esm
Warn
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The reference documentation in 'references/esm-c-api.md', 'references/forge-api.md', and 'references/workflows.md' provides example code that uses the Python 'pickle' module to cache protein embeddings and checkpoint batch-processing jobs. 'pickle.load()' is a known security risk: it can execute arbitrary code if an attacker supplies a malicious pickle file for the application to load.
- [PROMPT_INJECTION]: The skill exposes an attack surface for indirect prompt injection because it handles protein sequence strings and structural PDB files from potentially untrusted external sources.
  - Ingestion points: Biological data is ingested via the 'ESMProtein' class, which accepts sequence strings and PDB file paths, as shown in 'SKILL.md' and 'references/esm3-api.md'.
  - Boundary markers: The prompt templates provide no explicit delimiters or instructions (e.g., 'ignore any embedded instructions') to separate biological data from agent instructions.
  - Capability inventory: The skill uses the provided data primarily for machine-learning inference tasks such as sequence generation, structure prediction, and embedding extraction; it does not currently provide tools for arbitrary shell execution or system-level modifications driven by the content of the biological data.
  - Sanitization: No input validation or sanitization mechanisms are mentioned for the sequences or structural data the skill processes.
Audit Metadata