in any reference or template files. Ensure the agent is instructed to read reference files for API documentation only, not to execute code blocks found within them. The abstract reconstruction snippet is safe as written but should be reviewed if modified.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Email Address Required as Query Parameter for Unpaywall and Crossref

    The skill instructions and reference files require the agent to include a real email address as a query parameter when calling Unpaywall (mandatory) and Crossref (recommended for polite pool). The instructions do not specify where this email should come from, potentially causing the agent to use a user-provided email, a hardcoded placeholder, or to prompt the user. Unpaywall explicitly rejects placeholder emails. This could lead to the agent inadvertently transmitting a user's email address to third-party APIs without explicit consent, or to API failures if a placeholder is used. File: references/unpaywall.md Remediation: The skill should document a specific, dedicated contact email for API polite-pool usage (e.g., a service account email), rather than relying on user-provided or dynamically sourced email addresses. This prevents inadvertent PII transmission and ensures consistent API access.

paperzilla — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Authentication Credentials Managed via CLI Without Explicit Scope Guidance

    The skill instructs the agent to run pz login to authenticate, but provides no guidance on credential scope, token storage location, or expiry. The PZ_API_URL environment variable is also exposed as a configuration mechanism. If the agent operates in a shared or multi-user environment, credentials stored by pz login could be accessible to other processes or users. There is no mention of least-privilege token scopes. File: SKILL.md Remediation: Document where credentials are stored (e.g., keychain, config file path), recommend using scoped/read-only tokens where possible, and advise users to review token permissions before authenticating.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Broad Skill Activation Triggers May Cause Unintended Invocation

    The skill description and YAML manifest use broad trigger phrases such as 'recent project recommendations', 'canonical paper details', 'markdown-based summaries', 'recommendation feedback', 'feed export', and 'Atom feed URLs'. While not overtly malicious, these wide-ranging activation keywords could cause the skill to be invoked in contexts where it is not appropriate, potentially exposing Paperzilla authentication tokens or project data unintentionally. File: SKILL.md Remediation: Narrow the activation description to be more specific about the required context (e.g., require explicit mention of 'Paperzilla' or 'pz') to reduce unintended activation.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unversioned External CLI Installation via Third-Party Package Managers

    The skill instructs the agent to install the pz CLI via Homebrew tap (paperzilla-ai/tap/pz) and Scoop bucket (https://github.com/paperzilla-ai/scoop-bucket) without any version pinning or integrity verification. If the third-party tap or bucket repository is compromised, a malicious version of the CLI could be silently installed. There is no checksum, version constraint, or signature verification step specified. File: SKILL.md Remediation: Pin to a specific version (e.g., brew install paperzilla-ai/tap/pz@1.2.3) and document expected checksums or signatures. Reference the official release page and advise users to verify the binary before execution.

pdf — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Proprietary License Without Clear Terms

    The skill declares a proprietary license ('Proprietary. LICENSE.txt has complete terms') but no LICENSE.txt file is present in the analyzed package. This creates ambiguity about usage rights and provenance, and could mask supply chain or redistribution risks. File: SKILL.md Remediation: Include the LICENSE.txt file in the skill package, or use a standard open-source license identifier. Ensure the license terms are accessible alongside the skill.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Referenced Files Not Found in Package

    The SKILL.md references several files (reference.md, forms.md) for additional instructions, and the static analysis lists pdfplumber.py, pytesseract.py, pypdf.py, pdf2image.py, reportlab.py as referenced but not found. Missing referenced files could indicate incomplete packaging or that the skill relies on external/unvetted content that may be fetched at runtime. File: SKILL.md Remediation: Ensure all referenced files (reference.md, forms.md) are included in the skill package. Verify that the referenced .py files are not intended to shadow standard library modules. Do not rely on externally fetched instruction files.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Overly Broad Skill Description May Cause Excessive Activation

    The skill description is extremely broad, claiming to handle virtually any PDF-related task. The description explicitly instructs the agent to activate 'whenever the user wants to do anything with PDF files' and 'If the user mentions a .pdf file or asks to produce one, use this skill.' While this may be intentional, it could lead to the skill being invoked in contexts where a more targeted tool would be appropriate, potentially over-collecting or over-processing user data. File: SKILL.md Remediation: Narrow the activation criteria to specific, well-defined use cases. Avoid blanket 'use me for anything' language in skill descriptions.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Third-Party Library Dependencies

    The skill instructs installation and use of multiple third-party Python libraries (pypdf, pdfplumber, reportlab, pytesseract, pdf2image, pandas, Pillow) without specifying version pins. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be installed. The static analyzer also flagged eval/exec usage in Python code blocks, which may originate from these libraries. File: SKILL.md Remediation: Pin all dependencies to specific versions (e.g., pypdf==4.x.x, pdfplumber==0.x.x). Consider using a requirements.txt with hashed dependencies. Audit all third-party packages for known vulnerabilities before use.

polars-bio — 🔵 LOW

  • 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Parallelism Configuration Without Guardrails

    The skill instructs users to set DataFusion parallelism to os.cpu_count() without any upper bound or warning about resource consumption. On large machines, this could exhaust system resources when processing large genomic datasets. The skill also enables streaming/out-of-core processing for datasets 'larger than available RAM' without warning about potential disk I/O exhaustion. File: SKILL.md Remediation: Add guidance on appropriate parallelism limits and resource monitoring. Suggest capping parallelism (e.g., min(os.cpu_count(), 8)) and noting that full CPU utilization may impact system responsiveness.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Description

    The skill description claims to be a 'faster bioframe alternative' and lists extensive capabilities (cloud-native, streaming, SQL, multiple file formats). While this may be accurate for the polars-bio library, the description functions as marketing copy that could cause the agent to prefer this skill over more appropriate alternatives for simple tasks. The 'faster bioframe alternative' framing is a competitive positioning claim that cannot be verified by the agent. File: SKILL.md Remediation: Narrow the description to factual capability statements without comparative marketing claims. Remove 'faster bioframe alternative' from the description field used for skill discovery.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instructions

    The skill instructs installation of polars-bio without version pinning. This means the agent could install any version of the package, including potentially compromised future versions. The license field points to a GitHub URL rather than specifying a SPDX license identifier, and the skill-author field ('K-Dense Inc.') cannot be verified against the GitHub repository owner (biodatageeks). File: SKILL.md Remediation: Pin to a specific version (e.g., pip install polars-bio==0.x.y). Verify that the skill-author matches the actual package maintainer. Use a standard SPDX license identifier instead of a URL.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Cloud Credential Exposure via Environment Variables

    The file_io reference documentation explicitly instructs users to configure cloud credentials via environment variables (AWS_ACCESS_KEY_ID, GOOGLE_APPLICATION_CREDENTIALS). While this is standard cloud SDK practice, the skill's instructions normalize reading and passing cloud credentials through the agent's environment without any warning about credential scope or security implications. The skill also supports anonymous cloud access by default (allow_anonymous=True), which could be used to access public buckets containing sensitive data. File: references/file_io.md Remediation: Add a security note advising users to use least-privilege credentials, avoid storing credentials in plaintext, and be aware that the agent will have access to any credentials present in the environment when executing cloud I/O operations.

pptx — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Activation Description

    The skill description is intentionally crafted to trigger on an extremely wide range of user inputs. It explicitly instructs activation whenever the user mentions 'deck,' 'slides,' 'presentation,' or references any .pptx filename, regardless of context. The phrase 'regardless of what they plan to do with the content afterward' and 'If a .pptx file needs to be opened, created, or touched, use this skill' represents over-broad capability claims designed to maximize activation frequency. While this is a legitimate PPTX skill, the description is engineered for maximum trigger coverage rather than precise capability description. File: SKILL.md Remediation: Narrow the description to accurately describe what the skill does (create, edit, read PPTX files) without the aggressive trigger language. Remove 'regardless of what they plan to do with the content afterward' and similar over-broad activation directives.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies

    The SKILL.md Dependencies section specifies package installations without version pins: 'pip install "markitdown[pptx]"', 'pip install Pillow', and 'npm install -g pptxgenjs'. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be published and automatically installed. The pptxgenjs npm package in particular is installed globally (-g flag), increasing the attack surface. File: SKILL.md Remediation: Pin all dependencies to specific versions (e.g., 'pip install markitdown[pptx]==0.x.x', 'npm install -g pptxgenjs@3.x.x'). Consider using a requirements.txt or package.json with locked versions. Avoid global npm installs (-g) where possible.

  • 🔵 LOW LLM_DATA_EXFILTRATION — LD_PRELOAD Shim Compiled and Injected at Runtime

    The soffice.py script dynamically compiles a C shared library (lo_socket_shim.so) from an embedded C source string and writes it to the system temp directory, then injects it via LD_PRELOAD into the LibreOffice process environment. While the stated purpose is to work around AF_UNIX socket restrictions in sandboxed environments, this pattern (write C code to disk, compile with gcc, inject via LD_PRELOAD) is a technique also used by malware for privilege escalation or environment manipulation. The C code itself appears benign (socket shimming), but the pattern warrants awareness. The shim is only applied when AF_UNIX sockets are blocked (_needs_shim() returns True). File: scripts/office/soffice.py Remediation: Document this behavior clearly in the skill's README/manifest. Consider shipping the pre-compiled shim as a binary artifact rather than compiling at runtime, or add a user-visible warning when the shim is activated. Verify the shim source is not modifiable by untrusted input paths.

  • 🔵 LOW LLM_COMMAND_INJECTION — Static Analyzer Flag: eval/exec in Python Code Block (False Positive Assessment)

    The static pre-scan flagged a Python eval/exec usage (MDBLOCK_PYTHON_EVAL_EXEC). After reviewing all Python scripts in the skill package, no actual use of eval() or exec() with untrusted input was found. The scripts use defusedxml for XML parsing (a security-conscious choice), subprocess calls with fixed argument lists (not shell=True with user input), and standard file operations. The flag may refer to a code block in a markdown reference file. No exploitable eval/exec pattern was identified in the actual executable scripts. File: scripts/thumbnail.py Remediation: No action required for eval/exec. Confirm the static analyzer flag source; if it originates from a documentation code example in a .md file, it is not executable and poses no risk.

pydicom — 🔵 LOW

  • 🔵 LOW LLM_RESOURCE_ABUSE — Unpinned Package Dependencies

    The SKILL.md installation instructions use unpinned package versions (e.g., 'uv pip install pydicom', 'uv pip install pillow', 'uv pip install numpy'). Without version pinning, the skill is susceptible to supply chain attacks where a malicious version of a dependency could be installed. This is a low-severity concern for a documentation/guidance skill, but worth noting for production use. File: SKILL.md Remediation: Pin dependency versions explicitly (e.g., 'uv pip install pydicom==2.4.4 pillow==10.2.0 numpy==1.26.4'). Consider providing a requirements.txt with pinned versions and hashes.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md manifest does not specify the 'allowed-tools' field. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools this skill may invoke. The skill executes Python scripts and Bash commands, so declaring allowed tools would improve transparency and security posture. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash]' to the YAML frontmatter to explicitly declare the tools this skill requires.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — License Field Points to External URL Rather Than SPDX Identifier

    The license field contains a URL to a GitHub repository rather than a standard SPDX identifier (e.g., 'MIT'). This is a minor provenance concern — the actual license terms are not embedded in the skill package and depend on an external URL that could change. File: SKILL.md Remediation: Use a standard SPDX license identifier (e.g., 'license: MIT') in the manifest frontmatter.

pylabrobot — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

    The skill does not specify the 'allowed-tools' field in its YAML manifest. While this is optional per the agent skills spec, it means there are no declared restrictions on which agent tools can be used. Given the skill generates Python code that controls physical laboratory hardware, documenting tool restrictions would improve transparency. File: SKILL.md Remediation: Add an 'allowed-tools' field to the YAML manifest specifying which tools are required, e.g., 'allowed-tools: [Python, Bash]'. This improves transparency and allows the agent runtime to enforce restrictions.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Metadata

    The skill does not specify the 'compatibility' field in its YAML manifest. Given the skill controls physical laboratory hardware (Hamilton, Tecan, Opentrons robots), documenting platform compatibility and network requirements would be important for users. File: SKILL.md Remediation: Add a 'compatibility' field documenting supported platforms and any network requirements (e.g., for Opentrons OT-2 which requires network access to the robot's IP address).

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Recommendation

    The SKILL.md instructions recommend installing PyLabRobot via 'uv pip install pylabrobot' without a version pin. While this is a comment in example code rather than an automated install, if a user or agent follows this instruction, they may install an unverified or compromised version of the package. The skill does not specify a minimum or exact version. File: SKILL.md Remediation: Recommend a specific pinned version in the installation comment, e.g., '# uv pip install pylabrobot==0.x.y'. This reduces supply chain risk from unintended package version changes.

pymoo — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

    The skill does not specify the 'allowed-tools' field in its YAML manifest. While this is optional per the agent skills spec, documenting which tools are used (Python, Bash) would improve transparency and security posture. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash]' to the YAML frontmatter to explicitly declare the tools this skill uses.

pyopenms — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Multiple Referenced Files Not Found in Package

    The skill references numerous files that are not present in the package (assets/file_io.md, templates/metabolomics.md, assets/identification.md, pyopenms.py, templates/feature_detection.md, assets/data_structures.md, assets/signal_processing.md, templates/file_io.md, templates/identification.md, templates/data_structures.md, assets/metabolomics.md, assets/feature_detection.md). The static analyzer flagged potential environment variable exfiltration and cross-file exfiltration chains across 2 files. The missing files (particularly pyopenms.py) could contain malicious code that was not available for analysis. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package and available for security review. The missing pyopenms.py script is particularly concerning given the static analyzer's detection of environment variable exfiltration and cross-file exfiltration chains. Audit all missing files before deployment.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Declaration

    The skill manifest does not specify an 'allowed-tools' field. While this is optional per the agent skills spec, documenting which tools are used (Python, Bash, Read, Write) would improve transparency and security posture for a skill that executes Python code and reads/writes mass spectrometry files. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools actually used, e.g., allowed-tools: [Python, Read, Write, Bash]

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Declaration

    The skill does not specify a 'compatibility' field in the manifest. Given that the skill installs a large native library (pyopenms) and processes scientific data files, documenting compatibility constraints would help users understand the environment requirements. File: SKILL.md Remediation: Add a 'compatibility' field specifying supported platforms and environments, e.g., compatibility: Linux, macOS (requires Python 3.8+, ~500MB disk for pyopenms)

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation

    The installation instruction uses 'uv pip install pyopenms' without pinning a specific version. This exposes the skill to supply chain risks if a malicious or compromised version of pyopenms is published to PyPI. Additionally, there is a typo in the install command ('uv uv pip install pyopenms'). File: SKILL.md:30 Remediation: Pin to a specific known-good version, e.g., 'uv pip install pyopenms==3.1.0', and fix the duplicate 'uv uv' typo. Consider adding a hash verification step.

pysam — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility and Allowed-Tools Metadata

    The skill manifest does not specify 'compatibility' or 'allowed-tools' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill may invoke, reducing transparency about the skill's intended operational scope. File: SKILL.md Remediation: Add 'compatibility' and 'allowed-tools' fields to the YAML frontmatter to clearly declare the intended execution environment and tool restrictions. For example: allowed-tools: [Python, Bash]

pytdc — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing Referenced Files May Cause Unexpected Behavior

    Several files referenced in the SKILL.md instructions and scripts are not present in the skill package: templates/oracles.md, assets/oracles.md, assets/utilities.md, templates/utilities.md, and tdc.py. While this is not a direct security threat, missing files could cause the agent to attempt to fetch them from external sources or behave unpredictably when referenced. The static pre-scan flagged cross-file exfiltration chain patterns across 2 files, which warrants noting the incomplete file inventory. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. Remove references to non-existent files from SKILL.md instructions to prevent the agent from attempting to locate them externally.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility Metadata

    The skill manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill may use. The scripts execute Python code, load large datasets from the internet (ChEMBL, BindingDB), and perform network-dependent operations (cid2smiles, uniprot2seq database queries), none of which are declared in the manifest. File: SKILL.md Remediation: Add 'allowed-tools' to the manifest to explicitly declare which tools are needed (e.g., Python, Bash). Add 'compatibility' to clarify environment requirements. This improves transparency and allows agents to enforce tool restrictions.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation via uv pip install

    The SKILL.md instructs users to install PyTDC using 'uv pip install PyTDC' and 'uv pip install PyTDC --upgrade' without version pinning. This means the agent will always install the latest available version of PyTDC, which could introduce supply chain risks if the package is compromised or if a malicious version is published. No version constraint (e.g., PyTDC==0.4.1) is specified. File: SKILL.md Remediation: Pin the PyTDC package to a specific known-good version (e.g., 'uv pip install PyTDC==0.4.1'). Avoid using --upgrade in automated contexts without version validation. Consider using a lockfile or hash verification.

pyzotero — 🔵 LOW

  • 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded everything() Calls May Exhaust Resources on Large Libraries

    The skill repeatedly recommends using zot.everything(zot.items()) to retrieve all items from a Zotero library without any warnings about resource consumption. For large libraries with tens of thousands of items, this pattern makes sequential API calls that could exhaust memory, consume excessive compute, or trigger API rate limits. The pagination reference file notes this concern only briefly ('large libraries may take time') without providing adequate guardrails. File: SKILL.md Remediation: Add explicit warnings about the resource implications of everything() on large libraries. Recommend checking zot.count_items() first and using paginated approaches with since= version parameters for sync workflows. Document memory and rate-limit considerations prominently.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Field in YAML Manifest

    The YAML manifest does not specify a 'compatibility' field (it is reported as 'Not specified'). While this is a minor documentation gap, it means users and automated skill discovery systems cannot determine which agent environments this skill is compatible with, potentially leading to unexpected behavior when the skill is used in unsupported contexts. File: SKILL.md Remediation: Add a compatibility field to the YAML frontmatter specifying which agent environments (e.g., Claude.ai, Claude Code, API) this skill has been tested with.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Credentials Stored in Environment Variables / .env File

    The skill instructs users to store Zotero API keys and library IDs in environment variables or a .env file. While this is a common and generally acceptable practice, the skill does not warn users about the risks of committing .env files to version control or exposing them in shared environments. The authentication reference file also shows hardcoded example credentials (e.g., 'ABC1234XYZ') in code snippets, which could be mistaken for real credentials by less experienced users. File: references/authentication.md Remediation: Add explicit warnings to never commit .env files to version control (add .env to .gitignore). Clarify that example credentials like 'ABC1234XYZ' are placeholders only. Consider recommending a secrets manager for production use.

  • 🔵 LOW LLM_DATA_EXFILTRATION — File Dump to Arbitrary User-Specified Paths

    The files-attachments reference demonstrates zot.dump() with user-controlled path parameters, writing downloaded PDF content to arbitrary filesystem locations. While this is legitimate functionality, the skill provides no guidance on validating or sanitizing path inputs, which could allow path traversal if the path parameter is derived from untrusted input (e.g., filenames from Zotero metadata containing '../' sequences). File: references/files-attachments.md Remediation: Add guidance to validate and sanitize file paths before passing them to dump(). Recommend using os.path.abspath() and checking that the resolved path is within the intended output directory to prevent path traversal.

qiskit — 🔵 LOW

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies in Installation Instructions

    The skill instructs users to install packages using 'uv pip install qiskit', 'uv pip install qiskit-nature', 'uv pip install qiskit-machine-learning', 'uv pip install qiskit-optimization', 'uv pip install qiskit-algorithms', and 'uv pip install qiskit-ibm-runtime' without specifying version pins. Unpinned dependencies can lead to supply chain risks if a malicious or breaking version is published to PyPI. Remediation: Pin package versions in installation instructions, e.g., 'uv pip install qiskit==1.x.x'. Consider providing a requirements.txt or pyproject.toml with pinned versions for reproducible environments.

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Token Handling in Documentation Examples

    The setup documentation (references/setup.md and references/backends.md) includes code examples that show users saving IBM Quantum API tokens using QiskitRuntimeService.save_account(token='YOUR_IBM_QUANTUM_TOKEN') and setting environment variables. While these are standard IBM Quantum patterns and the placeholder 'YOUR_IBM_QUANTUM_TOKEN' is used, the documentation does not warn users against hardcoding real tokens in scripts or committing them to version control. File: references/backends.md Remediation: Add explicit warnings in the documentation advising users never to hardcode real API tokens in scripts, to use environment variables or credential managers, and to add token-containing files to .gitignore.

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage Flagged by Static Analyzer

    The static pre-scan flagged a MDBLOCK_PYTHON_EVAL_EXEC finding, indicating a Python code block in the skill's markdown files uses eval or exec. After reviewing all provided reference files (references/setup.md, references/circuits.md, references/algorithms.md, references/patterns.md, references/transpilation.md, references/backends.md, references/visualization.md, references/primitives.md), no actual eval() or exec() calls were found in any of the code blocks. The static analyzer may have triggered on a false positive. No command injection risk was identified in the reviewed content. File: references/transpilation.md Remediation: Verify the static analyzer finding against the actual file contents. If eval/exec is present in files not provided for review (e.g., missing files like qiskit.py, scipy.py), inspect those files manually. If confirmed as a false positive, no action is needed.

rdkit — 🔵 LOW

  • 🔵 LOW LLM_COMMAND_INJECTION — Pickle Deserialization in Best Practices Section

    The SKILL.md instructions recommend using Python's pickle module for storing and loading molecules as a performance optimization. Pickle deserialization is inherently unsafe when loading files from untrusted sources, as malicious pickle data can execute arbitrary code during deserialization. If a user is directed to load a pickle file from an untrusted source, this could lead to arbitrary code execution. File: SKILL.md Remediation: Add a clear warning in the instructions that pickle files should only be loaded from trusted sources. Consider recommending safer serialization alternatives such as storing molecules as SMILES strings or using SDF format for persistence. If pickle must be used, document the security risk explicitly.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

    The skill manifest does not declare an allowed-tools field. While this is optional per the spec, the skill instructs the agent to execute Python scripts and read/write files (SDF, CSV, pickle files). Declaring allowed-tools would help constrain the agent's tool usage to only what is necessary for the skill's stated purpose. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the YAML frontmatter, e.g., allowed-tools: [Python, Read, Write], to limit the agent's tool surface to only what is needed for cheminformatics tasks.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Referenced File rdkit.py Not Found

    The SKILL.md instructions reference a file 'rdkit.py' in the skill package, but this file was not found. This could indicate an incomplete skill package or a reference to an external dependency. Missing referenced files may cause unexpected agent behavior when the skill attempts to load or use the file. File: SKILL.md Remediation: Either include the rdkit.py file in the skill package or remove the reference from the instructions. Ensure all referenced files are bundled with the skill package.

rowan — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — API Key Exposed in Plaintext Code Examples

    The SKILL.md instruction body contains multiple code examples where the Rowan API key is set directly in Python code as a string literal (e.g., rowan.api_key = "your_api_key_here"). While these are placeholder values, the pattern encourages users to hardcode API keys in scripts rather than using environment variables exclusively. The skill does mention the environment variable approach but presents both as equally valid options. File: SKILL.md Remediation: Update all code examples to exclusively use the environment variable pattern (ROWAN_API_KEY). Remove inline API key assignment examples from documentation to discourage insecure credential handling practices.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Referenced Script Files Not Found (rdkit.py, rowan.py)

    The SKILL.md references two Python files (rdkit.py and rowan.py) that were not found in the skill package. The static analyzer flagged cross-file exfiltration chains across 6 Python files and environment variable exfiltration patterns. Without being able to inspect these files, their actual behavior cannot be verified. The pre-scan context indicates environment variable access combined with network calls in multiple files, which warrants attention even if the files are part of the legitimate rowan-python library. File: SKILL.md Remediation: Ensure all referenced script files are included in the skill package for inspection. Verify that environment variable access (particularly ROWAN_API_KEY) is only transmitted to the legitimate Rowan API endpoints and not to any third-party or attacker-controlled servers. Audit all 6 Python files flagged by the static analyzer.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Broad Trigger Keywords May Cause Unintended Activation

    The skill manifest includes a broad set of trigger keywords including generic terms like 'SMILES', 'drug discovery', 'protein structure', and 'batch molecular modeling'. These terms could cause the skill to activate in contexts where the user did not intend to invoke a cloud-based paid service, potentially consuming credits unexpectedly. File: SKILL.md Remediation: Narrow trigger keywords to more specific terms that unambiguously indicate intent to use the Rowan cloud platform. Add explicit user confirmation before submitting workflows that consume credits, especially for batch operations.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation

    The skill instructs users to install the rowan-python package without specifying a version pin. This means any future compromised or malicious version of the package could be installed automatically, creating a supply chain risk. File: SKILL.md Remediation: Pin the package to a specific known-good version, e.g., pip install rowan-python==<version>. Document the expected version and provide a hash-based verification step if possible.

scanpy — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, documenting which tools are used (Python, Bash, file read/write) would improve transparency and allow runtime enforcement of tool restrictions. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash, Read, Write]' to the YAML frontmatter to explicitly declare the tools this skill requires.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Field in Manifest

    The SKILL.md manifest does not specify the 'compatibility' field, leaving users without information about which agent environments this skill is designed to work with. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments (e.g., 'Claude.ai, Claude Code, API').

scientific-brainstorming — 🔵 LOW

  • 🔵 LOW LLM_PROMPT_INJECTION — Reference to Non-Existent Internal Files

    The SKILL.md instructions reference 'references/brainstorming_methods.md' (which exists), but also implicitly reference 'assets/brainstorming_methods.md' and 'templates/brainstorming_methods.md' (both not found). The static analyzer detected these as referenced files. While the existing 'references/brainstorming_methods.md' is benign, the presence of multiple path variants for the same logical resource could cause confusion or unintended file resolution if the agent searches for the file by name across directories. File: SKILL.md Remediation: Ensure only one canonical path is referenced in SKILL.md and remove or clarify any ambiguous path references. Confirm that 'assets/brainstorming_methods.md' and 'templates/brainstorming_methods.md' are not intended to exist.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

    The skill does not specify the 'allowed-tools' field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools this skill may invoke. Given the skill's stated purpose (conversational brainstorming), this is a minor informational gap rather than an active threat. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML manifest. For a conversational brainstorming skill with no scripts, this could be as minimal as 'allowed-tools: []' or 'allowed-tools: [Read]' to document intended scope.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Metadata

    The skill does not specify the 'compatibility' field in its YAML manifest. This is a minor documentation gap that reduces transparency about where the skill is intended to operate. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML manifest indicating supported platforms (e.g., 'Claude.ai, Claude Code, API').

scientific-visualization — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

    The SKILL.md manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, documenting which tools (Python, Bash, Read, Write, etc.) are required would improve transparency and allow runtime enforcement of tool restrictions. File: SKILL.md Remediation: Add an 'allowed-tools' field to the YAML frontmatter listing the tools actually used, e.g., 'allowed-tools: [Python, Read, Write]'.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Metadata

    The SKILL.md manifest does not specify the 'compatibility' field. This reduces transparency about where the skill is intended to run and what environment requirements exist. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter describing supported environments.

scikit-bio — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility metadata

    The SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on what tools the agent may use when executing this skill. Given the skill's broad scope (file I/O, network references, Python execution), documenting these constraints would improve transparency. File: SKILL.md Remediation: Add 'allowed-tools' and 'compatibility' fields to the YAML frontmatter to explicitly declare what tools and environments this skill is intended to use.

scikit-learn — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, the skill executes Python scripts and performs file writes (saving PNG plots), so documenting the required tools would improve transparency. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash]' or similar to the YAML frontmatter to document what tools the skill requires.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Malformed Installation Commands in SKILL.md

    The installation section contains doubled 'uv' commands (e.g., 'uv uv pip install scikit-learn') which are syntactically incorrect. While not a security threat, this could cause confusion or unexpected behavior if executed literally by an agent. File: SKILL.md Remediation: Correct the installation commands to use single 'uv pip install scikit-learn' syntax.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies

    The installation instructions and scripts reference packages (scikit-learn, matplotlib, seaborn, pandas, numpy, imbalanced-learn, umap-learn, category-encoders) without version pins. This creates supply chain risk where a compromised or incompatible package version could be installed. File: SKILL.md Remediation: Pin all dependencies to specific versions (e.g., 'scikit-learn==1.4.0') to ensure reproducibility and reduce supply chain risk.

scikit-survival — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Description with Excessive Trigger Keywords

    The skill description and 'When to Use This Skill' section contain an extensive list of trigger keywords and use cases (Cox models, Random Survival Forests, Gradient Boosting, Survival SVMs, concordance index, Brier score, competing risks, etc.). While this is a legitimate documentation practice for a comprehensive toolkit, the breadth of activation triggers could cause the skill to be invoked for a wide range of survival analysis queries, potentially displacing other more specialized skills. File: SKILL.md Remediation: This is a minor concern for a comprehensive toolkit skill. Consider scoping the description more precisely if skill conflicts arise in multi-skill environments.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and Compatibility Metadata

    The YAML manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on what tools the agent may use when executing this skill. Given the skill references Python code examples and file reads, declaring allowed tools would improve transparency and security posture. File: SKILL.md Remediation: Add 'allowed-tools: [Read, Python]' and a compatibility field to the YAML frontmatter to explicitly scope the skill's tool access.

scvelo — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Unresolved Referenced Files May Indicate Stale Manifest

    The skill references matplotlib.py, scvelo.py, and scanpy.py as files in the instructions, but none of these files exist in the skill package. These appear to be false positives from the static analyzer misidentifying Python import statements as file references, but the discrepancy between declared references and actual files could indicate an incomplete or stale skill package. File: SKILL.md Remediation: Verify the skill package is complete and that all referenced files are included. If these are import statements misidentified as file references, no action is needed. Ensure the skill manifest accurately reflects the package contents.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Recommended

    The SKILL.md instructs users to install scvelo via pip install scvelo without a version pin. While this is a legitimate, well-known bioinformatics package, unpinned installations can expose users to supply chain risks if the package is compromised or a malicious version is published. The skill also depends on scanpy, numpy, and matplotlib without version constraints. File: SKILL.md Remediation: Recommend pinning to a specific known-good version, e.g., pip install scvelo==0.2.5. Consider providing a requirements.txt or conda environment file with pinned dependencies.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Static Analyzer Flags Potential Environment Variable / Network Cross-File Chain — Low Confidence

    The pre-scan static analyzer flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN across 3 files. Manual review of the provided script (rna_velocity_workflow.py) shows no evidence of environment variable access, credential harvesting, or network exfiltration. The script uses only local file I/O (os.makedirs, adata.write_h5ad) and calls to the scvelo/scanpy libraries. The static analyzer findings appear to be false positives, possibly triggered by library calls that internally use network or environment variables (e.g., scv.datasets.pancreas() downloads a dataset). This is flagged at LOW severity for transparency. File: scripts/rna_velocity_workflow.py Remediation: No immediate action required. The dataset download in the demo main block (scv.datasets.pancreas()) fetches data from the scVelo project's remote servers, which is expected behavior for a demo. If operating in a restricted network environment, pre-download the dataset and load it locally instead.

scvi-tools — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility and Allowed-Tools Metadata

    The skill manifest does not specify 'compatibility' or 'allowed-tools' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on tool usage or environment compatibility. This is informational only and does not represent a direct threat, but reduces transparency about the skill's intended operating environment. File: SKILL.md Remediation: Add 'compatibility' and 'allowed-tools' fields to the YAML frontmatter to clearly document the intended execution environment and tool restrictions.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation

    The installation instructions use 'uv pip install scvi-tools' and 'uv pip install scvi-tools[cuda]' without version pinning. This means the agent could install any version of the package, including potentially compromised future versions. Without a pinned version, supply chain attacks via malicious package updates are possible. File: SKILL.md Remediation: Pin the package version explicitly, e.g., 'uv pip install scvi-tools==1.1.0' to ensure reproducibility and reduce supply chain risk.

shap — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

    The skill does not declare an allowed-tools field in its YAML manifest. While this field is optional per the spec, its absence means there are no declared restrictions on what tools the agent may use when executing this skill. Given the skill references Python code patterns and file I/O operations (joblib, model loading/saving), declaring allowed-tools would improve transparency and reduce the risk of unintended tool use. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the YAML manifest, e.g., allowed-tools: [Read, Python] to limit the skill to only the tools it legitimately needs.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Skill Description

    The skill description is extremely broad, claiming to work with virtually all model types (tree-based, deep learning, linear, black-box) and covering a wide range of use cases. While this may reflect legitimate functionality, the description is crafted to maximize activation across many different user queries, which could be considered capability inflation for discovery purposes. File: SKILL.md Remediation: Scope the description to the core functionality. Avoid listing exhaustive trigger phrases that maximize activation breadth beyond what is necessary.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instructions

    The installation section recommends installing packages without version pins (e.g., 'uv pip install shap', 'uv pip install -U shap'). Unpinned installations are vulnerable to supply chain attacks where a malicious version of a package could be installed. The '-U' flag explicitly upgrades to the latest version, which could introduce a compromised release. File: SKILL.md Remediation: Pin package versions to known-good releases, e.g., 'uv pip install shap==0.44.0 matplotlib==3.8.0'. Avoid using the -U (upgrade) flag in skill instructions as it bypasses version pinning.

simpy — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

    The SKILL.md manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, documenting which tools are used (Python, Bash, Read, Write) would improve transparency and allow agents to enforce capability restrictions. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Read, Write]' to the YAML frontmatter to explicitly declare the tools this skill requires.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Field

    The SKILL.md manifest does not specify the 'compatibility' field, leaving it unclear which agent environments this skill is designed to work with. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter specifying supported environments (e.g., 'Claude.ai, Claude Code, API').

stable-baselines3 — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

    The skill manifest does not specify an allowed-tools field. While this is optional per the spec, the skill executes Python scripts that perform file I/O, subprocess spawning (SubprocVecEnv), and directory creation. Declaring allowed-tools would improve transparency about the skill's capabilities. File: SKILL.md Remediation: Add an explicit allowed-tools field to the YAML frontmatter listing the tools actually used, e.g., allowed-tools: [Python, Bash].

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Metadata

    The skill does not specify a compatibility field in the YAML manifest. This is a minor documentation gap that could lead to the skill being used in unsupported contexts. File: SKILL.md Remediation: Add a compatibility field specifying supported platforms and agent environments.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation

    The skill instructs users to install stable-baselines3 without version pinning. This exposes users to supply chain risks where a compromised or malicious package version could be installed. File: SKILL.md Remediation: Pin the package to a specific known-good version, e.g., uv pip install "stable-baselines3[extra]==2.3.2" (the extras marker goes before the version specifier), and document the expected version in the manifest.

tiledbvcf — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing Referenced Script Files

    The SKILL.md references two Python files (tiledbvcf.py and tiledb.py) in its instructions, but neither file is present in the skill package. This means the skill's actual executable behavior cannot be fully audited. If these files exist at runtime, their content is unknown and could contain data exfiltration, credential theft, or other malicious behavior that cannot be reviewed. File: SKILL.md Remediation: Include all referenced script files in the skill package so they can be audited. Do not reference external or missing files in skill instructions.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility Metadata

    The SKILL.md does not specify the 'allowed-tools' or 'compatibility' fields in the YAML frontmatter. While these fields are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill may invoke, reducing transparency and auditability of the skill's intended scope. File: SKILL.md Remediation: Add 'allowed-tools' to the YAML frontmatter to explicitly declare which agent tools (Read, Write, Bash, Python, etc.) this skill is permitted to use. Add 'compatibility' to clarify supported environments.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Without Version Constraints

    The skill instructs users to install packages (tiledb-cloud, tiledb-cloud[life-sciences]) via pip without version pinning. Unpinned installations are vulnerable to supply chain attacks where a malicious version of a package could be published and automatically installed, potentially compromising the user's environment. File: SKILL.md Remediation: Pin package versions explicitly (e.g., 'pip install tiledb-cloud==0.12.0') and consider using a requirements.txt with hashes for reproducible and secure installations.

timesfm-forecasting — 🔵 LOW

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing compatibility Field in Manifest

    The YAML manifest does not specify a compatibility field. While this is a LOW severity informational finding per the analysis framework, the skill has significant hardware requirements (RAM, GPU, disk space) that would benefit from explicit compatibility declarations to prevent misuse on incompatible systems. File: SKILL.md Remediation: Add a compatibility field to the YAML frontmatter specifying minimum hardware requirements, e.g.: compatibility: 'Requires Python 3.10+, 4GB RAM minimum, ~1GB disk for model weights. Works on Linux/macOS/Windows with CPU or CUDA/MPS GPU.'

  • 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage Flagged by Static Analyzer

    The static pre-scan flagged a Python code block using eval/exec. After reviewing all script files in detail, no actual use of eval() or exec() with user-controlled input was found in the provided scripts (check_system.py, forecast_csv.py, demo_covariates.py, detect_anomalies.py, run_forecast.py, visualize_forecast.py, generate_gif.py, generate_html.py, generate_animation_data.py). The static analyzer may have triggered on a false positive within documentation code blocks or the HTML template string in generate_html.py which contains JavaScript (not Python eval/exec). No exploitable command injection pattern was identified. File: examples/global-temperature/generate_html.py Remediation: No immediate action required. Confirm the static analyzer finding is a false positive by reviewing the exact line flagged. If JavaScript within Python string templates is a concern, consider storing the HTML template as a separate .html file rather than embedding it in Python source.

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Restriction for Network/Download Operations

    The skill declares allowed-tools: [Read Write Edit Bash] but the instructions and scripts trigger automatic model weight downloads from HuggingFace (google/timesfm-2.5-200m-pytorch) on first use. While this is expected behavior for a model-loading skill, the allowed-tools declaration does not explicitly account for network access. The skill also uses subprocess calls in check_system.py (sysctl on macOS, vm_stat) which execute system commands. These are legitimate but worth noting. File: scripts/check_system.py Remediation: Document in SKILL.md that network access to HuggingFace is required for model download. The subprocess calls use fixed command strings (no user input interpolation) so they are safe as-is. Consider adding a note about the network requirement in the manifest description.

usfiscaldata — 🔵 LOW

  • 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

    The skill manifest does not declare an 'allowed-tools' field. While this is optional per the spec, the skill makes outbound HTTP requests to the U.S. Treasury API (fiscaldata.treasury.gov) and uses Python/pandas. Without an explicit allowed-tools declaration, there is no manifest-level constraint on what tools the agent may use when executing this skill. File: SKILL.md Remediation: Add 'allowed-tools: [Python]' or appropriate tool restrictions to the YAML frontmatter to document and constrain the skill's tool usage.

  • 🔵 LOW LLM_PROMPT_INJECTION — Multiple Referenced Files Not Found

    The SKILL.md references numerous files (assets/, templates/) that do not exist in the skill package. While the found reference files (references/*.md) appear benign, the missing files represent an incomplete package. If these files were later added with malicious content, the skill would load them as trusted internal resources. The static analyzer also flagged cross-file exfiltration chain patterns across 2 files, though no explicit malicious code was found in the available files. File: SKILL.md Remediation: Remove references to non-existent files from SKILL.md, or include all referenced files in the skill package. Audit the complete file inventory to ensure no unexpected files are present.

  • 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Description

    The skill description claims access to '54 datasets and 182 data tables' and uses extensive keyword baiting (national debt, government spending, revenue, interest rates, exchange rates, savings bonds, Debt to the Penny, Daily Treasury Statements, Monthly Treasury Statements, Treasury securities auctions, foreign exchange rates). While the API does support these datasets, the description is optimized for broad activation across many fiscal data queries, which could lead to over-triggering of the skill in contexts where simpler approaches would suffice. File: SKILL.md Remediation: Narrow the description to core use cases rather than exhaustively listing all possible trigger keywords. This reduces unintended activation.

  • 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Missing Compatibility and Version Metadata

    The skill does not specify compatibility information or library version requirements. The Python examples use 'requests' and 'pandas' without version pins. While no pip install commands are present in the skill itself, the lack of version constraints means the agent may use whatever versions are installed, potentially including vulnerable versions. File: SKILL.md Remediation: Add compatibility metadata and document minimum required library versions (e.g., requests>=2.28.0, pandas>=1.5.0) in the skill documentation.

pydeseq2 — ⚪ INFO

  • ⚪ INFO LLM_ANALYSIS_FAILED — LLM analysis failed

    The LLM analyzer encountered an error and could not complete semantic analysis: litellm.BadRequestError: AnthropicException - {"type":"error","error":{"type":"invalid_request_error","message":"Not Found"},"request_id":"req_011CZxTdutjghfdkjFonD8HZ"} Remediation: Check your LLM provider configuration (API key, model name, network connectivity). The scan completed with static analysis only — LLM-based threat detection was not performed.
