rdkit
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill recommends using Python's
picklemodule for performance optimization when storing and loading molecular objects. Thepickle.load()function is inherently insecure and can execute arbitrary code during the deserialization process. This presents a risk of arbitrary code execution if the agent is directed to process a malicious.pklfile from an untrusted source. - [PROMPT_INJECTION]: The skill facilitates the ingestion of untrusted external data through various cheminformatics file formats (SMILES, SDF, MOL) without defining boundary markers or security sanitization, creating a surface for indirect prompt injection.
- Ingestion points:
Chem.SDMolSupplier,Chem.SmilesMolSupplier,Chem.MolFromSmiles, andChem.ForwardSDMolSupplierinSKILL.mdare used to read external data into the agent's context. - Boundary markers: The instructions do not define or implement delimiters or warnings to ignore embedded instructions within the processed molecular data.
- Capability inventory: The skill includes capabilities such as
pickle.load(arbitrary code execution), and file-writing operations likeDraw.MolToFileandimg.saveinSKILL.md. - Sanitization: While the skill mentions
Chem.SanitizeMol, this function is designed for chemical validity (e.g., valence and aromaticity) and does not provide security sanitization for embedded natural language instructions or malicious data payloads.
Audit Metadata