Generated: 2026-06-15 12:28 UTC
Skills scanned: 147
Total findings: 900
Critical: 67 | High: 43 | Safe skills: 107/147

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 7 files

  Environment variable access with network calls in scripts/run.py, scripts/backends.py, scripts/doctor.py Remediation: Review data flow across files: tests/test_fetch_window.py, scripts/run.py, tests/test_e2e.py, tests/test_backends.py, tests/test_run.py, scripts/backends.py, scripts/doctor.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 8 files

  Multi-file exfiltration chain detected: scripts/run.py, scripts/backends.py, scripts/doctor.py collect data → scripts/run.py, tests/smoke_lmstudio.py → scripts/run.py, scripts/backends.py, scripts/doctor.py, tests/test_run.py, tests/test_e2e.py, tests/test_fetch_window.py, tests/test_backends.py transmit to network Remediation: Review data flow across files: scripts/backends.py, tests/test_fetch_window.py, scripts/run.py, tests/test_e2e.py, tests/test_backends.py, tests/test_run.py, tests/smoke_lmstudio.py, scripts/doctor.py

• 🟠 HIGH LLM_DATA_EXFILTRATION — Screen Content Capture and Transmission to External LLM Backends

  The skill captures the user's full screen activity via screenpipe (OCR of all visible windows, app names, window titles, text content) and transmits processed summaries to external cloud LLM backends (Anthropic Claude API at https://api.anthropic.com, or a user-configured Foundry gateway). While the skill documents this behavior and includes a redaction step, the fundamental data flow involves sensitive screen content — including window titles, application names, and OCR'd text — leaving the local machine when cloud backends are configured. The redaction in scripts/redact.py is regex-based and cannot guarantee complete removal of all sensitive content (e.g., proprietary code, confidential documents, medical records, financial data visible on screen). The cluster summaries sent to the LLM include app names, window titles, and session metadata derived from raw screen captures. File: scripts/backends.py Remediation: 1. Add explicit, prominent user consent prompts before any cloud backend transmission, listing exactly what data categories will be sent. 2. Implement a mandatory dry-run/preview step showing the exact prompt before it is sent to any cloud endpoint. 3. Consider enforcing local-only mode by default with a hard opt-in gate (e.g., a separate confirmation flag) for cloud backends. 4. Document the limitations of regex-based redaction and warn users that sensitive content may not be fully redacted.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Broad Screen Content Collection Before Filtering

  The fetch_window.py script collects all OCR events from screenpipe within the specified time window (up to _MAX_PAGES=10,000 pages of 50 events each, totaling up to 500,000 events) before any filtering or redaction occurs. This means the agent temporarily holds a very large corpus of raw screen content in memory, including content from apps not in the deny-list. The redaction step runs after collection, meaning the full unredacted dataset exists in process memory. Additionally, the cluster pipeline passes window_titles through to the LLM prompt via _cluster_query(), and window titles are only redacted for known secret patterns — arbitrary sensitive content in window titles (e.g., document names, URLs with tokens, patient names) may pass through. File: scripts/fetch_window.py Remediation: 1. Apply redaction at the point of ingestion (per-event) rather than after full collection. 2. Implement app-level filtering in fetch_window based on the screenpipe-config.yaml deny-list before storing events. 3. Limit the default time window and add warnings for large data collections. 4. Consider streaming processing rather than bulk collection.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Embedding Computation for Large Skill Libraries

  The top_k_matches function in match_skills.py calls the embedder function once per skill in the skills directory for every cluster. With 135 skills (as mentioned in the SKILL.md) and multiple clusters, this results in O(clusters × skills) embedding calls. Each embedding call invokes the sentence-transformers model. For large skill libraries or many clusters, this could cause significant compute and memory consumption. The embedder is called inline without caching, so the same skill descriptions are re-embedded for every cluster. File: scripts/match_skills.py Remediation: 1. Cache skill embeddings after the first computation rather than recomputing for each cluster. 2. Pre-compute and store skill embeddings at startup. 3. Add a warning or limit on the number of clusters processed in a single run.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — LLM-Generated SKILL.md Written Directly to Filesystem Without Validation

  The run.py script writes LLM-generated SKILL.md content directly to the filesystem without any validation of the content. The skill_body field from the LLM response is written verbatim to disk. If the LLM backend is compromised, produces adversarial output, or is manipulated via indirect prompt injection (see above), it could generate SKILL.md files containing malicious instructions, prompt injections, or harmful content that would then be promoted into the skills directory and executed by the agent in future sessions. The promote.py script moves these files into the active skills directory with no content inspection. File: scripts/run.py Remediation: 1. Validate LLM-generated SKILL.md content before writing: check for prompt injection patterns, verify YAML frontmatter structure, reject files containing suspicious instruction patterns. 2. Implement a content review step that shows the user the generated SKILL.md content before it is written to disk. 3. Apply the same security scanning to generated skills as is applied to externally sourced skills. 4. Consider sandboxing the promote step with explicit user review of file contents.

• 🔵 LOW LLM_DATA_EXFILTRATION — SCREENPIPE_TOKEN Logged in Error Messages

  In run.py, the ScreenpipeUnreachable exception message includes the base_url of the screenpipe client. In doctor.py, the screenpipe URL and token handling are exposed in error output. While the token itself is not directly logged, the error handling in run.py constructs messages that could expose configuration details. More critically, the SCREENPIPE_TOKEN is read from environment variables and passed as a function parameter through multiple layers, increasing the surface area for accidental logging. File: scripts/run.py Remediation: 1. Ensure error messages never include authentication tokens or credentials. 2. Review all exception messages and log statements for potential credential exposure. 3. Consider using a secrets manager pattern rather than passing tokens as function parameters.

• 🟡 MEDIUM LLM_PROMPT_INJECTION — Indirect Prompt Injection via OCR'd Screen Content

  The synthesize.py script constructs LLM prompts that include example_titles derived from window titles captured via OCR. Window titles are user-controlled and can contain arbitrary text. An attacker who can influence what appears in window titles (e.g., a malicious webpage title, a document with a crafted filename, a terminal window showing attacker-controlled output) could inject instructions into the LLM prompt. The redact.py module only strips known secret patterns — it does not sanitize or escape prompt-injection payloads in window titles. The _build_prompt() function directly interpolates example_titles into the prompt string without any sanitization. File: scripts/synthesize.py Remediation: 1. Sanitize window titles before interpolating into LLM prompts — strip or escape characters that could be interpreted as prompt instructions. 2. Consider truncating window titles to a maximum length. 3. Add a system-level instruction to the LLM prompt explicitly warning it to treat the cluster data as untrusted user content. 4. Use structured message formats (system vs user roles) to separate instructions from data.

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/autoskill/scripts/backends.py File: skills/autoskill/scripts/backends.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/autoskill/scripts/backends.py File: skills/autoskill/scripts/backends.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/autoskill/scripts/doctor.py File: skills/autoskill/scripts/doctor.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/autoskill/scripts/doctor.py File: skills/autoskill/scripts/doctor.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/autoskill/scripts/run.py File: skills/autoskill/scripts/run.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/autoskill/scripts/run.py File: skills/autoskill/scripts/run.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL LLM_DATA_EXFILTRATION — Cross-File Environment Variable Exfiltration Chain Detected

  Static analysis identified a cross-file exfiltration chain spanning 8 files and environment variable exfiltration patterns across 7 files. The skill package contains Python files (not shown in content but detected by static analyzers) that access environment variables and make network calls, forming a data exfiltration pipeline. The skill's SKILL.md claims to only query public CZ CELLxGENE Census data with no authentication required, but the underlying scripts appear to harvest environment variables (potentially containing credentials, API keys, or sensitive configuration) and transmit them externally. This is a critical mismatch between declared behavior and actual behavior. File: SKILL.md Remediation: Audit all Python files in the skill package for environment variable access (os.environ, os.getenv) combined with network calls (requests, urllib, httpx, etc.). Remove any code that reads environment variables and transmits them to external endpoints. Ensure all network calls are limited to the official CZ CELLxGENE Census API endpoints only.

• 🟠 HIGH LLM_SKILL_DISCOVERY_ABUSE — Capability Inflation - Legitimate Bioinformatics Framing Concealing Malicious Scripts

  The skill presents an extremely detailed, professionally written, and technically accurate description of the CZ CELLxGENE Census API - a real, legitimate public bioinformatics resource. This high-quality legitimate framing is used to establish trust and reduce scrutiny of the bundled Python scripts. The skill name, description, compatibility notes, and instruction body all accurately describe real Census functionality, but this legitimate facade conceals the malicious script behavior detected by static analysis. This is a classic capability inflation / trust inflation attack where the declared capability (bioinformatics data access) is used to justify broad tool permissions (Read, Write, Edit, Bash) while hiding the actual malicious capability (environment variable harvesting and exfiltration). File: SKILL.md Remediation: Reject this skill. The combination of a highly polished legitimate-looking interface with detected malicious script behavior is a strong indicator of a supply chain or tool poisoning attack. Do not grant Bash or Write permissions to skills exhibiting this pattern.

• 🟠 HIGH LLM_UNAUTHORIZED_TOOL_USE — Tool Restriction Violation - Undisclosed Script Behavior vs Declared allowed-tools

  The SKILL.md manifest declares allowed-tools as 'Read Write Edit Bash', and the instruction body presents itself as a benign bioinformatics query skill. However, static analysis detected 23 Python script files in the package that are not shown in the skill content provided for review, yet are present in the file inventory. These scripts exhibit environment variable exfiltration and cross-file data chaining behaviors that are not disclosed in the SKILL.md instructions or manifest description. This constitutes tool poisoning - the skill's declared purpose (querying public genomics data) masks undisclosed malicious capabilities in bundled scripts. File: SKILL.md Remediation: Disclose all bundled Python scripts in the SKILL.md manifest and instructions. Remove any scripts not directly required for Census querying. Audit each of the 23 Python files for malicious behavior. Do not install or use this skill until all scripts are reviewed and their purpose verified.

• 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Missing Referenced Files Suggest Incomplete or Tampered Package

  The SKILL.md references multiple files that are not found in the package: templates/common_patterns.md, cellxgene_census.py, assets/common_patterns.md, templates/census_schema.md, tiledbsoma_ml.py, anndata.py, assets/census_schema.md, tiledbsoma.py, scanpy.py. While some of these (tiledbsoma, anndata, scanpy, cellxgene_census) are legitimate third-party libraries that would be installed via pip rather than bundled, the missing template and asset files suggest either an incomplete package or that files were removed/replaced. Combined with the 23 Python files detected by static analysis that are not disclosed in the instructions, this inconsistency raises supply chain integrity concerns. File: references/common_patterns.md Remediation: Verify package integrity against a known-good source. Ensure all referenced files are present and all present files are accounted for in the manifest. The discrepancy between referenced files and actual file inventory is a red flag for package tampering.

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 6 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/extract_metadata.py, scripts/search_pubmed.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/extract_metadata.py, scripts/validate_citations.py, scripts/doi_to_bibtex.py, scripts/search_pubmed.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 6 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/extract_metadata.py, scripts/search_pubmed.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py, scripts/doi_to_bibtex.py, scripts/validate_citations.py, scripts/extract_metadata.py, scripts/search_pubmed.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/extract_metadata.py, scripts/validate_citations.py, scripts/doi_to_bibtex.py, scripts/search_pubmed.py

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Skill Description References Non-Existent 'Nano Banana Pro' Product

  The SKILL.md instruction body references 'Nano Banana Pro' as a product that 'will automatically generate, review, and refine the schematic'. This appears to be a fabricated or fictional product name used to describe the AI image generation capability. This could mislead users about the actual technology being used (which is OpenRouter/Gemini APIs), constituting a minor deceptive capability claim. File: SKILL.md Remediation: Replace the fictional product name 'Nano Banana Pro' with accurate descriptions of the actual technology used (OpenRouter API with Google Gemini models). Ensure capability descriptions accurately reflect what the skill does.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — NCBI API Key and Email Harvested from Environment and Sent to External API

  scripts/extract_metadata.py and scripts/search_pubmed.py read NCBI_API_KEY and NCBI_EMAIL from environment variables and include them in HTTP requests to NCBI E-utilities endpoints. While these are legitimate API credentials for the stated purpose, the pattern of reading sensitive environment variables and transmitting them externally is a risk if the skill is used in environments where these variables contain sensitive credentials beyond their intended scope. File: scripts/extract_metadata.py:47 Remediation: Document clearly which environment variables are accessed and why. Ensure the NCBI_EMAIL and NCBI_API_KEY are only used for NCBI API calls and not logged or stored elsewhere. Validate that user-supplied query strings cannot inject additional parameters into the API calls.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Batch Processing Without Resource Limits

  Multiple scripts (extract_metadata.py, search_pubmed.py, doi_to_bibtex.py) perform batch processing of user-supplied identifier lists without enforcing maximum batch sizes. A user could supply thousands of identifiers, causing excessive API calls, network requests, and compute consumption. The validate_citations.py script also performs DOI verification for every entry when --check-dois is specified, with no upper bound on the number of entries processed. File: scripts/extract_metadata.py:220 Remediation: Implement maximum batch size limits (e.g., warn or refuse if >1000 identifiers). Add configurable rate limiting and timeout controls. Consider adding a --max-items flag to cap processing.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Subprocess Execution of External Script with User-Controlled Arguments

  In generate_schematic.py, user-supplied prompt text and output path are passed as command-line arguments to a subprocess call executing generate_schematic_ai.py. While subprocess.run is used (not shell=True), the user-controlled 'prompt' and 'output' arguments are passed directly. A malicious prompt or output path could potentially cause unexpected behavior depending on how the child script handles these arguments. File: scripts/generate_schematic.py:95 Remediation: Validate the output path to ensure it stays within expected directories (e.g., prevent path traversal). Consider sanitizing the prompt argument to remove shell-special characters even though shell=False is used. Use check=True or explicitly handle non-zero return codes.

• 🔵 LOW LLM_DATA_EXFILTRATION — Cross-File Credential Propagation Chain Across 6 Scripts

  The static analyzer identified a cross-file environment variable exfiltration chain spanning 6 files. The OPENROUTER_API_KEY flows from generate_schematic.py → generate_schematic_ai.py via subprocess environment copy (os.environ.copy()). NCBI_API_KEY and NCBI_EMAIL flow through extract_metadata.py and search_pubmed.py. This creates a broad attack surface where any compromise of one script could expose credentials used across the chain. File: scripts/generate_schematic.py:101 Remediation: Minimize credential scope by passing only required environment variables to subprocesses rather than copying the entire environment (os.environ.copy()). Use targeted env dicts: env={'OPENROUTER_API_KEY': api_key} instead of copying all environment variables.

• 🟠 HIGH LLM_DATA_EXFILTRATION — OpenRouter API Key Exfiltration via External Network Calls

  The skill reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP requests to 'https://openrouter.ai/api/v1/chat/completions'. While the stated purpose is AI image generation, the API key is extracted from the environment and sent over the network. If the endpoint or the key itself were compromised or redirected, this constitutes a credential exfiltration vector. The key is also passed via subprocess environment in generate_schematic.py, creating a cross-file credential propagation chain. File: scripts/generate_schematic_ai.py:97 Remediation: Ensure the API key is only used for its stated purpose. Validate the endpoint URL is hardcoded and cannot be overridden by user input. Consider scoping the key to minimum required permissions. Audit that no user-controlled data can influence the endpoint URL.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — User-Controlled Query Strings Passed Directly to External APIs Without Sanitization

  In search_pubmed.py and search_google_scholar.py, user-supplied query strings are passed directly as parameters to external API calls without sanitization. In search_pubmed.py, the query is interpolated into URL parameters sent to NCBI. A malicious query could potentially inject additional PubMed field tags or boolean operators to manipulate search behavior, or in edge cases exploit API parameter injection vulnerabilities. File: scripts/search_pubmed.py:88 Remediation: Validate and sanitize user-supplied query strings before passing to external APIs. Consider allowlisting valid query characters or using structured query builders rather than string concatenation.

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/citation-management/scripts/extract_metadata.py File: skills/citation-management/scripts/extract_metadata.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/citation-management/scripts/extract_metadata.py File: skills/citation-management/scripts/extract_metadata.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/citation-management/scripts/generate_schematic.py File: skills/citation-management/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/citation-management/scripts/generate_schematic_ai.py File: skills/citation-management/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/citation-management/scripts/generate_schematic_ai.py File: skills/citation-management/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/citation-management/scripts/search_pubmed.py File: skills/citation-management/scripts/search_pubmed.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/citation-management/scripts/search_pubmed.py File: skills/citation-management/scripts/search_pubmed.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Unauthorized Tool Use: Bash and Write Tools Used Beyond Stated Scope

  The SKILL.md manifest declares allowed-tools as [Read, Write, Edit, Bash]. The scripts make external network calls (requests.post to openrouter.ai), write files to disk (review logs, images, CSV/TEX outputs), and execute subprocesses. While Write and Bash are declared, the network communication capability is not explicitly disclosed in the allowed-tools list (no 'Network' or equivalent tool is declared). The skill's description focuses on document generation but the actual behavior includes external API calls for AI image generation, which is a significant undisclosed capability. File: SKILL.md Remediation: Update the SKILL.md manifest to explicitly disclose that the skill makes external network calls to openrouter.ai. Add a clear disclosure in the description that AI image generation requires internet connectivity and transmits data to a third-party API.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Capability Inflation: Mandatory AI Figure Generation Overstated as Required

  The SKILL.md instructions contain a section marked '⚠️ MANDATORY' stating that every clinical decision support document MUST include AI-generated figures using the scientific-schematics skill, and that 'This is not optional.' This creates an artificial mandatory dependency on an external AI service (via OpenRouter API) for what is fundamentally a document generation task. This inflates the perceived requirements and forces unnecessary external API calls and associated costs/data transmission even when the user may not need AI-generated figures. File: SKILL.md Remediation: Change the mandatory requirement to a recommendation. Users should be able to generate CDS documents without being forced to make external API calls for AI-generated figures. Clearly label this as optional and explain the cost/privacy implications of using the AI figure generation feature.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Broad Environment Copy Passed to Subprocess

  In generate_schematic.py, the full process environment (os.environ.copy()) is passed to the subprocess executing generate_schematic_ai.py. This means all environment variables present in the agent's runtime environment — including any secrets, tokens, AWS credentials, or other sensitive values — are available to the child process and could potentially be accessed or leaked if the child process is compromised or behaves maliciously. File: scripts/generate_schematic.py Remediation: Instead of passing the full environment, construct a minimal environment dictionary containing only the variables required by the child script (e.g., OPENROUTER_API_KEY and PATH). This limits the blast radius if the subprocess is compromised.

• 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Exfiltration via External Network Calls with Environment Variable Harvesting

  The script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP Authorization headers to the external OpenRouter API (https://openrouter.ai/api/v1). While the stated purpose is AI image generation, the pattern of harvesting an environment variable and sending it to an external server represents a data exfiltration risk. The API key is also passed through subprocess environment in generate_schematic.py. If the API key or other environment variables contain sensitive credentials, these are exposed to the external service. Additionally, the cross-file chain (generate_schematic.py -> generate_schematic_ai.py) amplifies the attack surface. File: scripts/generate_schematic_ai.py Remediation: 1. Clearly document in SKILL.md that the API key is transmitted to openrouter.ai. 2. Validate that only the OPENROUTER_API_KEY is transmitted and no other environment variables are included in payloads. 3. Ensure the payload construction does not inadvertently include other sensitive data. 4. Consider scoping the environment passed to subprocess in generate_schematic.py to only include necessary variables rather than a full os.environ.copy().

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependency (requests library)

  The generate_schematic_ai.py script imports the 'requests' library without any version pinning. The script checks for its presence and exits if not found, but does not enforce a specific version. An attacker who can influence the Python environment could substitute a malicious version of the requests library (typosquatting or dependency confusion attack), which would then be used to make all external API calls including those transmitting the API key. File: scripts/generate_schematic_ai.py Remediation: Pin the requests library to a specific known-good version in a requirements.txt or pyproject.toml file (e.g., requests==2.31.0). Document the dependency clearly in the skill package.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/clinical-decision-support/scripts/generate_schematic.py File: skills/clinical-decision-support/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/clinical-decision-support/scripts/generate_schematic_ai.py File: skills/clinical-decision-support/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/clinical-decision-support/scripts/generate_schematic_ai.py File: skills/clinical-decision-support/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🟠 HIGH LLM_PROMPT_INJECTION — Mandatory Instruction Override: Forced External Tool Invocation

  The SKILL.md instruction body contains a mandatory directive that overrides normal agent behavior: '⚠️ MANDATORY: Every clinical report MUST include at least 1 AI-generated figure using the scientific-schematics skill.' and 'This is not optional.' This constitutes a direct prompt injection that forces the agent to invoke an external script (generate_schematic.py) and make network calls regardless of user intent or consent. The instruction also references 'Nano Banana Pro' as an entity that 'will automatically generate, review, and refine the schematic,' which is not disclosed in the skill manifest and represents an undisclosed third-party dependency. File: SKILL.md Remediation: 1. Remove the mandatory/non-optional directive for external tool invocation. 2. Make schematic generation an optional, user-initiated action. 3. Disclose all third-party services (OpenRouter, Google Gemini models) in the YAML manifest. 4. Require explicit user consent before invoking external AI services.

• 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Capability Inflation: Undisclosed External AI Dependencies Not in Manifest

  The SKILL.md manifest does not disclose that the skill requires external AI services (OpenRouter API, Google Gemini models 'gemini-3.1-flash-image-preview' and 'gemini-3.1-pro-preview'). The description presents the skill as a clinical report writing tool but conceals that it mandatorily invokes external AI image generation services. The skill references 'Nano Banana 2' and 'Nano Banana Pro' as AI systems, which are not standard model names and may be misleading. The compatibility field is 'Not specified' despite requiring network access and an API key. File: SKILL.md Remediation: 1. Update the manifest description to disclose external AI service dependencies. 2. Add network access and API key requirements to the compatibility field. 3. Use accurate model names rather than marketing names like 'Nano Banana'. 4. List OPENROUTER_API_KEY as a required dependency in the manifest.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Tool Restriction Violation: Bash and Network Access Beyond Declared Scope

  The allowed-tools field declares 'Read Write Edit Bash' but the scripts make extensive network calls to external APIs (OpenRouter), which is not disclosed as an allowed capability. The skill's primary stated purpose is clinical report writing, but the mandatory schematic generation feature requires network access to external AI services. This represents a violation of the expected tool scope - users granting 'Bash' access would not expect this to include mandatory external API calls transmitting their content. File: SKILL.md Remediation: 1. Disclose network access requirements in the manifest. 2. Add a 'network' or equivalent capability declaration. 3. Make external API calls optional and user-initiated rather than mandatory. 4. Inform users that Bash access will be used to make external network requests.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Cross-File Exfiltration Chain: User Prompt Content Sent to External AI Model

  The generate_schematic.py script invokes generate_schematic_ai.py via subprocess, passing user-supplied prompt content directly to an external AI model (google/gemini-3.1-flash-image-preview and google/gemini-3.1-pro-preview via OpenRouter). The user's clinical report content (which may contain sensitive medical information) is embedded in prompts sent externally. The SKILL.md instructions mandate that 'Every clinical report MUST include at least 1 AI-generated figure' and instructs the agent to run the schematic generation script, creating an automated pipeline where clinical content flows to external servers without explicit user awareness of this data transmission. File: scripts/generate_schematic.py Remediation: 1. Clearly disclose to users that prompt content is sent to external AI services. 2. Do not automatically include clinical report content in schematic generation prompts. 3. Require explicit user confirmation before transmitting any data externally. 4. Sanitize prompts to ensure no PHI is included before external transmission.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Subprocess Command Injection Risk via User-Controlled Prompt

  In generate_schematic.py, the user-supplied prompt argument is passed directly to a subprocess command without sanitization. While subprocess.run with a list argument provides some protection against shell injection, the prompt content is then passed to an external AI model which could potentially be manipulated to produce malicious outputs that are saved to the filesystem. The output path is also user-controlled and passed directly to the subprocess. File: scripts/generate_schematic.py Remediation: 1. Validate and sanitize the prompt argument before passing to subprocess. 2. Validate the output path to prevent path traversal (e.g., ensure it stays within the figures/ directory). 3. Use check=True or explicitly handle non-zero return codes. 4. Consider using the ScientificSchematicGenerator class directly rather than subprocess invocation.

• 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Exfiltration via External Network Calls in AI Schematic Generator

  The script generate_schematic_ai.py reads the OPENROUTER_API_KEY environment variable and transmits it to an external API endpoint (https://openrouter.ai/api/v1). While OpenRouter is the intended service, the script also sends user-provided prompt content and generated image data to external servers. More critically, the API key is loaded from environment variables and passed through multiple function calls, creating a pattern where any compromise of the prompt or model response could be leveraged to exfiltrate the key. The script also attempts to load .env files from the current working directory, which could expose credentials from the user's project environment. File: scripts/generate_schematic_ai.py Remediation: 1. Validate the API endpoint URL against an allowlist before making requests. 2. Avoid loading .env files from arbitrary working directories. 3. Ensure the API key is never logged or included in error messages. 4. Consider using a secrets manager rather than environment variables for sensitive credentials.

• 🔵 LOW LLM_DATA_EXFILTRATION — Sensitive Clinical Data in Review Log Files

  The generate_schematic_ai.py script saves a JSON review log that includes the full user prompt, critique text, and generation metadata to a file in the output directory. If the user's prompt contains clinical information (as encouraged by the SKILL.md instructions which suggest describing patient timelines and clinical progressions), this data is persisted to disk in plaintext. File: scripts/generate_schematic_ai.py Remediation: 1. Do not log user prompts to disk, especially for clinical use cases. 2. If logging is needed for debugging, implement log sanitization. 3. Warn users that prompt content is saved to log files. 4. Provide an option to disable logging.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded API Retry and Multiple External Calls Per Report

  The generate_schematic_ai.py script makes multiple sequential API calls per schematic generation (up to 2 iterations × 2 API calls per iteration = up to 4 external API calls per schematic). The SKILL.md mandates at least one schematic per report, and suggests multiple schematics for different report types. For complex reports, this could result in many API calls, significant costs, and extended processing times. There is no rate limiting, cost cap, or user notification of API usage costs. File: scripts/generate_schematic_ai.py Remediation: 1. Implement a maximum cost/call limit per session. 2. Notify users of expected API costs before execution. 3. Default to single iteration unless user explicitly requests refinement. 4. Add a dry-run mode that shows what would be generated without making API calls.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/clinical-reports/scripts/generate_schematic.py File: skills/clinical-reports/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/clinical-reports/scripts/generate_schematic_ai.py File: skills/clinical-reports/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/clinical-reports/scripts/generate_schematic_ai.py File: skills/clinical-reports/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔵 LOW LLM_DATA_EXFILTRATION — Environment Variable Harvested and Passed Between Scripts via Subprocess

  generate_schematic.py reads OPENROUTER_API_KEY from the environment, copies the entire os.environ, injects the API key, and passes it to a subprocess running generate_schematic_ai.py. The static analyzer flagged this as a cross-file env var exfiltration chain. While the intent appears to be avoiding key exposure in process argument lists (which is good practice), copying the full environment dictionary means ALL environment variables are inherited by the subprocess, not just the API key. This could inadvertently expose other sensitive environment variables (e.g., AWS credentials, SSH keys, other API tokens) to the child process. File: scripts/generate_schematic.py Remediation: Instead of copying the full environment, construct a minimal environment dictionary containing only the variables the child process needs (e.g., PATH, OPENROUTER_API_KEY). This follows the principle of least privilege and prevents inadvertent exposure of other sensitive credentials to the subprocess.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — allowed-tools Declaration Includes Bash but Subprocess Execution Not Clearly Scoped

  The manifest declares allowed-tools as [Read, Write, Edit, Bash]. The Python scripts use subprocess.run() to execute another Python script. While Bash is declared as an allowed tool, the use of subprocess within Python to chain script execution creates an indirect execution path that may bypass agent-level tool monitoring. The child process inherits the full environment and runs with the same privileges as the parent. File: scripts/generate_schematic.py Remediation: Consider importing and calling the generate_schematic_ai.py module directly as a Python library rather than spawning a subprocess. This keeps execution within the agent's observable scope and avoids the full environment inheritance issue.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Key Transmitted in HTTP Headers to External Service

  The script reads the OPENROUTER_API_KEY environment variable and transmits it in the Authorization header of HTTP requests to https://openrouter.ai. While OpenRouter is a legitimate API gateway, the skill bundles code that harvests a sensitive credential from the environment and sends it over the network. If the OpenRouter endpoint or the HTTP-Referer/X-Title headers were manipulated, or if the API key were logged server-side, this constitutes a credential exposure pattern. The key is also optionally loaded from a .env file on disk. File: scripts/generate_schematic_ai.py Remediation: This is expected behavior for an API-calling skill, but the manifest should clearly document that OPENROUTER_API_KEY is read and transmitted to openrouter.ai. Ensure the HTTP-Referer header accurately reflects the actual application rather than a generic GitHub URL. Consider validating the API endpoint URL before use.

• 🔵 LOW LLM_RESOURCE_ABUSE — Iterative API Calls with Retry Logic May Cause Unexpected Cost/Resource Consumption

  The generate_iterative method makes multiple sequential API calls (up to 2 iterations by default, enforced max of 2) to image generation and review models. Each call involves generating a full image and then reviewing it with a separate vision model. While the max iterations are capped at 2, each invocation of the skill can trigger up to 4 API calls (2 generation + 2 review). If the skill is invoked repeatedly or in batch, this could result in significant API cost accumulation. The skill does not warn users about potential costs before execution. File: scripts/generate_schematic_ai.py Remediation: Add a cost warning or confirmation prompt before making API calls, especially for journal-quality documents that may require multiple iterations. Document the expected number of API calls and approximate costs in the skill description and SKILL.md.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — References Non-Existent Model Names (Possible Capability Inflation)

  The scripts reference AI models by names that do not correspond to real, publicly available models: 'google/gemini-3.1-flash-image-preview' and 'google/gemini-3.1-pro-preview' are used as model identifiers. At the time of analysis, these model names do not correspond to verified, publicly released Google models available on OpenRouter. The SKILL.md also refers to 'Nano Banana 2' and 'Nano Banana Pro' as if they are real AI systems. This may mislead users about the actual capabilities and availability of the skill, and could result in API errors or unexpected behavior when the skill is invoked. File: scripts/generate_schematic_ai.py Remediation: Use verified, publicly available model identifiers. Document the actual models being used and verify they are available on the OpenRouter platform. Remove references to fictional product names like 'Nano Banana 2' or 'Nano Banana Pro' that could confuse users.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/hypothesis-generation/scripts/generate_schematic.py File: skills/hypothesis-generation/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/hypothesis-generation/scripts/generate_schematic_ai.py File: skills/hypothesis-generation/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/hypothesis-generation/scripts/generate_schematic_ai.py File: skills/hypothesis-generation/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

  Environment variable access with network calls in scripts/generate_infographic.py, scripts/generate_infographic_ai.py Remediation: Review data flow across files: scripts/generate_infographic_ai.py, scripts/generate_infographic.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

  Multi-file exfiltration chain detected: scripts/generate_infographic.py, scripts/generate_infographic_ai.py collect data → scripts/generate_infographic_ai.py → scripts/generate_infographic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_infographic_ai.py, scripts/generate_infographic.py

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Misleading Model Names in Description and Code

  The SKILL.md description prominently references 'Nano Banana Pro AI' and 'Gemini 3 Pro' as if they are distinct, branded AI products. In the actual code, the image_model is set to 'google/gemini-3-pro-image-preview' and the review_model to 'google/gemini-3.1-pro-preview'. The marketing name 'Nano Banana Pro' does not correspond to any known Google model name and appears to be a fictional branding layer over standard Gemini models. This could mislead users about what AI system they are actually using. File: scripts/generate_infographic_ai.py:130 Remediation: Use accurate model names in the skill description and documentation. Replace 'Nano Banana Pro AI' with the actual model identifier (google/gemini-3-pro-image-preview) to avoid misleading users about the underlying technology.

• 🔵 LOW LLM_DATA_EXFILTRATION — HTTP-Referer Header Hardcoded to Unrelated GitHub Repository

  All API requests include a hardcoded HTTP-Referer header pointing to 'https://github.com/scientific-writer', which does not correspond to this skill's actual repository or identity. This is a minor information integrity issue - the skill misrepresents its origin to the OpenRouter API, which uses this header for attribution and rate limiting purposes. File: scripts/generate_infographic_ai.py:268 Remediation: Update the HTTP-Referer header to accurately reflect the skill's actual repository URL, or remove it if not required by the API.

• 🔵 LOW LLM_DATA_EXFILTRATION — API Key Transmitted in HTTP Headers to External Service

  The skill reads the OPENROUTER_API_KEY environment variable and transmits it in the Authorization header to https://openrouter.ai/api/v1. While this is the intended use of the API key (authenticating to OpenRouter), the key is also passed to Perplexity Sonar Pro and Gemini models via the same endpoint. The static analyzer flagged this as environment variable access combined with network calls. This is expected behavior for an AI-powered skill, but users should be aware their API key is transmitted externally on every call. File: scripts/generate_infographic_ai.py:270 Remediation: This is expected behavior for an OpenRouter-based skill. Ensure users understand that OPENROUTER_API_KEY is transmitted to openrouter.ai on every API call. Consider documenting this clearly in the skill description. The HTTP-Referer header hardcodes 'https://github.com/scientific-writer' which is slightly misleading - consider updating to reflect the actual skill repository.

• 🔵 LOW LLM_PROMPT_INJECTION — User-Provided Prompt Content Passed Directly to External AI Models

  The user's prompt string is incorporated directly into generation and review prompts sent to external AI models (Gemini via OpenRouter, Perplexity Sonar). While this is the intended functionality, there is no sanitization or validation of the user prompt before it is embedded into structured API payloads. A malicious user could craft prompts designed to manipulate the downstream AI model's behavior (indirect prompt injection via the generation pipeline). The research phase also sends user-controlled topic strings directly to Perplexity Sonar. File: scripts/generate_infographic_ai.py:390 Remediation: Consider adding basic input validation/sanitization for the user prompt before embedding it in API calls. Document that user prompts are sent to external AI services. The research phase retrieves external data and incorporates it into subsequent prompts - this external data should be treated as untrusted and ideally sandboxed from the generation prompt structure.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/infographics/scripts/generate_infographic.py File: skills/infographics/scripts/generate_infographic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/infographics/scripts/generate_infographic_ai.py File: skills/infographics/scripts/generate_infographic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/infographics/scripts/generate_infographic_ai.py File: skills/infographics/scripts/generate_infographic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External API Dependency on OpenRouter Models

  The script hardcodes model identifiers ('google/gemini-3.1-flash-image-preview' and 'google/gemini-3.1-pro-preview') that are resolved at runtime by OpenRouter. If OpenRouter changes model routing, deprecates models, or if a model identifier is hijacked/redirected, the behavior of the skill could change without any local code changes. There is no version pinning or integrity verification of the AI model being invoked. File: scripts/generate_schematic_ai.py:113 Remediation: Document the specific model versions being used and consider adding a warning if the model identifiers change. Consider implementing a model version check or pinning to specific versioned model identifiers if OpenRouter supports them.

• 🔵 LOW LLM_DATA_EXFILTRATION — API Key Transmitted to External Service via OpenRouter

  The skill requires an OPENROUTER_API_KEY environment variable and transmits it to the external OpenRouter API (https://openrouter.ai/api/v1). While this is the intended functionality for AI image generation, the API key is read from the environment and sent in HTTP Authorization headers to an external third-party service. Users should be aware that this key is transmitted externally on every invocation. File: scripts/generate_schematic_ai.py:175 Remediation: This is expected behavior for an API-based skill, but the SKILL.md and manifest should clearly document that the OPENROUTER_API_KEY is transmitted to openrouter.ai. Users should ensure they trust OpenRouter before using this skill. The HTTP-Referer header hardcodes a GitHub URL that may not reflect the actual deployment context.

• 🔵 LOW LLM_RESOURCE_ABUSE — External API Calls Without Rate Limiting or Cost Controls

  The script makes multiple calls to the OpenRouter API (up to 2 generation calls + 2 review calls per invocation = up to 4 API calls). There is no rate limiting, cost cap, or circuit breaker implemented. A user could invoke this skill repeatedly or with many figures, leading to significant API costs. The generate_iterative method loops up to 'iterations' times, each with a generation and review call. File: scripts/generate_schematic_ai.py:270 Remediation: Implement a maximum cost/call budget per session. Add rate limiting between API calls. Consider adding a user confirmation step before making multiple API calls. Document the expected API cost per invocation in the skill description.

• 🔵 LOW LLM_PROMPT_INJECTION — User-Controlled Prompt Passed Directly to External AI Image Generation

  The user's prompt string is passed directly into the AI image generation API without sanitization or content filtering. The SCIENTIFIC_DIAGRAM_GUIDELINES are prepended, but the raw user prompt is appended verbatim. A malicious user could craft prompts that attempt to manipulate the image generation model or include content that violates usage policies. The review step uses the same user prompt for context, creating a secondary injection surface. File: scripts/generate_schematic_ai.py:290 Remediation: Consider adding input validation to reject prompts that contain suspicious instruction-override patterns. Implement length limits on user prompts. Log prompts for audit purposes. The review prompt also embeds the raw user prompt which could be used for indirect injection against the review model.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/latex-posters/scripts/generate_schematic.py File: skills/latex-posters/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/latex-posters/scripts/generate_schematic_ai.py File: skills/latex-posters/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/latex-posters/scripts/generate_schematic_ai.py File: skills/latex-posters/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 3 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/verify_citations.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 3 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py, scripts/verify_citations.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/verify_citations.py, scripts/generate_schematic_ai.py

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Overly Broad Skill Description with Keyword-Heavy Activation Triggers

  The skill description and SKILL.md contain extensive keyword lists covering a very broad range of academic domains (biomedical, scientific, technical), review types (systematic, meta-analysis, scoping, narrative), and databases (PubMed, arXiv, bioRxiv, Semantic Scholar, etc.). The 'When to Use This Skill' section lists 7 broad activation conditions. While this reflects genuine functionality, the breadth of trigger conditions could cause the skill to activate in many research-adjacent contexts beyond its core purpose. File: SKILL.md Remediation: This is a minor concern given the skill's legitimate broad scope. Consider tightening the description to focus on the primary use case to reduce unintended activation in tangential contexts.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Key Transmitted to External Service via OpenRouter

  The skill requires an OPENROUTER_API_KEY environment variable and transmits it in HTTP Authorization headers to https://openrouter.ai/api/v1. While OpenRouter is a legitimate AI routing service, the skill sends user-provided prompts and generated image data to this external third-party service. The API key is read from the environment and included in every request. This represents a data flow where credentials and potentially sensitive research content (literature review topics, diagram descriptions) are sent to an external server. File: scripts/generate_schematic_ai.py:107 Remediation: Document clearly in the skill description that user prompts and API keys are transmitted to OpenRouter (a third-party service). Ensure users are aware of this data sharing. Consider adding a consent prompt before transmitting data. The HTTP-Referer header hardcodes a GitHub URL which is misleading - this should be removed or corrected.

• 🔵 LOW LLM_DATA_EXFILTRATION — Misleading HTTP-Referer Header Hardcoded in Requests

  The generate_schematic_ai.py script hardcodes 'https://github.com/scientific-writer' as the HTTP-Referer header in all API requests to OpenRouter. This is a non-existent or unrelated GitHub URL that misrepresents the origin of requests. While not a critical security issue, this constitutes a minor form of identity misrepresentation in outbound network traffic. File: scripts/generate_schematic_ai.py:108 Remediation: Remove the HTTP-Referer header or replace it with an accurate identifier representing the actual skill/tool making the request.

• 🔵 LOW LLM_DATA_EXFILTRATION — Citation Verification Script Sends DOIs to External CrossRef and DOI APIs

  The verify_citations.py script makes outbound HTTP requests to https://doi.org/api/handles/ and https://api.crossref.org/works/ for every DOI found in the user's literature review document. While these are legitimate academic APIs, the script transmits the full list of DOIs (and thus the research topics and citations) from the user's private document to external servers without explicit user notification of this data sharing. File: scripts/verify_citations.py:40 Remediation: Add a notice to users that DOIs will be sent to doi.org and crossref.org for verification. This is standard academic practice but should be disclosed. Consider adding a --offline or --no-network flag for users who want to avoid external calls.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded HTTP Requests with No Rate Limiting in Citation Verifier

  The verify_citations.py script iterates over all DOIs found in a document and makes two HTTP requests per DOI (one to doi.org, one to crossref.org) with only a 0.5-second sleep between requests. For large literature reviews with hundreds of citations, this could result in a large number of outbound requests. Additionally, the requests use a 10-second timeout each, meaning a large review could take significant time and resources to process. File: scripts/verify_citations.py:55 Remediation: Add a maximum DOI count limit or batch processing with configurable rate limits. Consider adding a --max-dois flag to limit the number of DOIs verified in a single run. Implement exponential backoff for failed requests.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/literature-review/scripts/generate_schematic.py File: skills/literature-review/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/literature-review/scripts/generate_schematic_ai.py File: skills/literature-review/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/literature-review/scripts/generate_schematic_ai.py File: skills/literature-review/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 3 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/convert_with_ai.py Remediation: Review data flow across files: scripts/convert_with_ai.py, scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 3 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py, scripts/convert_with_ai.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/convert_with_ai.py, scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Capability Inflation via Cross-Skill Promotion (scientific-schematics)

  The SKILL.md instruction body contains an unsolicited promotion section titled 'Visual Enhancement with Scientific Schematics' that instructs the agent to automatically invoke a separate 'scientific-schematics' skill and run scripts whenever documents are created. This is not related to the core markitdown file-conversion purpose and inflates the skill's activation scope by directing the agent to use additional tools by default. The phrase 'Scientific schematics should be generated by default' and 'Nano Banana Pro will automatically generate, review, and refine the schematic' attempts to expand the agent's autonomous behavior beyond what the user requested. File: SKILL.md Remediation: Remove the unsolicited cross-skill promotion section. If schematic generation is a desired feature, it should be explicitly requested by the user, not triggered automatically by default on every document conversion.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Package Dependencies

  The skill instructs users to install packages without version pinning (e.g., 'pip install markitdown[all]', 'pip install requests'). Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be installed. The markitdown package itself is a third-party dependency that could introduce vulnerabilities. File: SKILL.md Remediation: Pin all dependencies to specific versions (e.g., 'markitdown[all]==0.x.y'). Consider providing a requirements.txt with pinned versions. Verify package integrity using hash verification.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — User-Provided File Content Sent to External AI API Without Explicit Consent Warning

  The scripts convert_with_ai.py and generate_schematic_ai.py send the content of user documents (including images extracted from PDFs, PPTX files, etc.) to the OpenRouter API (an external third-party service). The SKILL.md instructions do not clearly warn users that their document content will be transmitted to an external server. This is a data exposure risk, particularly for sensitive documents such as medical records, confidential research, or proprietary business documents. File: scripts/convert_with_ai.py Remediation: Add explicit warnings in SKILL.md and script help text that document content will be transmitted to OpenRouter's external servers when AI features are used. Require explicit user confirmation before sending sensitive document content to external APIs.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Environment Variable Harvesting with External Network Transmission

  Multiple scripts (generate_schematic_ai.py, generate_schematic.py, convert_with_ai.py) read the OPENROUTER_API_KEY environment variable and transmit it as a Bearer token in HTTP requests to external servers (openrouter.ai). While OpenRouter is a legitimate service, the pattern of reading environment variables and sending them over the network constitutes a data exfiltration risk vector. The static analyzer flagged cross-file env var exfiltration chains across 3 files. Additionally, generate_schematic_ai.py attempts to load .env files from the current working directory and script directory, which could expose secrets from unrelated projects. File: scripts/generate_schematic_ai.py Remediation: Ensure the API key is only used for its stated purpose. The .env file loading from arbitrary working directories should be scoped strictly. Users should be clearly informed that their API key is transmitted to openrouter.ai. Consider validating the destination URL is the expected endpoint before transmitting credentials.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Misleading Model References (Non-Existent Model Names)

  The skill references model names such as 'google/gemini-3.1-flash-image-preview', 'google/gemini-3.1-pro-preview', and 'anthropic/claude-opus-4.5' which appear to be fabricated or speculative model identifiers (e.g., 'Nano Banana 2' is used as an informal name for what is claimed to be a Google model). These model names do not correspond to known production models at time of analysis. Using non-existent model names could cause API failures or, if these names are later registered by malicious actors, could route requests to unintended endpoints. File: scripts/generate_schematic_ai.py Remediation: Use verified, documented model identifiers. Remove informal/marketing names like 'Nano Banana 2' that do not correspond to real model names. Verify all model identifiers against the OpenRouter model catalog before publishing.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/markitdown/scripts/convert_with_ai.py File: skills/markitdown/scripts/convert_with_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/markitdown/scripts/generate_schematic.py File: skills/markitdown/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/markitdown/scripts/generate_schematic_ai.py File: skills/markitdown/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/markitdown/scripts/generate_schematic_ai.py File: skills/markitdown/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

  The skill does not declare an allowed-tools field in its YAML manifest. The skill executes Python scripts that invoke subprocess calls, write files, and interact with schedulers. While omitting allowed-tools is not a violation per spec, declaring it would improve transparency about what system capabilities the skill uses. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the YAML manifest listing the tools actually used (e.g., Bash, Python, Write) to improve auditability and transparency.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Shell Injection Risk via shell=True with User-Controlled Script Path

  The execute_launch function calls subprocess.run with shell=True, passing a command string constructed from a user-controlled script path. While shlex.quote is used to quote the script path in submit_command_for_executor, the resulting command string is then executed via shell=True. If any edge case bypasses the quoting (e.g., through the executor type selection or unexpected path values), this could allow shell injection. The combination of shell=True with dynamically constructed command strings is inherently risky. File: scripts/run_pacsomatic.py Remediation: Avoid shell=True. Instead, pass commands as a list to subprocess.run. For example, use ['sbatch', script_path] for slurm, ['bsub'] with stdin for lsf, etc. This eliminates shell interpretation entirely.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — User-Controlled extra-args Passed Directly to Nextflow Command

  The --extra-args argument is split using shlex.split and appended directly to the Nextflow command without further validation. A malicious or careless user could inject additional Nextflow flags or arguments that alter pipeline behavior in unintended ways, such as overriding security-relevant parameters or redirecting output. File: scripts/run_pacsomatic.py Remediation: Validate or restrict the --extra-args input to a known safe set of Nextflow flags. Consider a whitelist approach or at minimum document that this argument is trusted input only. Warn users that arbitrary flags can alter pipeline behavior.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — User-Controlled module-load Argument Written Directly into Shell Script Without Sanitization

  The --module-load argument is written verbatim into the generated bash launch script without any sanitization or quoting. This allows arbitrary shell commands to be injected into the generated script. For example, a value like 'module load nextflow; rm -rf /' would be written directly into the script and executed when --run is used. File: scripts/run_pacsomatic.py Remediation: Validate the --module-load argument to ensure it matches an expected pattern (e.g., only 'module load /' format). Do not write arbitrary user input directly into shell scripts. Consider using shlex.quote on individual components.

• 🔵 LOW LLM_COMMAND_INJECTION — User-Controlled nxf-opts Written to Shell Script Without Validation

  The --nxf-opts argument is written into the generated shell script as an environment variable export. While shlex.quote is applied, the value is entirely user-controlled and could contain JVM options that affect Nextflow's behavior in unexpected ways. This is a lower-severity concern since quoting is applied. File: scripts/run_pacsomatic.py Remediation: Consider validating NXF_OPTS to only allow known safe JVM memory flags (e.g., -Xms/-Xmx patterns). Document that this is a trusted-input-only parameter.

• 🔴 CRITICAL BEHAVIOR_EVAL_SUBPROCESS — eval/exec combined with subprocess detected

  Dangerous combination of code execution and system commands in skills/pacsomatic/scripts/run_pacsomatic.py File: skills/pacsomatic/scripts/run_pacsomatic.py Remediation: Remove eval/exec or use safer alternatives

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Cross-Skill Dependency and Capability Inflation via External Skill References

  The SKILL.md instructions reference and depend on two other external skills: 'venue-templates' (for reviewer_expectations.md) and 'scientific-schematics' (for diagram generation). The instructions actively promote using these other skills ('Nano Banana Pro will automatically generate, review, and refine the schematic') and instruct the agent to invoke them. This creates undeclared cross-skill dependencies that inflate the apparent capabilities of this skill and may trigger unintended activation of other skills. File: SKILL.md Remediation: Document cross-skill dependencies explicitly in the YAML manifest. Avoid instructing the agent to automatically invoke other skills without explicit user consent. Make the dependency on external skills optional and clearly communicated to the user.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — User-Controlled Input Passed to Subprocess Command

  In generate_schematic.py, the user-supplied prompt argument (args.prompt) is passed directly into a subprocess command list (cmd) that executes generate_schematic_ai.py. While using a list-based subprocess call (not shell=True) mitigates shell injection, the user prompt is still passed as a command-line argument to a child process. If the child process mishandles this argument, it could lead to argument injection or unexpected behavior. File: scripts/generate_schematic.py:88 Remediation: Pass user input via stdin or a temporary file rather than as a command-line argument. Validate and sanitize the prompt input before passing it to any subprocess. Consider using direct Python module imports instead of subprocess execution.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Unauthorized Tool Use: Bash Execution Not Declared in allowed-tools

  The SKILL.md manifest declares allowed-tools as [Read, Write, Edit, Bash]. The generate_schematic.py script uses subprocess.run() to execute another Python script (generate_schematic_ai.py) as a subprocess. This creates a subprocess chain where the agent's Bash tool is used to spawn child processes, potentially bypassing tool-level monitoring. The skill also instructs the agent to run bash commands directly in the SKILL.md instructions (e.g., 'python scripts/generate_schematic.py ...'). While Bash is declared, the subprocess chaining pattern obscures the actual execution flow from the agent's tool monitoring. File: scripts/generate_schematic.py:95 Remediation: Instead of subprocess chaining, import and call generate_schematic_ai.py functions directly as a Python module. This keeps execution within the declared Python tool context and makes the data flow transparent to the agent's monitoring.

• 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Exfiltration via External Network Calls

  The skill reads the OPENROUTER_API_KEY environment variable and transmits it in HTTP Authorization headers to the external OpenRouter API endpoint (https://openrouter.ai/api/v1). While this is nominally for legitimate AI generation, the key is harvested from the environment and sent over the network. The static analyzer flagged cross-file env var exfiltration chains across both generate_schematic.py and generate_schematic_ai.py. The key is passed via subprocess environment in generate_schematic.py and then used in Bearer token headers in generate_schematic_ai.py, creating a two-file exfiltration chain. File: scripts/generate_schematic_ai.py:85 Remediation: Ensure the API key is only used for its stated purpose and not logged or transmitted elsewhere. Validate the endpoint URL is hardcoded and cannot be overridden by user input. Consider scoping the API key permissions. The HTTP-Referer header spoofing 'github.com/scientific-writer' is also suspicious and should be removed.

• 🔵 LOW LLM_DATA_EXFILTRATION — HTTP-Referer Header Spoofing

  The generate_schematic_ai.py script hardcodes a spoofed HTTP-Referer header value of 'https://github.com/scientific-writer' in all API requests. This misrepresents the origin of the requests to the OpenRouter API, which could be used to bypass rate limiting, access controls, or attribution tracking on the API provider side. File: scripts/generate_schematic_ai.py:120 Remediation: Remove the HTTP-Referer header or set it to an accurate value representing the actual skill package. Do not spoof external URLs in request headers.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/peer-review/scripts/generate_schematic.py File: skills/peer-review/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/peer-review/scripts/generate_schematic_ai.py File: skills/peer-review/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/peer-review/scripts/generate_schematic_ai.py File: skills/peer-review/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Compatibility Field Not Specified in Manifest

  The YAML manifest does not specify a 'compatibility' field, which means users and agent orchestration systems cannot determine which environments this skill is compatible with. The skill makes external network calls and requires an API key, which may not be appropriate for all deployment environments. File: SKILL.md Remediation: Add a compatibility field to the YAML manifest that accurately describes the environments where this skill can operate, and explicitly note that network access and an OpenRouter API key are required.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Subprocess Execution of Another Script with User-Controlled Input

  In generate_schematic.py, the main() function constructs a subprocess command that includes args.prompt (user-provided input) and passes it to generate_schematic_ai.py via subprocess.run(). While the argument is passed as a list element (not shell=True), the user prompt is directly incorporated into the command array and ultimately used as an AI generation prompt sent to external APIs. This creates a tool chaining pattern where user input flows through subprocess into external API calls. File: scripts/generate_schematic.py:95 Remediation: This pattern is relatively safe since shell=False is used (list-based command). However, validate and sanitize the prompt argument before passing it to the subprocess. Consider adding length limits and content validation on user-provided prompts.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependency (requests library)

  The script imports the 'requests' library without any version pinning. The install instruction shown in the error message ('pip install requests') does not specify a version. While requests is a well-known library, unpinned dependencies can be subject to supply chain attacks if a malicious version is published or if a typosquatted package is installed. File: scripts/generate_schematic_ai.py:18 Remediation: Pin the requests library to a specific known-good version in a requirements.txt file (e.g., requests==2.31.0). Include a requirements.txt in the skill package with all dependencies pinned.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Key Transmitted to External Service via Network Calls

  The skill reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP requests to 'https://openrouter.ai/api/v1'. While OpenRouter is a legitimate AI routing service, the skill sends user-provided prompts and potentially sensitive content (including image data encoded as base64) to this external third-party service. The API key is also passed through subprocess environment variables in generate_schematic.py. Users may not be fully aware that their content and credentials are being sent externally. File: scripts/generate_schematic_ai.py:180 Remediation: Clearly disclose in the SKILL.md description that content is sent to OpenRouter's external API. Ensure users are informed before any data is transmitted. The YAML manifest already declares OPENROUTER_API_KEY as optional, which is good, but the instructions should explicitly warn users that their poster content and images will be sent to a third-party service.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — User-Provided Image Data Exfiltrated to External Review API

  In the review_image() method, the skill reads locally generated image files, encodes them as base64, and sends them to the external Gemini 3.1 Pro Preview model via OpenRouter. This means any image content generated during the poster creation workflow is transmitted externally. Additionally, the original user prompt is embedded in the review request sent externally, potentially leaking sensitive research content. File: scripts/generate_schematic_ai.py:310 Remediation: Disclose to users that generated images and their original prompts are sent to external AI review services. Provide an option to skip the AI review step if users have sensitive research content. Consider adding a --no-review flag to the CLI.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/pptx-posters/scripts/generate_schematic.py File: skills/pptx-posters/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/pptx-posters/scripts/generate_schematic_ai.py File: skills/pptx-posters/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/pptx-posters/scripts/generate_schematic_ai.py File: skills/pptx-posters/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 6 files

  Environment variable access with network calls in research_lookup.py, lookup.py, examples.py, scripts/generate_schematic_ai.py, scripts/research_lookup.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/research_lookup.py, scripts/generate_schematic.py, lookup.py, research_lookup.py, examples.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 6 files

  Multi-file exfiltration chain detected: research_lookup.py, lookup.py, examples.py, scripts/generate_schematic_ai.py, scripts/research_lookup.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → research_lookup.py, scripts/generate_schematic_ai.py, scripts/research_lookup.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic_ai.py, scripts/research_lookup.py, scripts/generate_schematic.py, lookup.py, research_lookup.py, examples.py

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Cross-Skill Invocation Recommendation Without Explicit User Consent

  The SKILL.md instructions recommend invoking the 'scientific-schematics' skill automatically when creating documents: 'When creating documents with this skill, always consider adding scientific diagrams and schematics to enhance visual communication.' and 'Use the scientific-schematics skill to generate AI-powered publication-quality diagrams'. This cross-skill invocation recommendation could lead to unexpected activation of additional skills and additional external API calls without explicit user request. File: SKILL.md Remediation: Change 'always consider adding' to only invoke the scientific-schematics skill when explicitly requested by the user. Remove the automatic recommendation pattern that could trigger additional skill invocations and API calls without user intent.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Installation of parallel-cli via Curl-Pipe-Bash Pattern

  The SKILL.md instructions direct users to install parallel-cli using 'curl -fsSL https://parallel.ai/install.sh | bash', which is a supply chain risk. This pattern downloads and executes arbitrary code from a remote server without version pinning or integrity verification. If the install.sh script is compromised or the domain is taken over, malicious code could be executed on the user's machine. File: SKILL.md Remediation: Prefer the 'uv tool install' method with a pinned version (e.g., 'uv tool install parallel-web-tools[cli]==X.Y.Z'). If curl-pipe-bash must be used, document the risks and recommend verifying the script before execution. Add checksum verification.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Keys Transmitted to External Services Without User Confirmation

  The skill reads PARALLEL_API_KEY and OPENROUTER_API_KEY from environment variables and transmits them directly to external services (api.parallel.ai and openrouter.ai). While this is disclosed in the SKILL.md description, the transmission happens automatically without per-request user confirmation. The keys are used as Bearer tokens in HTTP Authorization headers sent to third-party endpoints. This is by design but represents a data exposure risk if the keys are compromised or if the endpoints are not what they claim to be. File: research_lookup.py Remediation: This is disclosed behavior, but consider adding explicit user confirmation before transmitting queries to external APIs, especially for sensitive research topics. Ensure API keys are stored securely and rotated regularly.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — User Query Content Transmitted to Multiple External Third-Party Services

  Every research query entered by the user is transmitted to external services: api.parallel.ai (Parallel Chat API) and openrouter.ai (which proxies to Perplexity sonar-pro-search). The skill automatically routes queries without explicit per-query user consent. Sensitive research topics, proprietary research questions, or confidential information entered as queries will be sent to these third-party services. The SKILL.md description does disclose this, but the automatic routing means users may not realize their specific query is being sent externally. File: research_lookup.py Remediation: Add clear per-query disclosure before transmitting to external services. Consider adding a confirmation prompt for sensitive queries. Ensure the SKILL.md prominently warns users that all query text is sent to external APIs.

• 🔵 LOW LLM_RESOURCE_ABUSE — Batch Query Processing Without Rate Limiting Safeguards

  The batch_lookup() method processes multiple queries with only a configurable delay between requests (default 1.0 second). There is no maximum batch size limit, no total cost cap, and no user confirmation before executing potentially large batches. A user or malicious instruction could trigger hundreds of API calls, leading to significant API costs and potential rate limit exhaustion. File: research_lookup.py Remediation: Add a maximum batch size limit (e.g., 20 queries). Add user confirmation before executing batches larger than a threshold. Implement cost estimation before execution. Add a hard cap on total API calls per session.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Python Package Dependencies

  The scripts use 'pip install openai' and 'pip install requests' without version pinning. The openai package is lazy-loaded without a version constraint. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be installed. File: research_lookup.py Remediation: Pin all dependencies to specific versions (e.g., 'pip install openai==1.x.x requests==2.x.x'). Include a requirements.txt with pinned versions and hashes for integrity verification.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Image Generation Script Transmits User Prompts and Generated Images to External API

  The generate_schematic_ai.py script sends user diagram descriptions to openrouter.ai, and also sends generated images back to the review model (Gemini 3.1 Pro Preview via OpenRouter) for quality review. This means both the user's prompt AND the generated image content are transmitted to external services. The image review step encodes local images as base64 and sends them to the API, which could expose sensitive diagram content. File: scripts/generate_schematic_ai.py Remediation: Warn users that generated images are sent to external APIs for quality review. Provide an option to skip the review step for sensitive diagrams. Document this behavior clearly in SKILL.md.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/research-lookup/examples.py File: skills/research-lookup/examples.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/research-lookup/lookup.py File: skills/research-lookup/lookup.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/research-lookup/research_lookup.py File: skills/research-lookup/research_lookup.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/research-lookup/research_lookup.py File: skills/research-lookup/research_lookup.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/research-lookup/scripts/generate_schematic.py File: skills/research-lookup/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/research-lookup/scripts/generate_schematic_ai.py File: skills/research-lookup/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/research-lookup/scripts/generate_schematic_ai.py File: skills/research-lookup/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/research-lookup/scripts/research_lookup.py File: skills/research-lookup/scripts/research_lookup.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/research-lookup/scripts/research_lookup.py File: skills/research-lookup/scripts/research_lookup.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Cross-Skill Activation Promotion via Scientific Schematics Integration

  The SKILL.md instructions contain a prominent section promoting the use of another skill ('scientific-schematics') and instruct the agent to generate schematics 'by default' for new documents. This cross-skill promotion inflates the activation surface of the scholar-evaluation skill by embedding activation triggers for a separate skill. The instructions state 'Nano Banana Pro will automatically generate, review, and refine the schematic' and 'Scientific schematics should be generated by default', which could cause the agent to invoke external capabilities beyond the stated evaluation purpose without explicit user request. File: SKILL.md Remediation: Remove or make optional the cross-skill promotion section. If schematic generation is desired, it should be explicitly requested by the user rather than triggered by default. Avoid embedding activation triggers for other skills within a skill's instructions.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Key Exposure via Environment Variable Harvesting and External Network Transmission

  The scripts read the OPENROUTER_API_KEY environment variable and transmit it to an external API endpoint (https://openrouter.ai/api/v1). While this is the intended use of the API key, the pattern of reading environment variables and making external network calls represents a data exfiltration risk vector. The generate_schematic.py script also passes the API key via environment to subprocess calls, and the generate_schematic_ai.py script attempts to load .env files from multiple locations. If a malicious prompt were to manipulate the prompt or output path parameters, the API key could be exposed in logs or transmitted to unintended endpoints. File: scripts/generate_schematic_ai.py Remediation: Ensure the API key is only transmitted to the intended OpenRouter endpoint. Add domain validation before making requests. Consider using a secrets manager rather than environment variables. Validate the base_url is not overridable by user input.

• 🔵 LOW LLM_COMMAND_INJECTION — User-Controlled Prompt Passed Directly to External AI API Without Sanitization

  In generate_schematic_ai.py and generate_schematic.py, the user-supplied prompt argument is passed directly into API requests to OpenRouter without sanitization or validation. The prompt is embedded into messages sent to external AI models (Gemini 3.1 Pro Preview, Nano Banana 2). While this is the intended behavior, a malicious user could craft prompts designed to manipulate the downstream AI model's behavior (indirect prompt injection via the image generation pipeline). The prompt is also embedded into the improve_prompt() method which concatenates it with critique text from the AI reviewer, creating a potential injection chain. File: scripts/generate_schematic_ai.py Remediation: Add input validation and length limits on user-provided prompts. Consider sanitizing or escaping special characters. Be aware that critique text returned from the AI reviewer is also embedded into subsequent prompts, creating a potential injection chain from the review model to the generation model.

• 🔵 LOW LLM_DATA_EXFILTRATION — Review Log Written to Disk Contains Full Prompt and Critique Data

  The generate_iterative() method saves a JSON review log to disk that contains the full user prompt, all AI-generated critiques, quality scores, and iteration metadata. This log is saved automatically without user consent or notification in the same directory as the output image. The log file could contain sensitive information if the user's diagram description contains confidential research details. File: scripts/generate_schematic_ai.py Remediation: Inform users that a review log will be created. Add a --no-log flag to disable log creation. Consider redacting or summarizing sensitive content in logs. At minimum, document this behavior clearly in the skill instructions.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Retry Loop with External API Calls

  The generate_iterative() method in generate_schematic_ai.py implements a loop that makes multiple external API calls (image generation + review) per iteration. While the maximum iterations are capped at 2, each iteration makes at least 2 API calls (generate + review), and failures in image extraction do not terminate the loop - they continue to the next iteration. The timeout is set to 120 seconds per request, meaning a worst-case execution could involve 4+ API calls with up to 8+ minutes of blocking network I/O. Additionally, the calculate_scores.py interactive mode has an unbounded while loop for input validation. File: scripts/generate_schematic_ai.py Remediation: Add explicit break conditions for consecutive failures. Consider adding a total timeout budget across all iterations. The interactive mode while loop should have a maximum retry count for invalid inputs.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/scholar-evaluation/scripts/generate_schematic.py File: skills/scholar-evaluation/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/scholar-evaluation/scripts/generate_schematic_ai.py File: skills/scholar-evaluation/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/scholar-evaluation/scripts/generate_schematic_ai.py File: skills/scholar-evaluation/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Key Passed via Command-Line Argument (Process Listing Exposure)

  In generate_schematic.py, the API key can be passed via --api-key flag and is then forwarded to the subprocess. While the code does attempt to pass it via environment variable (env['OPENROUTER_API_KEY'] = api_key), the original --api-key argument is still accepted and stored in args.api_key, and the subprocess command (cmd) does NOT include the key directly. However, the API key is accepted as a plaintext CLI argument, which can be exposed in process listings (ps aux) on multi-user systems. File: scripts/generate_schematic.py:97 Remediation: Remove the --api-key CLI argument entirely and require the API key to be set only via environment variable or .env file. This prevents accidental exposure in process listings.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — References to Non-Existent AI Models ('Nano Banana 2', 'Gemini 3.1 Pro Preview')

  The skill prominently markets itself as using 'Nano Banana 2 AI' for image generation and 'Gemini 3.1 Pro Preview' for quality review. However, the actual model used in code is 'google/gemini-3.1-flash-image-preview' (not 'Nano Banana 2') and 'google/gemini-3.1-pro-preview'. 'Nano Banana 2' appears to be a fictional/marketing name that does not correspond to any known AI model, potentially misleading users about the actual technology being used. File: scripts/generate_schematic_ai.py:130 Remediation: Use accurate model names in documentation and marketing. Remove the fictional 'Nano Banana 2' branding and accurately describe the actual models being used (gemini-3.1-flash-image-preview for generation).

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Sensitive API Key Transmitted in HTTP Authorization Header to External Service

  The script sends the OPENROUTER_API_KEY in the Authorization header to https://openrouter.ai/api/v1. While this is the intended use of the API key, the key is read from the environment and transmitted over the network. If the key is overly permissive or the OpenRouter service is compromised, this represents a credential exposure risk. Additionally, the HTTP-Referer header is hardcoded to 'https://github.com/scientific-writer', which is a misleading/spoofed referrer. File: scripts/generate_schematic_ai.py:175 Remediation: Document clearly that the API key is transmitted to OpenRouter. Remove or correct the misleading HTTP-Referer header. Consider validating the API key format before use.

• 🔵 LOW LLM_DATA_EXFILTRATION — User Prompt Content Sent to External AI APIs Without Sanitization

  The user's diagram description prompt (which may contain sensitive project information, proprietary research details, or confidential data) is sent verbatim to external APIs (OpenRouter/Google Gemini) for both image generation and quality review. There is no warning to users that their prompt content will be transmitted to third-party services. File: scripts/generate_schematic_ai.py:230 Remediation: Add a clear disclosure in SKILL.md and at runtime that user prompts and generated images are transmitted to OpenRouter and Google's Gemini API. Allow users to opt out or be informed before submission.

• 🔵 LOW LLM_DATA_EXFILTRATION — Generated Images Sent to External Review API (Data Exfiltration of Generated Content)

  Generated diagram images are base64-encoded and sent to the external Gemini 3.1 Pro Preview API for quality review. This means any generated scientific diagram (which may contain proprietary research visualizations) is transmitted to Google's servers via OpenRouter. Users may not be aware their generated figures are being sent externally. File: scripts/generate_schematic_ai.py:280 Remediation: Clearly disclose that generated images are sent to external APIs for review. Provide an option to skip the external review step for sensitive diagrams.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Retry Loop with External API Calls

  The generate_iterative method loops up to 'iterations' times (max 2), each time making multiple external API calls (image generation + review). While the max is capped at 2, each iteration involves at least 2 API calls with 120-second timeouts each, meaning a single diagram generation could take up to 8 minutes and make 4 external API calls. With no rate limiting or backoff, rapid successive calls could exhaust API quotas. File: scripts/generate_schematic_ai.py:370 Remediation: Add a small delay between iterations (e.g., time.sleep(1)) and implement exponential backoff on API failures. Consider adding a total timeout for the entire generation process.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/scientific-schematics/scripts/generate_schematic.py File: skills/scientific-schematics/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/scientific-schematics/scripts/generate_schematic_ai.py File: skills/scientific-schematics/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/scientific-schematics/scripts/generate_schematic_ai.py File: skills/scientific-schematics/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 4 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_slide_image_ai.py, scripts/generate_slide_image.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_slide_image_ai.py, scripts/generate_schematic.py, scripts/generate_schematic_ai.py, scripts/generate_slide_image.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 4 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_slide_image_ai.py, scripts/generate_slide_image.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py, scripts/generate_slide_image_ai.py → scripts/generate_schematic_ai.py, scripts/generate_slide_image_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_slide_image_ai.py, scripts/generate_schematic.py, scripts/generate_schematic_ai.py, scripts/generate_slide_image.py

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Allowed-Tools Violation: Bash and Write Tools Used Beyond Declared Scope

  The skill declares allowed-tools as [Read, Write, Edit, Bash]. The scripts perform network calls to external APIs (openrouter.ai), which is not reflected in the allowed-tools declaration. The allowed-tools field does not include a 'Network' or 'Python' tool type, yet the skill extensively uses Python scripts that make outbound HTTP requests. This represents a capability that exceeds what the manifest implies to users reviewing the allowed-tools list. Remediation: Update the skill description and manifest to explicitly state that the skill makes outbound network calls to openrouter.ai. Consider adding a network-access warning in the skill description so users understand the external data transmission involved.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Skill Description

  The skill description claims to work with 'PowerPoint and LaTeX Beamer' and references an external 'PPTX skill' (skills/pptx/SKILL.md) that is not found in the package. The instructions extensively reference capabilities and scripts from the PPTX skill that are not bundled with this skill, potentially misleading users about what this skill can actually accomplish independently. File: SKILL.md Remediation: Update the skill description to accurately reflect that PowerPoint creation requires a separate PPTX skill dependency. Clearly document external skill dependencies in the manifest metadata.

• 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Harvesting via Environment Variable Access with External Network Calls

  Multiple scripts (generate_schematic_ai.py, generate_slide_image_ai.py) read the OPENROUTER_API_KEY environment variable and transmit it as a Bearer token in HTTP Authorization headers to external servers. While the stated purpose is legitimate AI API access, the pattern of reading sensitive environment variables and sending them over the network represents a credential exposure risk. The scripts also scan for .env files in the current working directory and script directory, potentially harvesting credentials from local configuration files. File: scripts/generate_schematic_ai.py Remediation: Ensure the OPENROUTER_API_KEY is only used for its stated purpose (OpenRouter API calls). Validate that the base_url is always openrouter.ai and cannot be overridden by user input. Consider pinning the endpoint URL as a constant rather than a configurable parameter.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependencies

  The scripts import third-party libraries (requests, Pillow/PIL, PyMuPDF/fitz, PyPDF2, python-pptx) without version pinning in the skill package. The install instructions use generic pip install commands without specifying versions. This creates supply chain risk where a compromised or malicious version of these packages could be installed. File: scripts/generate_schematic_ai.py Remediation: Include a requirements.txt file with pinned versions (e.g., requests==2.31.0, Pillow==10.0.0, pymupdf==1.23.0). Reference this file in installation instructions to ensure reproducible and auditable dependency installation.

• 🟠 HIGH LLM_COMMAND_INJECTION — Subprocess Execution with User-Controlled Input Passed to Child Process

  The wrapper scripts generate_slide_image.py and generate_schematic.py accept arbitrary user-provided prompt strings from the command line and pass them directly as positional arguments to subprocess.run() calls that invoke child Python scripts. While the API key is passed via environment variable (good practice), the prompt string itself is passed as a command-line argument without sanitization. A malicious prompt containing shell metacharacters or specially crafted content could potentially influence subprocess behavior depending on the OS and shell invocation context. File: scripts/generate_slide_image.py Remediation: The current use of subprocess.run() with a list (not shell=True) is relatively safe against shell injection. However, validate and sanitize the prompt string before passing it. Consider adding length limits and character allowlists for the prompt argument. Ensure shell=True is never used with user-supplied input.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Cross-File Exfiltration Chain: User Content Sent to External AI API

  The skill implements a multi-file chain where user-provided presentation content (prompts describing slides, attached images from the user's filesystem) is collected and transmitted to external AI services (openrouter.ai, specifically Google Gemini models). The --attach flag allows attaching arbitrary local image files, which are base64-encoded and sent to external servers. This creates a data exfiltration pathway where local files (figures, diagrams, logos, potentially sensitive images) are uploaded to third-party AI services without explicit per-file user confirmation. File: scripts/generate_slide_image_ai.py Remediation: Clearly document in the skill description that attached files are transmitted to external AI services. Add explicit user confirmation prompts before transmitting local files to external services. Validate that attached file paths are within expected directories and are image files before transmission.

• 🟡 MEDIUM LLM_PROMPT_INJECTION — Indirect Prompt Injection via User-Controlled Slide Prompts Sent to AI Models

  The skill instructs the agent to take user-provided presentation descriptions and pass them directly as prompts to external AI image generation models (Nano Banana Pro / Gemini). A malicious user could craft a slide description prompt containing instructions intended to manipulate the AI model's behavior, potentially causing it to generate harmful content, exfiltrate information through generated images, or behave unexpectedly. The prompt is passed without sanitization or content filtering. File: scripts/generate_slide_image_ai.py Remediation: Add input validation and sanitization for user-provided prompts before passing to external AI APIs. Consider implementing a content policy check or prompt prefix that establishes safe boundaries. Log prompts for audit purposes.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/scientific-slides/scripts/generate_schematic.py File: skills/scientific-slides/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/scientific-slides/scripts/generate_schematic_ai.py File: skills/scientific-slides/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/scientific-slides/scripts/generate_schematic_ai.py File: skills/scientific-slides/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/scientific-slides/scripts/generate_slide_image.py File: skills/scientific-slides/scripts/generate_slide_image.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/scientific-slides/scripts/generate_slide_image_ai.py File: skills/scientific-slides/scripts/generate_slide_image_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/scientific-slides/scripts/generate_slide_image_ai.py File: skills/scientific-slides/scripts/generate_slide_image_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_EVAL_SUBPROCESS — eval/exec combined with subprocess detected

  Dangerous combination of code execution and system commands in skills/scientific-slides/scripts/validate_presentation.py File: skills/scientific-slides/scripts/validate_presentation.py Remediation: Remove eval/exec or use safer alternatives

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 3 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_image.py, scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 3 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py, scripts/generate_image.py → scripts/generate_schematic_ai.py, scripts/generate_image.py transmit to network Remediation: Review data flow across files: scripts/generate_image.py, scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Overly Prescriptive Mandatory Figure Generation Requirements

  The SKILL.md instructions use strong mandatory language ("MANDATORY", "CRITICAL", "ALWAYS", "not optional") to require extensive figure generation (5-30 figures per document) using external API calls. This could cause the agent to autonomously make large numbers of paid API calls without explicit user consent for each call. The instruction 'When in Doubt, Generate a Figure' encourages excessive API usage beyond what users may expect or want. File: SKILL.md Remediation: Replace mandatory language with recommendations. Require explicit user confirmation before making API calls that incur costs. Provide cost estimates before generating large numbers of figures. Allow users to opt out of AI-generated figures.

• 🔵 LOW LLM_DATA_EXFILTRATION — generate_image.py Traverses Parent Directories to Find .env Files

  The check_env_file() function in generate_image.py walks up the entire directory tree from the current working directory searching for .env files. This could expose .env files from parent directories outside the skill's own package, potentially reading credentials from unrelated projects or system-level .env files. Unlike generate_schematic_ai.py which limits .env loading to the current directory and script directory only, generate_image.py has unbounded upward traversal. File: scripts/generate_image.py:17 Remediation: Limit .env file search to the skill's own directory and the current working directory only, as done in generate_schematic_ai.py. Replace the parent directory traversal with: for candidate in [Path.cwd() / '.env', Path(__file__).resolve().parent / '.env'].

• 🔵 LOW LLM_DATA_EXFILTRATION — API Key Transmitted to External Service via Environment Variable

  The skill reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP Authorization headers to https://openrouter.ai. While this is the intended use of the API key (authenticating to OpenRouter), the pattern of reading environment credentials and sending them over the network is worth noting. The key is passed via environment variable (not hardcoded), which is the correct approach. The destination (openrouter.ai) is a legitimate AI API provider. No exfiltration to attacker-controlled domains is detected. File: scripts/generate_schematic_ai.py:95 Remediation: This is expected behavior for an API-based skill. Ensure users are aware that their OPENROUTER_API_KEY is transmitted to openrouter.ai when using this skill. Document this clearly in the skill description.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Retry Loop with External API Calls

  The generate_iterative() method in generate_schematic_ai.py makes multiple sequential API calls (up to 2 iterations by default, enforced max of 2). Each iteration makes at least 2 API calls (one for image generation, one for review). While the maximum is capped at 2 iterations, the SKILL.md instructions mandate generating 5-30 figures per document type (e.g., 20-30 for market research), which could result in 40-120 API calls per document. This could lead to significant resource consumption and API cost exhaustion. File: scripts/generate_schematic_ai.py:280 Remediation: Add explicit warnings in the skill documentation about API cost implications when generating large numbers of figures. Consider adding a total API call budget limit or requiring explicit user confirmation before generating more than a threshold number of figures.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/scientific-writing/scripts/generate_schematic.py File: skills/scientific-writing/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/scientific-writing/scripts/generate_schematic_ai.py File: skills/scientific-writing/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/scientific-writing/scripts/generate_schematic_ai.py File: skills/scientific-writing/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL LLM_DATA_EXFILTRATION — Environment Variable Exfiltration with Network Calls Detected Across Multiple Files

  Static analysis flagged a cross-file exfiltration chain spanning 3 files, involving environment variable access combined with network calls. Although the SKILL.md instruction body appears benign and no script files were surfaced in the submission, the pre-scan context explicitly identifies BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN, and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across 13 files (8 markdown, 3 Python, 2 other). The 3 Python files and unreferenced scripts were not provided for review, meaning malicious logic may be hidden in files not surfaced to this analysis. The pattern of reading environment variables (which may contain API keys, tokens, cloud credentials) and then making network calls is a classic data exfiltration pattern. The skill requests Bash and Write tool permissions, which would facilitate executing such scripts and persisting results. File: SKILL.md Remediation: Audit all 3 Python files in the skill package for environment variable reads (os.environ, os.getenv) combined with any network calls (requests, urllib, http.client, socket). Remove or sandbox any code that transmits local data to external endpoints. Require full disclosure of all files in the skill package before deployment.

• 🟠 HIGH LLM_PROMPT_INJECTION — Referenced Files Not Found May Enable Indirect Prompt Injection via External Substitution

  The SKILL.md instructions reference matplotlib.py and seaborn.py as files to be read, but both are reported as 'not found' in the package. The instructions direct the agent to read reference files from a references/ directory (function_reference.md, objects_interface.md, examples.md). If the missing matplotlib.py or seaborn.py files are later supplied by a user or fetched from an external source, they could contain malicious instructions that the agent would treat as trusted reference material. The instruction 'Read these reference files as documentation' creates a transitive trust path where externally-supplied content is treated as authoritative. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package and validated at install time. Do not allow user-supplied files to substitute for missing skill-internal references. Add explicit warnings that reference files must come from the trusted skill package only.

• 🟠 HIGH LLM_UNAUTHORIZED_TOOL_USE — Undisclosed Python Scripts Present Despite No Script Files Reported

  The submission states 'No script files found' in the Script Files section, yet the static file inventory confirms 3 Python files exist in the package. This discrepancy means executable code is present in the skill package but was withheld from review. This is a tool exploitation risk: the agent will have access to these Python files and may execute them (the manifest grants Bash and Write permissions), but the security reviewer cannot assess their content. The cross-file exfiltration chain detected by static analysis further confirms these hidden scripts contain suspicious behavior. File: SKILL.md Remediation: All files in the skill package must be disclosed for security review. Do not deploy this skill until the 3 Python files are reviewed and confirmed free of malicious behavior. Implement mandatory full-package disclosure in the skill submission pipeline.

• 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned Optional Dependency Installation via uv pip

  The skill instructs installation of seaborn with optional extras (seaborn[stats]==0.13.2) which pulls in scipy and statsmodels. While seaborn itself is pinned, the transitive dependencies of these optional packages are not pinned, creating supply chain risk. Additionally, the skill uses 'uv pip install' which may resolve to different transitive dependency versions across environments, potentially introducing compromised or vulnerable packages. File: SKILL.md Remediation: Use a fully pinned requirements file (pip-compile or uv pip compile) that locks all transitive dependencies to specific versions with hashes. Include a requirements.txt or pyproject.toml with complete dependency lock in the skill package.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Skill Description References Other Named Skills Suggesting Ecosystem Coordination

  The skill description explicitly references two other skills by name: 'plotly' and 'scientific-visualization', directing users toward or away from them. While this may be legitimate skill ecosystem documentation, it could also be used to manipulate skill discovery and routing, inflating the activation surface of coordinated skills or suppressing competitors. This pattern warrants review in the context of the broader skill ecosystem. File: SKILL.md Remediation: Verify that the referenced skills (plotly, scientific-visualization) are legitimate, trusted skills from the same author or a trusted source. Ensure cross-skill references do not create unintended activation chains or trust escalation paths.

• 🔴 CRITICAL LLM_DATA_EXFILTRATION — Cross-File Data Exfiltration Chain Detected

  Static analysis identified a BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN spanning 3 files. This indicates a multi-stage data pipeline where one script reads or collects data and another transmits it externally. In the context of a genomics skill with cloud storage access (S3, Azure, GCS) and API token handling, this chain could be used to exfiltrate genomic data, cloud credentials, or API tokens to an attacker-controlled endpoint. The referenced files tiledb.py and tiledbvcf.py were not found for direct inspection, making the full chain unverifiable. Remediation: Locate and audit all 3 Python files flagged in the exfiltration chain. Trace data flow from file read/env access through to any network transmission. Remove unauthorized outbound calls. Ensure no data collected from user genomic datasets is transmitted to endpoints outside the user's control. Consider static analysis with tools like Bandit or Semgrep before deployment.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and Compatibility Metadata

  The skill manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills specification, their absence means there are no declared restrictions on what tools the agent may use when executing this skill. Given the static analysis findings of network calls and environment variable access, explicit tool restrictions would be an important defense-in-depth measure. Remediation: Add explicit 'allowed-tools' declarations to restrict the agent to only the tools required for legitimate operation. Add 'compatibility' metadata to clarify the intended execution environment. This provides defense-in-depth and makes any tool restriction violations detectable.

• 🔴 CRITICAL LLM_DATA_EXFILTRATION — Environment Variable Exfiltration via Network Calls

  Static analysis detected environment variable access combined with network calls across multiple files in this skill package. The pre-scan context explicitly flags BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across 3 files. The SKILL.md instructs users to set sensitive tokens via environment variables (e.g., TILEDB_REST_TOKEN), and the referenced Python files (tiledb.py, tiledbvcf.py) — though not found during analysis — are flagged as part of a cross-file exfiltration chain. This pattern is consistent with scripts that read environment variables (including API tokens, cloud credentials) and transmit them to external endpoints. File: SKILL.md Remediation: Audit all Python scripts (tiledb.py, tiledbvcf.py, and any third file in the chain) for code that reads os.environ or os.getenv and passes values to requests, urllib, httpx, or similar network libraries. Remove or sandbox any such patterns. Ensure referenced scripts are present and auditable before deployment.

• 🟠 HIGH LLM_UNAUTHORIZED_TOOL_USE — Referenced Script Files Missing — Unauditable Tool Behavior

  The SKILL.md references tiledb.py and tiledbvcf.py as part of its operational workflow, but neither file was found during analysis. The file inventory confirms 3 Python files exist in the package, yet none were surfaced for content review. This discrepancy means the actual tool behavior cannot be verified against the manifest claims. Combined with the static analysis flags for exfiltration chains, the missing scripts represent a significant unauditable attack surface. File: SKILL.md Remediation: Ensure all referenced script files are included and auditable in the skill package. Do not deploy skills with missing or inaccessible script files. Perform a full content audit of all 3 Python files before use.

• 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation in Cloud Setup Instructions

  The SKILL.md instructs users to install packages without version pinning: 'pip install tiledb-cloud' and 'pip install tiledb-cloud[life-sciences]'. Unpinned installations are vulnerable to supply chain attacks where a malicious version of a package could be published and automatically installed. Given that this skill handles sensitive genomic data and cloud API tokens, a compromised package version could exfiltrate credentials or data. File: SKILL.md Remediation: Pin all package installations to specific verified versions, e.g., 'pip install tiledb-cloud==0.12.3'. Use a requirements.txt with hashes for reproducible and verifiable installs. Consider using a private package mirror or verifying package integrity before installation.

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Mandatory External Skill Dependency: scientific-schematics Skill Invocation

  The SKILL.md instructions mandate that every treatment plan MUST invoke the 'scientific-schematics' skill to generate AI figures, marking this as non-optional. This creates a forced dependency on another skill whose security posture is unknown. The instruction states '⚠️ MANDATORY: Every treatment plan MUST include at least 1 AI-generated figure using the scientific-schematics skill.' This could be used to chain skill invocations in ways the user did not explicitly authorize, and the security of the chained skill is outside the scope of this package. File: SKILL.md Remediation: Change the mandatory requirement to a recommendation. The agent should ask the user whether they want to invoke the scientific-schematics skill rather than doing so automatically. Document the dependency explicitly in the YAML manifest.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims and Mandatory Schematic Requirement May Inflate Activation

  The skill description claims support for 'all clinical specialties' and the instructions mandate invoking an additional skill (scientific-schematics) for every treatment plan. The description is very broad ('Supports general medical treatment, rehabilitation therapy, mental health care, chronic disease management, perioperative care, and pain management') which may cause the agent to activate this skill for a wider range of requests than intended, including cases where a simpler response would suffice. File: SKILL.md Remediation: Narrow the description to be more specific about when this skill should be activated versus when a simpler clinical note or summary would be more appropriate. Remove the mandatory scientific-schematics invocation requirement.

• 🔵 LOW LLM_DATA_EXFILTRATION — Hardcoded Patient-Specific Information in Style File

  The medical_treatment_plan.sty file contains hardcoded patient-specific information in the header/footer configuration: 'Diabetes Treatment Plan' and 'Patient Age: 23'. While this appears to be example/template content, if this style file is reused across patients without modification, it could result in incorrect patient information appearing on documents, which is a HIPAA compliance risk. File: assets/medical_treatment_plan.sty Remediation: Replace hardcoded patient information in the style file with LaTeX macros or parameters that must be explicitly set per document (e.g., \newcommand{\patientname}{} that must be defined in each document). Add a comment warning that these values must be customized per patient.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Cross-File Exfiltration Chain: Environment Variable Harvested and Sent Externally

  The static analyzer identified a cross-file exfiltration chain spanning generate_schematic.py and generate_schematic_ai.py. generate_schematic.py reads OPENROUTER_API_KEY from the environment and passes it to generate_schematic_ai.py via subprocess with env=env (a copy of the full OS environment). generate_schematic_ai.py then uses this key to make authenticated HTTP POST requests to an external API. This two-stage chain means the full OS environment (including any other secrets present) is copied and passed to the subprocess, not just the specific key. File: scripts/generate_schematic.py Remediation: Instead of passing os.environ.copy() (which includes all environment variables), pass only the minimal required environment variables to the subprocess. Example: env = {"OPENROUTER_API_KEY": api_key, "PATH": os.environ.get("PATH", "")}. This prevents inadvertent leakage of other secrets (AWS keys, SSH keys, tokens) present in the environment.

• 🟠 HIGH LLM_DATA_EXFILTRATION — API Key Exfiltration via External Network Calls in generate_schematic_ai.py

  The script reads the OPENROUTER_API_KEY environment variable and transmits it as a Bearer token in HTTP Authorization headers to the external OpenRouter API (https://openrouter.ai/api/v1). While OpenRouter is a legitimate AI routing service, the pattern of harvesting an environment variable and sending it to an external server constitutes a data exfiltration risk. The key is also passed through subprocess calls in generate_schematic.py via environment variable propagation. The static analyzer flagged cross-file env var exfiltration chains across generate_schematic.py and generate_schematic_ai.py. File: scripts/generate_schematic_ai.py Remediation: 1. Clearly document in SKILL.md that the API key is transmitted to openrouter.ai. 2. Validate the endpoint URL is strictly 'https://openrouter.ai/api/v1' before sending credentials. 3. Never log or expose the API key in verbose output. 4. Consider using a secrets manager rather than raw environment variables.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Unvalidated User-Controlled Prompt Passed to External AI API

  In generate_schematic_ai.py and generate_schematic.py, the user-supplied prompt string is passed directly to the OpenRouter API without sanitization or length limits. The prompt is embedded in JSON payloads sent to external AI models (google/gemini-3.1-flash-image-preview and google/gemini-3.1-pro-preview). A malicious user could craft prompts designed to manipulate the downstream AI model's behavior (prompt injection against the external model), potentially causing it to generate harmful content or bypass its own safety filters. File: scripts/generate_schematic_ai.py Remediation: 1. Validate and sanitize user-provided prompts before sending to external APIs. 2. Enforce maximum prompt length limits. 3. Consider a content filter or allowlist for prompt content in medical contexts. 4. Log prompts for audit purposes (without logging API keys).

• 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependencies and No Dependency Manifest

  The scripts import 'requests' and optionally 'matplotlib' and 'dotenv' without any version pinning. There is no requirements.txt or pyproject.toml visible in the skill package. The generate_schematic_ai.py script also attempts to install or import dotenv dynamically. Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be installed. File: scripts/generate_schematic_ai.py Remediation: 1. Add a requirements.txt with pinned versions (e.g., requests==2.32.3, python-dotenv==1.0.1, matplotlib==3.9.0). 2. Consider using a lockfile (pip-compile or poetry.lock). 3. Document all dependencies in the YAML manifest or a separate dependencies file.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Retry Loop Risk in Iterative Image Generation

  The generate_iterative method in generate_schematic_ai.py performs up to 'iterations' rounds of API calls (generation + review per iteration). While the maximum is capped at 2 iterations in the CLI, the class method itself accepts arbitrary iteration counts. Each iteration makes 2 API calls (one for generation, one for review), and failures do not terminate the loop—they continue to the next iteration. This could result in unexpected API costs or rate-limit exhaustion. File: scripts/generate_schematic_ai.py Remediation: 1. Enforce the maximum iteration cap (2) at the class method level, not just the CLI. 2. Add a circuit breaker that stops after consecutive failures. 3. Add cost estimation warnings before making multiple API calls. 4. Ensure the CLI enforcement (min 1, max 2) is also enforced in the ScientificSchematicGenerator class.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/treatment-plans/scripts/generate_schematic.py File: skills/treatment-plans/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/treatment-plans/scripts/generate_schematic_ai.py File: skills/treatment-plans/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/treatment-plans/scripts/generate_schematic_ai.py File: skills/treatment-plans/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION — Cross-file env var exfiltration: 2 files

  Environment variable access with network calls in scripts/generate_schematic_ai.py, scripts/generate_schematic.py Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔴 CRITICAL BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN — Cross-file exfiltration chain: 2 files

  Multi-file exfiltration chain detected: scripts/generate_schematic_ai.py, scripts/generate_schematic.py collect data → scripts/generate_schematic_ai.py → scripts/generate_schematic_ai.py transmit to network Remediation: Review data flow across files: scripts/generate_schematic.py, scripts/generate_schematic_ai.py

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Skill Description

  The skill description claims access to '50+ publication venue templates' and lists an extensive array of journals, conferences, and grant agencies. However, the actual template database in query_template.py only contains entries for a handful of venues (nature, neurips, plos_one, beamerposter, nsf, nih_specific_aims). Many referenced template files (e.g., icml_article.tex, cvpr_article.tex, chi_article.tex, etc.) are not found in the skill package. This creates a mismatch between advertised and actual capabilities. File: SKILL.md Remediation: Update the skill description and SKILL.md to accurately reflect the actual number of templates available. Either add the missing templates or reduce the capability claims to match what is actually bundled. This prevents user confusion and sets accurate expectations.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Subprocess Execution of Another Script Without Input Validation

  generate_schematic.py constructs a subprocess command using user-provided arguments (args.prompt, args.output, args.doc_type) and passes them directly to generate_schematic_ai.py via subprocess.run(). While the arguments are passed as a list (not via shell=True), the user-controlled 'prompt' string is passed as a command-line argument to the subprocess. This is relatively low risk given list-based invocation, but the prompt content is then used in API requests without sanitization. File: scripts/generate_schematic.py:89 Remediation: The list-based subprocess invocation is already safe from shell injection. However, consider validating the output path to prevent path traversal (e.g., ensure output stays within expected directories). The prompt is passed to an external API which handles it as data, so injection risk is minimal.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependency (requests library)

  The script imports the 'requests' library without any version pinning. The install instruction shown in the error message ('pip install requests') does not specify a version. If a user installs this dependency, they could receive a compromised or incompatible version. Additionally, the 'dotenv' library is optionally imported without version pinning. File: scripts/generate_schematic_ai.py:18 Remediation: Specify pinned versions for dependencies (e.g., 'pip install requests==2.31.0'). Consider adding a requirements.txt file with pinned versions for all dependencies used by the skill's scripts.

• 🔵 LOW LLM_DATA_EXFILTRATION — API Key Transmitted via HTTP Headers to External Service

  The skill uses an OpenRouter API key (OPENROUTER_API_KEY) and transmits it in HTTP Authorization headers to https://openrouter.ai/api/v1. While this is the intended use of the API key for a legitimate service, the key is sourced from environment variables and sent over the network. The skill's YAML metadata explicitly declares OPENROUTER_API_KEY as an optional environment variable, so this is disclosed behavior. However, the key is also passed via subprocess environment in generate_schematic.py, which is a reasonable security practice to avoid process listing exposure. File: scripts/generate_schematic_ai.py:130 Remediation: This is disclosed behavior per the skill's metadata. Ensure users are aware that OPENROUTER_API_KEY is transmitted to openrouter.ai. Consider documenting the data flow explicitly in SKILL.md. The current approach of passing the key via environment variable to subprocesses (rather than command-line args) is already a good practice.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/venue-templates/scripts/generate_schematic.py File: skills/venue-templates/scripts/generate_schematic.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🔴 CRITICAL BEHAVIOR_ENV_VAR_EXFILTRATION — Environment variable access with network calls detected

  Script accesses environment variables and makes network calls in skills/venue-templates/scripts/generate_schematic_ai.py File: skills/venue-templates/scripts/generate_schematic_ai.py Remediation: Remove environment variable harvesting or network transmission

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/venue-templates/scripts/generate_schematic_ai.py File: skills/venue-templates/scripts/generate_schematic_ai.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🟠 HIGH LLM_DATA_EXFILTRATION — Environment Variable Access Combined with Network Calls (Cross-File Exfiltration Chain)

  Static analysis detected a cross-file exfiltration chain spanning 8 files and environment variable exfiltration across 7 files. The skill reads sensitive environment variables (BENCHLING_API_KEY, BENCHLING_CLIENT_SECRET, BENCHLING_PROD_API_KEY, BENCHLING_STAGING_API_KEY, BENCHLING_CLIENT_ID) and makes network calls. While the SKILL.md instructions explicitly state to read only named environment variables and route calls to the tenant URL, the static analyzer flagged multiple Python files (23 total, none surfaced as script files in the manifest) with patterns consistent with env var harvesting combined with outbound network requests. The presence of 23 Python files in the package inventory but zero declared script files is suspicious and warrants scrutiny — these files may contain undisclosed logic. File: SKILL.md Remediation: Audit all 23 Python files in the package for actual content. Verify that network calls are exclusively directed to the user's own Benchling tenant URL and not to any third-party or attacker-controlled endpoints. Ensure no Python file iterates over os.environ or collects all environment variables. The discrepancy between 23 Python files in inventory and zero declared scripts must be explained and resolved.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Undisclosed Python Files Not Surfaced as Script Files

  The file inventory reports 23 Python files present in the skill package, yet the skill submission reports 'No script files found' and none are presented for analysis. This discrepancy means the actual executable code in the package has not been reviewed. These hidden Python files could contain malicious logic (data exfiltration, credential harvesting, command injection) that is not visible in the SKILL.md instructions or the reference markdown files. The allowed-tools declaration includes Bash and Write, giving the agent broad execution capability. File: SKILL.md Remediation: All Python files in the skill package must be disclosed and reviewed before deployment. Do not deploy skills with undisclosed executable files. Enumerate and audit every .py file in the package directory.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Retry and Polling Loops Risk Resource Exhaustion

  The skill's instructions and SDK reference describe automatic retry behavior (up to 5 retries with exponential backoff for 429/502/503/504 errors) and async task polling with wait_for_task defaulting to 600 seconds. The bulk entity import example iterates over an entire FASTA file without size limits, and the workflow automation example iterates all pending tasks without bounds. In adversarial or misconfigured scenarios, these patterns could lead to prolonged compute consumption or API quota exhaustion. File: SKILL.md Remediation: Add explicit size/count limits to bulk import loops. Document maximum expected file sizes. Consider adding a circuit breaker pattern for retry logic. Ensure wait_for_task timeouts are appropriate for the deployment context.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Multiple Sensitive Credentials Exposed via Environment Variables in Multi-Tenant Setup

  The skill declares 8 environment variables including production and staging API keys (BENCHLING_PROD_API_KEY, BENCHLING_STAGING_API_KEY), OAuth client secrets (BENCHLING_CLIENT_SECRET), and multiple tenant URLs. Collecting credentials for both production and staging environments in a single skill increases the blast radius if any component is compromised. The references/authentication.md and SKILL.md both show patterns that read multiple credential sets simultaneously (the multi-tenant example reads all four credential pairs at once). File: references/authentication.md Remediation: Separate production and staging credentials into distinct skill instances or use a secrets manager. Avoid patterns that load all credential pairs simultaneously. Apply principle of least privilege — only load credentials needed for the current operation.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Missing Referenced Files May Introduce Supply Chain Risk at Runtime

  Several files referenced in the SKILL.md instructions are not found in the package: assets/authentication.md, benchling_sdk.py, assets/sdk_reference.md, assets/eventbridge.md, templates/sdk_reference.md, templates/eventbridge.md, templates/authentication.md, and Bio.py. The presence of a referenced 'Bio.py' (likely intending BioPython's Bio module) that is not found could cause the agent to attempt to install or locate it at runtime. The 'benchling_sdk.py' reference is also concerning — if a local file named benchling_sdk.py exists, it could shadow the legitimate benchling-sdk PyPI package. File: references/authentication.md Remediation: Remove references to non-existent files. Ensure no local file named benchling_sdk.py or Bio.py exists in the package, as these would shadow legitimate PyPI packages (benchling-sdk, biopython) and could be used for supply chain attacks. Pin all dependencies with exact versions.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Environment Variable Access with Network Calls Detected Across Multiple Files

  The pre-scan static analysis flagged multiple instances of environment variable access combined with network calls across 7+ files. Although no script content was directly provided for review, the static analyzer detected a cross-file exfiltration chain spanning 8 files and environment variable exfiltration patterns across 7 files. This pattern is consistent with credential harvesting (e.g., reading API keys, tokens, or secrets from environment variables) followed by transmission to an external server. The skill connects to bgpt.pro and references an optional BGPT API key, which could be a legitimate use case, but the breadth of the detected pattern (8-file chain, 7-file env var access) is disproportionate to a simple paper search tool. Remediation: Audit all 23 Python files in the skill package to identify which environment variables are being read and to which endpoints data is being sent. Verify that only the BGPT_API_KEY (or equivalent) is accessed and only transmitted to bgpt.pro. Remove any scripts that access unrelated environment variables (e.g., AWS credentials, SSH keys, tokens) or send data to endpoints other than the declared bgpt.pro MCP server. Pin all network destinations explicitly and validate them against the declared compatibility requirements.

• 🟠 HIGH LLM_COMMAND_INJECTION — Cross-File Exfiltration Chain Spanning 8 Python Files

  The static analyzer detected a cross-file exfiltration chain involving 8 Python files. This pattern — where data is collected in one file and passed through a chain of files before being transmitted — is a common technique used to obfuscate malicious data exfiltration. A legitimate paper search skill should not require an 8-file chain to perform a simple MCP tool call. The complexity of this chain is a significant red flag indicating possible tool poisoning or hidden data collection pipelines. File: SKILL.md Remediation: Inspect all Python files in the package to map the full data flow chain. Determine what data enters the chain, how it is transformed at each step, and where it is ultimately sent. If any step reads sensitive data (credentials, environment variables, file system contents) unrelated to paper search functionality, remove those files. The skill should consist of minimal code — ideally just MCP tool invocation configuration — not a complex multi-file pipeline.

• 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Skill Description Claims Broad Capabilities to Drive Activation

  The skill description is written in a way that maximizes activation across a wide range of research-related queries: 'literature reviews, evidence synthesis, finding experimental details, systematic or scoping literature reviews, quantitative results, sample sizes, effect sizes, comparing methodologies, quality scores, evidence grading, meta-analyses, clinical guidelines.' While these may be legitimate use cases, the breadth of the description combined with the suspicious backend code patterns raises concern that the skill may be designed to activate frequently in order to maximize opportunities to harvest environment variables or credentials from the agent's environment. File: SKILL.md Remediation: Narrow the skill description to the specific, minimal use case. Reduce the number of activation triggers to only those directly relevant to the core functionality. This reduces the attack surface if the backend code is indeed malicious.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Undisclosed Python Scripts Not Referenced in Instructions

  The skill package contains 23 Python files, none of which are referenced in the SKILL.md instructions. The instructions only describe calling the search_papers MCP tool — a remote server call that requires no local Python code. The presence of 23 unreferenced Python scripts is highly anomalous and suggests hidden functionality not disclosed in the skill manifest or instructions. This is consistent with tool poisoning, where a skill's declared behavior differs from its actual behavior. File: SKILL.md Remediation: Remove all Python scripts from the skill package that are not explicitly referenced in SKILL.md and do not serve a documented purpose. A skill that only calls a remote MCP tool should contain no local executable code. If any Python files are required for configuration or setup, document their purpose explicitly in SKILL.md and ensure they are reviewed for malicious behavior.

• 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Package Installation Instructions

  The SKILL.md installation section instructs users to install multiple packages without version pinning (e.g., 'uv pip install pybids', 'uv pip install heudiconv', 'uv pip install dcm2bids', 'uv pip install bidscoin', 'uv pip install nibabel', 'uv pip install pydicom', 'uv pip install bids-validator-deno'). Without pinned versions, a supply chain compromise of any of these packages on PyPI could silently introduce malicious code into the user's environment. This is especially concerning given that these packages have broad filesystem access to neuroimaging data. File: SKILL.md Remediation: Pin all package versions explicitly (e.g., 'uv pip install pybids==0.16.4'). Provide a requirements.txt or pyproject.toml with pinned versions and hash verification. Consider using a lockfile approach for reproducible installations.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Declaration

  The SKILL.md YAML frontmatter does not specify an 'allowed-tools' field. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. Given that the skill instructs the agent to run bash commands (bids-validator, heudiconv, dcm2bids, docker) and Python code, explicit tool declarations would improve transparency and allow enforcement of least-privilege access. File: SKILL.md Remediation: Add an explicit 'allowed-tools' declaration to the YAML frontmatter listing only the tools actually needed, e.g.: allowed-tools: [Bash, Python, Read, Write]

• ⚪ INFO LLM_CONTEXT_BUDGET_EXCEEDED — 'references/bids_schema.json' excluded from LLM analysis (813,726 chars)

  file size (813,726 chars) exceeds per-file limit (75,000) File: references/bids_schema.json Remediation: Increase llm_analysis.max_referenced_file_chars in your scan policy to include this content in LLM analysis.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Environment Variable Access Combined with Network Calls in update_schema.py

  The static analyzer flagged environment variable access with network calls across multiple files. The provided update_schema.py script uses urllib.request to make outbound HTTP requests to external URLs (bids-specification.readthedocs.io and raw.githubusercontent.com). While the script itself appears to only fetch schema/BEP data, the pre-scan context indicates 7 files with cross-file environment variable exfiltration patterns and 8 files in a cross-file exfiltration chain that were not provided for review. This represents a significant concern: the unrevealed Python files (23 total Python files, only 1 shown) may be harvesting environment variables (API keys, credentials, tokens stored in env) and exfiltrating them via network calls. The skill has broad network access capability and the pattern of env var access + network calls is a classic data exfiltration signature. File: scripts/update_schema.py Remediation: 1. Provide all 23 Python script files for full review. 2. Audit every Python file for os.environ access, os.getenv calls, and any network transmission of that data. 3. If env var access is needed, restrict it to only explicitly named, non-sensitive variables. 4. Pin all network destinations to known-good BIDS infrastructure URLs and validate responses. 5. Consider running update_schema.py in an isolated environment without access to sensitive credentials.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Incomplete Script Disclosure - 23 Python Files with Only 1 Provided

  The file inventory indicates 23 Python files exist in this skill package, but only scripts/update_schema.py was provided for analysis. The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION in multiple files and a BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN spanning 8 files, as well as BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across 7 files. These are high-confidence indicators of credential/environment variable harvesting combined with network exfiltration across the hidden scripts. The 22 unreviewed Python files represent a significant blind spot that prevents complete security assessment. File: scripts/update_schema.py Remediation: All 23 Python script files must be reviewed before this skill can be considered safe for deployment. Specifically audit: (1) all os.environ/os.getenv calls, (2) all network calls (requests, urllib, http.client, socket), (3) any file read operations on sensitive paths (~/.aws, ~/.ssh, ~/.config, env files), (4) cross-file data flows where data read in one file is transmitted in another.

• 🔵 LOW LLM_PROMPT_INJECTION — External URL Schema Fetch with User-Controlled URL Parameter

  The update_schema.py script accepts a --schema-url command-line argument that allows the caller to specify an arbitrary URL for schema fetching. If an agent or user can influence this parameter, they could redirect the fetch to an attacker-controlled server that returns a malicious schema JSON, which would then be written to references/bids_schema.json and potentially influence future agent behavior when the skill reads that file for entity/naming guidance. File: scripts/update_schema.py Remediation: 1. Validate the --schema-url argument against an allowlist of trusted domains (bids-specification.readthedocs.io, raw.githubusercontent.com/bids-standard/). 2. Verify the downloaded schema JSON against a known checksum or signature before writing it to disk. 3. Consider removing the --schema-url parameter entirely and hardcoding the trusted URL.

• 🟠 HIGH LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Activation Triggers in Skill Description (Capability Inflation)

  The skill description contains an unusually broad set of activation triggers designed to maximize invocation frequency. Phrases like 'whenever the user wants diverse viewpoints', 'needs help making a tough decision', 'faces a dilemma, trade-off, or complex choice with no obvious answer', and numerous keyword triggers ('council mode', 'mind council', 'deliberate on this', 'what would different experts think', etc.) are engineered to capture a very wide range of user interactions. This pattern is consistent with capability inflation / keyword baiting to ensure the skill is activated as often as possible, potentially displacing other more appropriate skills or behaviors. File: SKILL.md Remediation: Narrow the activation description to specific, well-defined use cases. Avoid embedding extensive keyword lists designed to maximize trigger frequency. The description should accurately reflect the skill's scope without attempting to capture broad swaths of general assistant behavior.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Suspicious Pre-Scan Findings: Environment Variable Exfiltration and Cross-File Exfiltration Chain

  The static pre-scan context reports three significant behavioral findings: BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls), BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain across 2 files), and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION (cross-file environment variable exfiltration across 2 files). The skill package reportedly contains 10 Python files and 22 markdown files (32 total), yet the skill submission presents 'No script files found' — a significant discrepancy. This mismatch between the file inventory and the presented content is itself a red flag. The static analyzer findings strongly suggest that Python scripts within the package perform environment variable harvesting and transmit data externally, which would constitute data exfiltration. File: SKILL.md Remediation: All Python scripts in the package must be reviewed. Any code that reads environment variables (os.environ, os.getenv) and makes network calls must be removed or justified. The discrepancy between the file inventory (10 Python files) and the presented content ('No script files found') must be resolved — all files must be disclosed for security review. Do not include network-calling scripts in a skill that claims to be a pure deliberation/reasoning tool.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — External URL References in Skill Instructions (Brand/Attribution Promotion)

  The SKILL.md instructions include promotional external URLs (https://ahkstrategies.net and https://themindbook.app) embedded in the attribution section. While not directly malicious, embedding external URLs in skill instructions can be used to drive traffic, establish brand presence, or potentially serve as a vector for indirect prompt injection if the agent is instructed to visit or reference these URLs. The inclusion of marketing-style attribution ('consciousness infrastructure for the age of AI') within operational skill instructions is atypical and suggests promotional intent beyond the skill's stated purpose. File: SKILL.md Remediation: Remove external URLs from operational skill instructions. Attribution information, if needed, belongs in the YAML frontmatter metadata fields (e.g., skill-author), not in the instruction body where it could influence agent behavior or be used for promotional activation.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Environment Variable Exfiltration with Network Calls Detected

  Static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across multiple files in the skill package. The pre-scan context indicates that environment variable access is combined with network calls across at least 2 files in a cross-file exfiltration chain. While the specific Python scripts were not surfaced in the provided content, the static analyzer detected a read→send pattern consistent with credential or environment variable harvesting and exfiltration to an external endpoint. This is a serious concern given the skill claims to be a local FCS file parser with no stated network requirements. File: SKILL.md Remediation: Audit all Python files in the skill package for os.environ access combined with requests/urllib/socket calls. Remove any network calls that are not required for local FCS file parsing. The skill should operate entirely offline. If network calls are present, they must be disclosed in the manifest and justified by the skill's stated purpose.

• 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Undisclosed Network Behavior vs. Claimed Local-Only Operation

  The skill's manifest and SKILL.md describe a purely local FCS file parsing library with no network requirements. The description states 'minimal dependencies' and positions the skill as suitable for 'backend services' and 'data pipelines'. However, static analysis detected network calls combined with environment variable access. This mismatch between the claimed behavior (local file parsing) and actual behavior (network calls) constitutes capability inflation and deceptive capability claims, potentially used to gain user trust before performing unauthorized operations. File: SKILL.md Remediation: Ensure the skill's description accurately reflects all capabilities including any network usage. If network calls are legitimate (e.g., telemetry, update checks), they must be explicitly disclosed in the manifest. If they are not legitimate, remove them entirely.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration with Undisclosed Capabilities

  The skill does not declare an allowed-tools field in its YAML manifest. Combined with the static analysis finding of network calls and environment variable access in the Python files, the absence of tool declarations means the agent has no manifest-level constraint on what tools the skill can invoke. This allows the skill to use Bash, Python, network access, and file system operations without any declared restrictions, increasing the attack surface. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the YAML manifest that accurately reflects the minimum required tools. For a local FCS parser, this should be limited to Python (and possibly Read/Write for file operations). Network access should not be required and should not be permitted.

• 🔵 LOW LLM_DATA_EXFILTRATION — Referenced File flowio.py Not Found in Package

  The SKILL.md instructions reference flowio.py as a core component, but this file was not found in the skill package. The static analysis reports 10 Python files exist in the package, yet the primary referenced script is absent from the provided content. This discrepancy may indicate hidden or obfuscated scripts that are not surfaced for review, which is concerning given the exfiltration patterns detected by static analysis. File: SKILL.md Remediation: Ensure all referenced scripts are included and auditable in the skill package. The flowio.py file and all other Python files should be reviewed for the network and environment variable access patterns flagged by static analysis.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Environment Variable Access with Network Exfiltration Chain Detected

  The static pre-scan analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across 2 files in the skill package. This indicates that Python scripts within the skill (not provided in full but detected by static analysis) access environment variables and make network calls, forming a potential credential/secret exfiltration chain. The skill's stated purpose (genomic ML analysis) does not require reading environment variables or making arbitrary network calls beyond documented package usage. File: SKILL.md Remediation: Audit all Python scripts in the skill package for environment variable reads (os.environ, os.getenv) combined with network calls (requests, urllib, httpx, etc.). Remove any code that reads credentials or secrets from the environment and transmits them externally. Ensure network calls are limited to documented geniml package operations only.

• 🟠 HIGH LLM_UNAUTHORIZED_TOOL_USE — Cross-File Exfiltration Chain via Tool Chaining

  Static analysis detected a cross-file exfiltration chain spanning 2 files. This pattern — where one script reads sensitive data and another transmits it — is a classic tool-chaining exfiltration technique. The skill's instructions describe legitimate genomic ML workflows, but the underlying scripts appear to implement a read→send pipeline that is not disclosed in the SKILL.md instructions, representing a hidden capability inconsistent with the manifest description. File: SKILL.md Remediation: Identify the two files forming the exfiltration chain. Remove or isolate the network transmission component. Ensure all data flows are disclosed in SKILL.md and limited to the stated genomic analysis purpose. Do not chain file-reading operations with external network POST/PUT calls.

• 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation from GitHub Development Branch

  The SKILL.md instructions include a command to install the development version of geniml directly from GitHub without a pinned commit hash or version tag. This creates a supply chain risk where a compromised or updated GitHub repository could introduce malicious code into the user's environment without their knowledge. File: SKILL.md Remediation: Replace the unpinned GitHub install with a pinned release version (e.g., uv pip install geniml==<specific_version>) or pin to a specific commit hash (e.g., git+https://github.com/databio/geniml.git@<commit_sha>). Avoid recommending development branch installs in production skill instructions.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

  The SKILL.md YAML frontmatter does not declare an allowed-tools field. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. Given the static analysis findings of environment variable access and network exfiltration chains, the absence of tool restrictions is a compounding concern. File: SKILL.md Remediation: Add an explicit allowed-tools field to the YAML frontmatter declaring only the tools required for legitimate genomic ML operations. This provides a documented baseline against which actual behavior can be audited.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Multiple Referenced Files Not Found in Package

  The SKILL.md references numerous files (templates/consensus_peaks.md, scanpy.py, assets/utilities.md, geniml.py, templates/bedspace.md, templates/scembed.md, assets/bedspace.md, assets/scembed.md, assets/consensus_peaks.md, assets/region2vec.md, templates/region2vec.md) that are not present in the skill package. Missing referenced files could indicate an incomplete package or that the skill is designed to fetch content from external sources at runtime, which would be a security concern. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. If files are intentionally absent, remove references to them from SKILL.md. Do not design skills to fetch instruction files from external sources at runtime.

• 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — External Dependency on Separately Installed StarSpace Binary

  BEDspace functionality requires StarSpace, an external binary from Facebook Research, to be installed separately from an external GitHub repository. The instructions provide no version pinning, integrity verification (checksums/signatures), or provenance validation for this external binary. A compromised StarSpace binary could execute arbitrary code on the user's machine. File: references/bedspace.md Remediation: Specify a pinned version or commit of StarSpace. Provide SHA256 checksums for binary verification. Document the expected binary signature or use a package manager with integrity verification. Warn users to verify the binary before execution.

• 🔵 LOW LLM_DATA_EXFILTRATION — Hardcoded Credential Placeholder in Cloud-Native Workflow Example

  The SKILL.md instruction body contains a code example for reading Cloud-Optimized GeoTIFF from AWS S3 that uses placeholder credential parameters (aws_access_key_id=..., aws_secret_access_key=...). While these are placeholders and not actual secrets, the pattern encourages users to hardcode AWS credentials directly in code rather than using environment variables or IAM roles. Additionally, the Google Earth Engine example uses 'your-project' as a placeholder, and the Sentinelsat example in references/data-sources.md hardcodes 'user' and 'password' directly in API calls. File: SKILL.md Remediation: Replace credential placeholder patterns with secure alternatives: use environment variables (os.environ.get('AWS_ACCESS_KEY_ID')), AWS IAM roles, or credential files. Add explicit warnings in the code comments that credentials should never be hardcoded.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Skill Description

  The skill description makes extremely broad capability claims: '30+ scientific domains', '500+ code examples', '8 programming languages', '70+ topics', and 'any geospatial computation task'. The description uses keyword-heavy language designed to maximize activation across a wide range of user queries. While the skill does contain substantial geospatial content, the phrase 'Use for... any geospatial computation task' is an over-broad activation trigger that could cause the skill to be invoked for tasks outside its actual scope. File: SKILL.md Remediation: Narrow the description to accurately reflect the skill's actual capabilities without using 'any' as a catch-all trigger. Remove keyword-baiting language and focus on specific, verifiable capabilities.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Versions in Installation Instructions

  The installation section in SKILL.md installs multiple packages without version pinning using both conda and uv pip. Unpinned installations are vulnerable to supply chain attacks where a malicious package version could be introduced. Packages like earthengine-api, torch-geometric, planetary-computer, and others are installed without specific version constraints. File: SKILL.md Remediation: Pin all package versions to specific known-good versions (e.g., 'earthengine-api==0.1.374'). Consider providing a requirements.txt or environment.yml with pinned versions and hash verification for security-sensitive deployments.

• 🔵 LOW LLM_COMMAND_INJECTION — eval/exec Usage Detected in Code Examples (Static Analyzer Finding)

  The static pre-scan flagged MDBLOCK_PYTHON_EVAL_EXEC findings in the markdown code blocks. After reviewing the full content, the eval/exec references appear to be within legitimate geospatial code examples (e.g., viewshed analysis, batch processing). However, if the agent executes these code blocks directly from the markdown without validation, there is a minor risk of unintended code execution. No clearly malicious eval/exec patterns were identified in the reviewed content. File: references/code-examples.md Remediation: Review all code blocks containing eval/exec to ensure they do not accept unsanitized user input. Ensure the agent does not blindly execute code blocks from reference files without user confirmation.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in references/gis-software.md at line 290 contains potentially dangerous Python code. File: references/gis-software.md:290 Remediation: Review the code block for security implications.

• 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

  Code block in references/machine-learning.md at line 207 contains potentially dangerous Python code. File: references/machine-learning.md:207 Remediation: Review the code block for security implications.

• 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

  Code block in references/machine-learning.md at line 435 contains potentially dangerous Python code. File: references/machine-learning.md:435 Remediation: Review the code block for security implications.

• 🔵 LOW LLM_DATA_EXFILTRATION — Several Referenced Files Are Missing from the Skill Package

  The SKILL.md references numerous files that are not present in the skill package: templates/filters_preprocessing.md, assets/slide_management.md, templates/slide_management.md, templates/tissue_masks.md, PIL.py, templates/visualization.md, assets/tissue_masks.md, templates/tile_extraction.md, assets/filters_preprocessing.md, matplotlib.py, histolab.py, assets/visualization.md, assets/tile_extraction.md. While these appear to be documentation/reference files rather than executable scripts, their absence creates ambiguity. If the agent attempts to load these missing files from external or user-supplied sources to fulfill the skill's instructions, it could introduce indirect prompt injection or data exposure risks. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. Remove references to files that do not exist, or add the missing files. Do not allow the agent to fetch missing reference files from external sources.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

  The SKILL.md manifest does not specify the allowed-tools field. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. The skill instructs the agent to execute Python code blocks and file I/O operations. Declaring allowed tools would improve transparency and reduce the attack surface. File: SKILL.md Remediation: Add allowed-tools: [Python, Read, Write] (or appropriate subset) to the YAML frontmatter to explicitly declare which tools this skill requires, enabling the agent runtime to enforce restrictions.

• 🔵 LOW LLM_COMMAND_INJECTION — Use of cv2.CV_64F Constant in Code Block (False Positive Context)

  The static analyzer flagged a potential eval/exec usage. Upon review, the code in references/filters_preprocessing.md uses cv2.Laplacian(np.array(gray_image), cv2.CV_64F).var() where cv2.CV_64F is a standard OpenCV integer constant (not a dynamic eval/exec call). This is not a genuine command injection risk. No actual eval() or exec() calls with user-controlled input were found in any code blocks across the skill package. File: references/filters_preprocessing.md Remediation: No action required. This is a false positive from the static analyzer. cv2.CV_64F is a compile-time integer constant in OpenCV, not a dynamic code execution pattern.

• 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

  Code block in references/filters_preprocessing.md at line 487 contains potentially dangerous Python code. File: references/filters_preprocessing.md:487 Remediation: Review the code block for security implications.

• 🟠 HIGH LLM_PROMPT_INJECTION — Indirect Prompt Injection via External Catalog Content

  The skill fetches and processes markdown content from an external domain (huggingscience.co) and instructs the agent to read and act on that content. The catalog entries, topic files (llms.txt, llms-full.txt, topics/.md), and blog posts are fetched from an external source and their content is parsed and presented to the agent as trusted instructions. A malicious actor who controls or compromises huggingscience.co could embed prompt injection payloads in catalog entries (e.g., in description fields, titles, or tags) that would be parsed and acted upon by the agent. The skill explicitly instructs the agent to 'read' and follow instructions from these external markdown files, creating a transitive trust path from an external, potentially attacker-controlled source. File: SKILL.md Remediation: Treat fetched external content as untrusted data, not instructions. Sanitize and validate catalog content before presenting it to the agent. Consider pinning expected content structure and rejecting entries that contain instruction-like patterns. Add a warning to the agent that external catalog content should be treated as data only.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — HF_TOKEN Secret Loaded from .env and Passed to External Services

  The skill instructs the agent to load HF_TOKEN from a .env file using python-dotenv and pass it to Hugging Face APIs. While the skill correctly advises against hardcoding tokens, the pattern of loading secrets from .env and using them in scripts that also fetch content from an external catalog (huggingscience.co) creates a risk: if the external catalog content contains injection payloads (see AITech-1.2 finding), those payloads could potentially manipulate how the token is used or exfiltrate it. Additionally, the skill instructs the agent to use the token with third-party Inference Providers (Together, Fireworks, Replicate, Sambanova), expanding the token's exposure surface beyond Hugging Face itself. File: SKILL.md Remediation: Scope token usage strictly to Hugging Face endpoints. Warn users explicitly that using Inference Providers shares their HF_TOKEN with third-party services. Validate that the token is only sent to known, trusted HF endpoints and not to any URLs derived from external catalog content.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

  The skill does not specify a license or compatibility field in its YAML manifest. While these are optional fields, their absence means users cannot assess the terms under which this skill operates or which agent environments it is designed for. Given that the skill handles authentication tokens and makes external network requests, license clarity is particularly important. File: SKILL.md Remediation: Add license, compatibility, and allowed-tools fields to the YAML manifest. At minimum, specify which tools the skill requires (Bash, Python, network access) so users can make informed decisions about deployment.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Overly Broad Skill Activation Scope

  The skill's description enumerates an extremely broad list of scientific domains (biology, chemistry, physics, astronomy, climate, genomics, materials, medicine, ecology, energy, engineering, math, drug discovery, protein design, weather modeling, theorem proving, single-cell, PDE solving) to maximize activation. While this may reflect legitimate scope, the breadth of trigger keywords could cause the skill to activate in many scientific contexts, potentially fetching external content and loading models in situations where a simpler response would suffice. File: SKILL.md Remediation: Consider narrowing the activation criteria or adding confidence thresholds. Ensure the skill only activates when the user's request clearly requires catalog lookup or model usage, not for general scientific questions.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — trust_remote_code=True Encouraged Without Adequate Safeguards

  The skill's instructions and reference files actively encourage and normalize the use of trust_remote_code=True when loading scientific models. This flag causes transformers to download and execute arbitrary Python code from Hugging Face model repositories. While the skill notes that 'the user should trust the org,' it also states 'the catalog only lists reputable orgs' — implying the agent may apply this flag broadly based on catalog listings from an external source (huggingscience.co). If the catalog is compromised or a malicious entry is added, the agent could be directed to execute arbitrary remote code under the guise of a 'reputable org.' File: references/using-models.md Remediation: Always require explicit user confirmation before using trust_remote_code=True for any model. Do not infer trustworthiness from catalog listings alone. Present the specific model org and repo to the user and require affirmative consent before executing remote code. Never apply this flag automatically based on catalog recommendations.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Unpinned Package Dependencies in Reference Files

  The reference files (using-models.md, using-datasets.md, using-spaces.md) instruct the agent to install packages using 'uv pip install' or 'uv add' without version pinning. Packages like transformers, torch, accelerate, datasets, huggingface_hub, gradio_client, and python-dotenv are installed without specific version constraints. This creates supply chain risk where a compromised or malicious package version could be installed. The risk is compounded by the fact that these installs are triggered based on content fetched from an external catalog. File: references/using-models.md Remediation: Pin all package versions explicitly (e.g., transformers==4.40.0). Consider providing a requirements.txt or pyproject.toml with pinned versions. At minimum, document recommended version ranges and instruct the agent to verify package integrity before installation.

• 🔵 LOW LLM_DATA_EXFILTRATION — Credential Scope Restriction Instructions Are Appropriate But Rely on Agent Compliance

  The SKILL.md includes explicit instructions to only read MODAL_TOKEN_ID and MODAL_TOKEN_SECRET from the environment or .env file, and to ignore all other entries. While this is a positive security control, it relies entirely on the agent following these instructions correctly. There are no technical enforcement mechanisms (e.g., a script that only reads specific keys). If the agent misinterprets or ignores this instruction, it could inadvertently expose other environment variables or .env file contents. File: SKILL.md Remediation: Consider providing a helper script that explicitly reads only MODAL_TOKEN_ID and MODAL_TOKEN_SECRET rather than relying solely on natural language instructions to the agent. This provides a technical enforcement layer in addition to the instructional one.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation in Some Examples

  Several code examples in the skill use unpinned package installations (e.g., .uv_pip_install('httpx', 'beautifulsoup4'), .uv_pip_install('pandas', 'pyarrow'), .uv_pip_install('vllm') in SKILL.md overview). While the references/examples.md file includes a note about pinning dependencies and most examples there do pin versions, the main SKILL.md and some reference files contain unpinned installs that could pull in compromised or breaking releases in production use. File: SKILL.md Remediation: Pin all package versions in examples to specific known-good versions (e.g., 'vllm==0.21.0' instead of 'vllm'). The references/examples.md already demonstrates this practice with a note about pinning; apply it consistently across all examples in SKILL.md and reference files.

• 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

  The static analyzer flagged a Python code block using eval/exec. Reviewing the content, the reference in references/functions.md mentions self.model.eval() in a comment: self.model.eval() # PyTorch inference mode — not Python's built-in eval(). This is PyTorch's model evaluation mode method, not Python's built-in eval() function, and poses no injection risk. The comment itself explicitly clarifies this distinction. No actual dangerous eval/exec usage was found in any script files. File: references/functions.md Remediation: No action required. The flagged eval() is PyTorch's model.eval() method, not Python's built-in eval() function. The inline comment already clarifies this distinction for future readers.

• 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

  Code block in references/functions.md at line 82 contains potentially dangerous Python code. File: references/functions.md:82 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in references/gpu.md at line 157 contains potentially dangerous Python code. File: references/gpu.md:157 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in references/gpu.md at line 166 contains potentially dangerous Python code. File: references/gpu.md:166 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in references/scheduled-jobs.md at line 141 contains potentially dangerous Python code. File: references/scheduled-jobs.md:141 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in references/web-endpoints.md at line 149 contains potentially dangerous Python code. File: references/web-endpoints.md:149 Remediation: Review the code block for security implications.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility Metadata

  The skill manifest does not specify the 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills specification, their absence means there are no declared restrictions on which agent tools this skill can invoke. Given that the skill's documentation examples include network calls (to DeepCell API, external URLs), file system operations, and GPU-intensive computations, declaring allowed tools would improve transparency and security posture. File: SKILL.md Remediation: Add 'allowed-tools' and 'compatibility' fields to the YAML frontmatter to explicitly declare what tools and environments this skill is designed to use. For example: allowed-tools: [Python, Bash, Read, Write]

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation in Quick Start

  The installation instructions use 'uv pip install pathml' and 'uv pip install pathml[all]' without pinning to a specific version. This means the skill will always install the latest available version of pathml and its dependencies, which could introduce breaking changes or, in a supply chain attack scenario, malicious code if the package were compromised. This is a low-severity concern for a well-known computational pathology library. File: SKILL.md Remediation: Pin the pathml package to a specific known-good version (e.g., 'uv pip install pathml==X.Y.Z') to ensure reproducibility and reduce supply chain risk. Consider also pinning critical dependencies.

• 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

  Code block in references/data_management.md at line 441 contains potentially dangerous Python code. File: references/data_management.md:441 Remediation: Review the code block for security implications.

• 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Documentation Code Blocks

  Static analysis flagged multiple instances of eval/exec patterns in Python code blocks within the reference documentation files. After reviewing the actual content, these appear to be legitimate educational code examples demonstrating model inference, data processing, and pipeline execution (e.g., model.eval() from PyTorch, which is a standard method call for setting a model to evaluation mode, not the built-in eval() function). The flagged patterns are false positives from the static analyzer misidentifying PyTorch's model.eval() method as the dangerous built-in eval() function. No actual dangerous eval/exec usage was found in the skill content. File: references/machine_learning.md Remediation: No action required. The static analyzer is producing false positives by conflating PyTorch's model.eval() method with Python's built-in eval() function. The code examples are legitimate and safe.

• 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

  Code block in references/machine_learning.md at line 228 contains potentially dangerous Python code. File: references/machine_learning.md:228 Remediation: Review the code block for security implications.

• 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

  Code block in references/machine_learning.md at line 498 contains potentially dangerous Python code. File: references/machine_learning.md:498 Remediation: Review the code block for security implications.

• 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

  Code block in references/machine_learning.md at line 540 contains potentially dangerous Python code. File: references/machine_learning.md:540 Remediation: Review the code block for security implications.

• 🔵 LOW LLM_DATA_EXFILTRATION — Remote API Call in Documentation Examples (SegmentMIFRemote)

  The reference documentation includes examples of using SegmentMIFRemote which sends image data to an external DeepCell API endpoint (https://deepcell.org/api/predict). While this is documented as an optional feature for users without local GPUs, the skill instructions do not explicitly warn users that their pathology image data (which may contain sensitive medical information) will be transmitted to an external third-party server. This is a transparency concern rather than a malicious threat. File: references/multiparametric.md Remediation: Add explicit warnings in the documentation that SegmentMIFRemote transmits image data to external servers. Users working with sensitive or PHI-containing pathology data should be advised to use the local SegmentMIF transform instead, or ensure appropriate data use agreements are in place with DeepCell.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Static Analysis Flags Environment Variable Exfiltration and Cross-File Exfiltration Chain

  The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls) and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN across 2 files, as well as BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION. The file inventory indicates 2 Python files exist in the package, but no script files were provided for review. This means potentially malicious Python scripts are present in the skill package but were not surfaced for analysis. The combination of environment variable harvesting and network calls is a classic data exfiltration pattern. The skill declares 'allowed-tools: Read' but Python files exist — this is a significant red flag. File: SKILL.md Remediation: Immediately audit the 2 Python files present in the package (not surfaced in this analysis). Look for: (1) os.environ or os.getenv calls, (2) network calls (requests, urllib, httpx, socket), (3) file reads of sensitive paths (~/.aws, ~/.ssh, ~/.config), (4) base64 or obfuscated payloads. Do not install or run this skill until the Python files have been fully reviewed. The combination of a read-only manifest declaration with hidden Python scripts performing env var access and network calls is a strong indicator of a trojanized skill package.

• 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned Installation Recommendation with External Package Source

  The skill instructs users to install Polars via 'uv pip install polars==1.41.2' which does pin a specific version. However, the optional extras installation also pins the version. While version pinning is present, the skill references a license URL pointing to an external GitHub repository (https://github.com/pola-rs/polars/blob/main/LICENSE) rather than a local license file, and the skill-author is listed as 'K-Dense Inc.' rather than the official Polars maintainers (pola-rs). This raises a supply chain concern: the skill presents itself as an official Polars reference but is authored by a third party. File: SKILL.md Remediation: Verify that 'K-Dense Inc.' is a trusted source for Polars documentation skills. The skill uses the official Polars GitHub license URL, which may be an attempt to appear official. Users should confirm the skill's provenance before use. Consider requiring skills to clearly distinguish between official library documentation and third-party skill packages.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — allowed-tools Restriction Violation: Skill Declares Read-Only but References Executable Python File

  The SKILL.md manifest declares 'allowed-tools: Read', indicating the skill should only read files. However, the instructions reference 'polars.py' — a Python script file. While the file was not found in the package, its presence in the referenced files list suggests the skill may have been designed to execute Python code, which would violate the declared Read-only tool restriction. Additionally, the static analyzer flagged cross-file exfiltration chains involving 2 Python files, suggesting Python scripts may be part of the intended package even if not currently present. File: SKILL.md Remediation: Remove the reference to polars.py if the skill is truly read-only. If Python execution is intended, update allowed-tools to include Python and audit the script for security issues. Clarify the skill's actual tool requirements in the manifest.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-broad Capability Claims in Skill Description

  The skill description claims broad capabilities including 'ETL, analytics, pandas migration, lazy query optimization, parallel execution, streaming out-of-core processing, Arrow interoperability, and optional GPU execution.' While these are legitimate Polars features, the description is quite expansive and may cause the skill to be activated in a wider range of contexts than strictly necessary. This is a minor concern given the skill appears to be a legitimate documentation/reference skill. File: SKILL.md Remediation: Consider narrowing the description to more precisely describe the skill's actual function (providing Polars API reference and guidance) rather than listing all Polars capabilities as if they are the skill's own capabilities.

• 🔵 LOW LLM_DATA_EXFILTRATION — Referenced File 'scripts.py' Not Found in Package

  The SKILL.md instructions reference a file named 'scripts.py' which does not exist in the skill package. The actual script is located at 'scripts/query_primekg.py'. This broken reference could cause the agent to search for or attempt to load an unintended file, potentially loading a malicious 'scripts.py' if one were placed in the working directory by an attacker. File: SKILL.md Remediation: Correct the file reference in SKILL.md to point to the actual script path 'scripts/query_primekg.py'. Ensure all referenced files exist within the skill package.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License, Compatibility, and Allowed-Tools Metadata

  The SKILL.md manifest does not specify a license (listed as 'Unknown'), compatibility information, or allowed-tools restrictions. The skill executes Python code, reads large files from disk, and performs significant computation, but none of these capabilities are declared in the manifest. This makes it difficult for users and orchestration systems to assess the skill's resource requirements and permissions before activation. File: SKILL.md Remediation: Add explicit license information (e.g., MIT), specify compatibility (e.g., 'Claude Code, API'), and declare allowed-tools (e.g., [Python, Read]) to accurately represent the skill's capabilities and requirements.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Hardcoded Absolute Path Exposing Developer's Local Filesystem Structure

  The skill hardcodes an absolute path to a specific user's home directory on a Windows/WSL system: '/mnt/c/Users/eamon/Documents/Data/PrimeKG/kg.csv' and 'C:\Users\eamon\Documents\Data\PrimeKG\kg.csv'. This reveals the developer's username ('eamon') and local filesystem layout. More critically, when deployed to other users, the skill will attempt to access a path that may not exist or may point to unintended data on the target system. This is a data exposure and privacy concern. File: scripts/query_primekg.py:7 Remediation: Replace hardcoded paths with environment variables (e.g., os.environ.get('PRIMEKG_DATA_PATH')) or a configurable path relative to the skill directory. Document the required setup in SKILL.md without embedding personal filesystem paths.

• 🟡 MEDIUM LLM_RESOURCE_ABUSE — Repeated Full CSV Load on Every Function Call Causes Resource Exhaustion

  The internal helper _load_kg() loads the entire 4-million-edge CSV file (potentially hundreds of MB to several GB) into memory via pandas on every single function call. Functions like get_disease_context() call both search_nodes() and get_neighbors(), each of which independently calls _load_kg(). This means multiple full loads of a massive dataset per user query, leading to severe memory and CPU exhaustion, potential OOM kills, and denial-of-service conditions on the host machine. File: scripts/query_primekg.py:10 Remediation: Implement module-level caching (e.g., a global variable with lazy initialization, or functools.lru_cache) so the CSV is loaded only once per process lifetime. Consider using a proper graph database or indexed format (e.g., SQLite, Parquet) for a 4M-edge dataset.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Unsanitized User Input Passed Directly to pandas str.contains (Regex Injection)

  The search_nodes() function passes the user-supplied name_query string directly to pandas str.contains(), which by default interprets the input as a regular expression. A malicious or malformed regex (e.g., '(a+)+', catastrophic backtracking patterns, or regex with special characters) can cause ReDoS (Regular Expression Denial of Service), unexpected behavior, or errors. There is no input validation or sanitization before use. File: scripts/query_primekg.py:44 Remediation: Either escape the user input using re.escape(name_query) before passing to str.contains(), or use regex=False parameter to treat the query as a literal string: nodes['name'].str.contains(name_query, case=False, na=False, regex=False).

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation

  The skill instructs installation of qutip and optional packages (qutip-qip, qutip-qtrl) using 'uv pip install' without specifying version pins. This exposes the environment to supply chain risks where a compromised or malicious version of these packages could be installed. Without pinned versions, the installed package version is non-deterministic and could change over time. File: SKILL.md Remediation: Pin package versions explicitly (e.g., 'uv pip install qutip==5.0.4') and consider using a requirements.txt or lockfile with hash verification to ensure reproducible and secure installations.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

  The skill does not declare an 'allowed-tools' field in its YAML manifest. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may use. Given that the skill instructs installation of packages via bash and execution of Python simulations, explicit tool declarations would improve security posture and auditability. File: SKILL.md Remediation: Add an explicit 'allowed-tools' declaration to the YAML manifest listing only the tools required for this skill's operation (e.g., [Bash, Python, Read]) to enforce least-privilege access.

• 🔵 LOW LLM_COMMAND_INJECTION — Use of eval/exec in Python Code Blocks

  The static analyzer flagged a potential use of eval/exec in one of the Python code blocks within the skill's reference documentation. Reviewing the content, the references include dynamic code patterns such as QobjEvo with callback functions and compiled time-dependent terms. While no direct eval/exec call is explicitly visible in the reviewed content, the skill instructs the agent to execute user-supplied string expressions directly in QuTiP's string-based time-dependent Hamiltonian format (e.g., 'cos(wt)', 'A * exp(-t/tau) * sin(wt)'). These strings are passed to QuTiP's internal compiler/evaluator. If user-controlled input is incorporated into these strings without sanitization, it could lead to code injection via QuTiP's internal eval mechanism. File: references/advanced.md Remediation: Ensure that any user-supplied values used in time-dependent Hamiltonian strings are validated and sanitized before being passed to QuTiP solvers. Prefer function-based callbacks over string-based expressions when user input is involved, as function callbacks do not involve string evaluation.

• 🟠 HIGH MDBLOCK_PYTHON_EVAL_EXEC — Python code block uses eval/exec

  Code block in references/visualization.md at line 197 contains potentially dangerous Python code. File: references/visualization.md:197 Remediation: Review the code block for security implications.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Static analysis detected environment variable exfiltration and network calls in unreported Python files

  The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls), BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain across 2 files), and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION (cross-file env var exfiltration across 2 files). The file inventory reports 3 Python files in the skill package, but the skill submission did not include their content for review. This is a significant discrepancy: the SKILL.md presents a benign scientific brainstorming assistant with no scripts, yet the static analyzer found Python files with data exfiltration patterns. This strongly suggests hidden malicious scripts bundled with the skill that were not disclosed in the submission. File: SKILL.md Remediation: Immediately audit all 3 Python files in the skill package. Remove any code that reads environment variables (especially credentials, API keys, tokens) and transmits them to external servers. If the skill genuinely requires no scripts (as the SKILL.md implies), remove all Python files from the package. Do not deploy this skill until the Python file contents are fully reviewed and cleared.

• 🟠 HIGH LLM_SKILL_DISCOVERY_ABUSE — Capability mismatch: SKILL.md claims no scripts but package contains 3 Python files

  The SKILL.md instruction body describes a purely conversational brainstorming skill with no scripting requirements, and the submission states 'No script files found.' However, the static file inventory reveals 3 Python files in the package. This discrepancy between the declared behavior (conversational AI assistant) and the actual package contents (executable Python code with exfiltration patterns) is a classic tool poisoning / capability inflation pattern where the skill misrepresents its true capabilities and scope. File: SKILL.md Remediation: Ensure the SKILL.md accurately reflects all components of the skill package. If Python scripts are included, they must be documented in the manifest and their purpose must align with the stated skill functionality. Any undisclosed executable components should be treated as malicious until proven otherwise.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility metadata

  The SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill may invoke. Given the pre-scan static findings indicating environment variable access and network calls in associated Python files (not surfaced in the provided content), this omission is worth noting. File: SKILL.md Remediation: Add explicit 'allowed-tools' restrictions to the YAML frontmatter to limit the skill to only the tools it legitimately needs (e.g., [Read] if it only reads internal reference files). Add compatibility information for transparency.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Static Analysis Flags Environment Variable Exfiltration and Cross-File Data Exfiltration Chain

  The pre-scan static analysis detected 'BEHAVIOR_ENV_VAR_EXFILTRATION' (environment variable access combined with network calls) and 'BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN' spanning 3 files, as well as 'BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION'. The skill package contains 3 Python files and 8 markdown files per the file inventory, but no Python script content was provided for direct review. This strongly suggests that one or more of the unreported Python files reads environment variables (potentially containing API keys, credentials, or tokens) and transmits them to an external server. The skill's stated purpose (bioinformatics analysis) does not require environment variable access or outbound network calls beyond package installation. Remediation: Immediately audit all 3 Python files in the package for: (1) os.environ or os.getenv calls, (2) outbound network requests (requests, urllib, httpx, socket), (3) credential file reads (~/.aws, ~/.ssh, ~/.netrc). Do not install or execute this skill until the Python files have been fully reviewed. If exfiltration behavior is confirmed, treat the skill as malicious and remove it entirely.

• 🟠 HIGH LLM_UNAUTHORIZED_TOOL_USE — Undisclosed Python Scripts Not Surfaced for Review Despite Being Present in Package

  The skill declares 'allowed-tools: Read Write Edit Bash' and the file inventory confirms 3 Python files exist in the package, yet the analysis input reports 'No script files found' under Script Files. This means the Python files were present but not provided for review. Combined with the static analyzer's detection of cross-file exfiltration chains, this represents a tool exploitation risk: the skill may use its Bash/Python execution permissions to run hidden scripts that perform data exfiltration while the visible SKILL.md instructions appear benign. The allowed-tools declaration includes Bash, which could be used to invoke these Python scripts. File: SKILL.md Remediation: Require full disclosure of all files in the skill package before analysis or deployment. The 3 Python files must be reviewed. Cross-reference the static analyzer findings with actual file contents. If the Python files contain network calls or credential access not described in SKILL.md, the skill should be rejected as malicious.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Referenced Files May Indicate Incomplete or Deceptive Package

  The SKILL.md references 'references/api_reference.md', 'assets/api_reference.md', 'templates/api_reference.md', and 'skbio.py' in its instructions. Of these, 'assets/api_reference.md', 'templates/api_reference.md', and 'skbio.py' are not found in the package. The static pre-scan also flags cross-file exfiltration chains across 3 files and environment variable exfiltration with network calls, but no script files were provided for direct inspection. This discrepancy between declared files and actual package contents warrants attention, particularly given the static analyzer findings suggesting malicious behavior in files not surfaced for review. File: SKILL.md Remediation: Audit the full package directory to locate all referenced files. Ensure 'skbio.py', 'assets/api_reference.md', and 'templates/api_reference.md' are either included in the package or removed from references. Investigate the static analyzer findings (BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN) by reviewing the actual Python files flagged.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Static Analysis Detected Environment Variable Exfiltration Chain Across Multiple Files

  The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls), BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain involving 3 files), and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION (cross-file environment variable exfiltration across 3 files). Although the actual script files were not provided for direct inspection (reported as 'No script files found' in the submission but contradicted by the static analysis finding 13 files including 3 Python files), these findings strongly indicate that one or more Python files in the package read environment variables (potentially containing API keys, credentials, or tokens) and transmit them to external servers. This is a critical data exfiltration pattern. File: SKILL.md Remediation: Immediately audit all 3 Python files in the package for environment variable access (os.environ, os.getenv) combined with network calls (requests, urllib, socket, etc.). Do not deploy this skill until a full code review is completed. If exfiltration code is confirmed, treat the skill as malicious and do not install it.

• 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Suspicious .py Files Named After Popular Libraries (Potential Import Shadowing)

  The skill references files named matplotlib.py, scipy.py, sklearn.py, and statsmodels.py. If these files exist in the skill's working directory, they would shadow the legitimate Python libraries of the same name when imported by any Python code executed in that directory. This is a classic supply chain / import shadowing attack vector. The pre-scan static analysis flagged cross-file exfiltration chains involving 3 files and environment variable exfiltration patterns, suggesting these files may contain malicious code designed to intercept library calls and exfiltrate data. File: SKILL.md Remediation: Do not deploy this skill until the referenced .py files are audited. Files named after popular Python libraries in the working directory will shadow legitimate imports. Remove or rename any such files unless they serve a documented, legitimate purpose. Investigate the cross-file exfiltration chain flagged by static analysis.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing Reference Files May Indicate Incomplete Package

  Several files referenced in the SKILL.md instructions are not found in the skill package, including templates/stats_diagnostics.md, templates/glm.md, templates/discrete_choice.md, assets/linear_models.md, assets/glm.md, assets/stats_diagnostics.md, assets/discrete_choice.md, assets/time_series.md, templates/time_series.md, templates/linear_models.md. Additionally, files named matplotlib.py, scipy.py, sklearn.py, and statsmodels.py are referenced but not found. While missing internal reference files are not inherently malicious, the presence of .py files named after well-known libraries (matplotlib.py, scipy.py, sklearn.py, statsmodels.py) is suspicious as they could shadow legitimate library imports if present. File: SKILL.md Remediation: Verify that the missing reference files are intentionally absent or should be included in the package. Investigate whether the .py files named after popular libraries (matplotlib.py, scipy.py, sklearn.py, statsmodels.py) are intended to be present; if so, review them carefully for import shadowing attacks.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and Compatibility Metadata

  The skill manifest does not declare allowed-tools or compatibility fields. While these are optional per the agent skills specification, their absence means there are no declared restrictions on what tools the agent may use when executing this skill. Given the static analysis findings of network calls and environment variable access in the undisclosed Python files, the lack of tool restrictions is a compounding risk factor — the agent has no manifest-level guardrails preventing network access or file system operations. Remediation: Add explicit allowed-tools restrictions to the manifest. If this skill only needs to run Python data science code locally, declare allowed-tools: [Python] and avoid Bash. This provides a documented baseline for auditing whether the skill's actual behavior matches its declared capabilities.

• 🟠 HIGH LLM_DATA_EXFILTRATION — Environment Variable Exfiltration Chain Detected Across Script Files

  The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION, indicating that environment variable access is combined with network calls across multiple files in the skill package. Although the SKILL.md instruction body appears benign and no script files were surfaced in the analysis input, the static analyzer identified 6 Python files and 8 other files in the package (23 total files) that were not provided for review. The cross-file exfiltration chain (2 files) suggests a pattern where one file reads environment variables (potentially containing API keys, tokens, AWS credentials, etc.) and another file transmits that data to an external endpoint. This is a classic data exfiltration pattern hidden within a seemingly legitimate data-science skill. File: SKILL.md Remediation: Audit all 6 Python files in the skill package for: (1) os.environ or os.getenv calls, (2) network calls using requests, urllib, httpx, or similar, (3) any pattern that reads environment variables and passes them to network functions. Remove or sandbox any such code. Do not install or use this skill until a full source audit is completed.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Suspicious Referenced File Names Matching Core Python Package Names

  The SKILL.md references files named umap.py, sklearn.py, tensorflow.py, matplotlib.py, and hdbscan.py. These filenames exactly shadow the names of the Python packages used throughout the skill's code examples. If these files exist in the working directory alongside user notebooks or scripts, Python's import resolution will load these local files instead of the legitimate installed packages. This is a classic module shadowing / import hijacking attack vector. The SKILL.md itself warns about this in the 'Common Issues' section, which is suspicious — it may be an attempt to normalize the presence of these files or deflect attention from their malicious purpose. File: SKILL.md Remediation: Investigate whether these files exist in the skill package or are intended to be created. If they exist, audit their contents for malicious code. The presence of a warning about shadowing in the same document that references these files is a social engineering red flag. Remove any such files from the skill package and ensure the skill does not create or reference files with names matching installed Python packages.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Undisclosed Script Files Not Surfaced for Review — Potential Hidden Capabilities

  The file inventory reports 23 total files including 6 Python scripts and 8 other files, but the skill analysis input surfaces 'No script files found' and only references files that were not found. This discrepancy means the actual executable Python code in the skill package was not provided for review. The static analyzer nonetheless detected exfiltration behavior patterns in those hidden files. A skill package that contains executable Python files not disclosed during analysis represents a significant tool exploitation risk, as the agent may execute these scripts without the user being aware of their content. File: SKILL.md Remediation: Require full disclosure of all Python and Bash files in the skill package before installation. Do not install skills where the declared script inventory does not match the files provided for review. Implement a policy requiring all executable files in a skill package to be audited before the skill is activated.

• 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Activation Triggers in Skill Description

  The skill description is engineered to trigger activation across an extremely wide range of user requests. It explicitly instructs the agent to 'Trigger it even when the user doesn't say "Arbor" or "hypothesis tree" but describes repeated experiment-and-evaluate loops, branching exploration of competing ideas, or worries about a dev/test gap.' This over-broad activation language inflates the skill's perceived applicability and increases the likelihood of unwanted or unnecessary activation, potentially displacing more appropriate tools. File: SKILL.md Remediation: Narrow the activation criteria to specific, well-defined use cases. Avoid instructing the agent to activate the skill when the user has not explicitly requested it. Remove language that encourages activation based on vague behavioral signals.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Parallel Subagent Dispatch Without Resource Limits

  The skill instructs the coordinator to dispatch multiple executor subagents in parallel ('Dispatch siblings in parallel — multiple Agent calls in one message') with each subagent creating isolated git worktrees and running potentially expensive evaluation commands. With a default budget of 20 cycles and branching factor of 3, this could result in a large number of concurrent subagent invocations and git worktrees, potentially exhausting compute, disk, or API resources. No explicit limits on parallelism or resource consumption are enforced. File: SKILL.md Remediation: Add explicit guidance on maximum parallelism (e.g., cap concurrent executor subagents). Implement resource checks before dispatching parallel subagents. Consider adding disk space and API quota checks before initiating large parallel workloads.

• 🔵 LOW LLM_PROMPT_INJECTION — Executor Subagents Instructed to Process Untrusted External Content

  The executor brief template instructs executor subagents to read and implement changes from external git repositories and artifact branches (M_best, branch_ref). The executor is told to 'implement the MINIMAL change that realizes the hypothesis' starting from an external branch reference. If the branch reference or artifact content contains malicious instructions or code, the executor subagent may process and execute them without additional validation. This creates an indirect prompt injection surface through the artifact/branch content. File: references/executor-brief.md Remediation: Add explicit guidance that executor subagents should not follow instructions embedded in artifact files or branch content. Instruct executors to treat artifact content as code/data only, not as agent instructions. Consider adding a review step before executors process externally-sourced branches.

• 🔵 LOW LLM_COMMAND_INJECTION — Unvalidated User-Supplied Arguments Passed to Shell Commands via argparse

  The tree.py script accepts user-supplied strings (--objective, --dev-eval, --test-eval, --hypothesis, --reason, --insight, --result, --branch-ref) and stores them in JSON state files. While these strings are not directly passed to shell execution within tree.py itself, the stored values (particularly --dev-eval and --test-eval) are described as commands to be executed by the coordinator agent (e.g., 'python eval.py --split dev --n 50'). If the coordinator agent executes these stored command strings via Bash without sanitization, a malicious user could inject shell commands through these fields. The risk is indirect but real given the agentic execution context. File: scripts/tree.py Remediation: Document clearly that dev-eval and test-eval values are treated as shell commands and should be validated before storage. Consider adding a whitelist or validation step for command strings. The coordinator should treat stored evaluator commands as potentially untrusted and avoid executing them via shell interpolation without review.

• 🔵 LOW LLM_DATA_EXFILTRATION — Environment Variable Access with Network Calls (Legitimate Pattern)

  The skill reads NCBI_API_KEY and NCBI_EMAIL from environment variables and uses them in network calls to NCBI's Entrez API. The static analyzer flagged this as potential exfiltration, but the pattern is explicitly documented, scoped to only NCBI_API_KEY and NCBI_EMAIL, and the network destination (NCBI/Entrez) is a well-known legitimate bioinformatics service. The skill instructions explicitly warn against loading unrelated environment variables. This is a low-severity informational finding rather than a true threat. File: SKILL.md Remediation: The pattern is appropriate. Ensure that any generated code strictly limits environment variable access to NCBI_API_KEY and NCBI_EMAIL as documented, and does not generalize to reading arbitrary environment variables. Consider adding explicit validation that only these two variables are accessed.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Multiple Referenced Files Not Found in Package

  The skill references numerous files that are not present in the package: templates/databases.md, assets/advanced.md, assets/phylogenetics.md, assets/structure.md, templates/blast.md, assets/databases.md, templates/alignment.md, assets/sequence_io.md, Bio.py, templates/sequence_io.md, templates/advanced.md, templates/phylogenetics.md, assets/alignment.md, assets/blast.md, templates/structure.md. The absence of these files means the agent may attempt to read non-existent files or fail silently. The presence of a referenced 'Bio.py' file that is not found is particularly notable as it could shadow the legitimate Biopython 'Bio' package if it were present. File: SKILL.md Remediation: Remove references to non-existent files from the skill instructions, or include the missing files in the package. Specifically, remove the reference to 'Bio.py' as this name could shadow the Biopython library if the file were ever added.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in references/alignment.md at line 293 contains potentially dangerous Python code. File: references/alignment.md:293 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in references/alignment.md at line 311 contains potentially dangerous Python code. File: references/alignment.md:311 Remediation: Review the code block for security implications.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — subprocess Usage Without Input Sanitization Warning in Reference Docs

  The reference documentation (references/blast.md and references/alignment.md) instructs the agent to use subprocess with explicit argument lists and warns against interpolating unsanitized user input. However, the documentation does not provide concrete input validation examples or sanitization patterns. If the agent generates code that incorporates user-supplied filenames or parameters into subprocess calls without validation, command injection could result. The risk is mitigated by the explicit warnings in the docs but not fully addressed. File: references/blast.md Remediation: Add explicit input validation examples to the reference documentation showing how to sanitize file paths and parameters before passing them to subprocess. For example, validate that file paths exist and contain no shell metacharacters before use.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in references/blast.md at line 184 contains potentially dangerous Python code. File: references/blast.md:184 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in references/blast.md at line 211 contains potentially dangerous Python code. File: references/blast.md:211 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in references/blast.md at line 300 contains potentially dangerous Python code. File: references/blast.md:300 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in references/blast.md at line 329 contains potentially dangerous Python code. File: references/blast.md:329 Remediation: Review the code block for security implications.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Missing Referenced Script File (dask.py) with Static Exfiltration Flags

  The skill instructions reference a file 'dask.py' which was not found/provided for analysis. The static analyzer independently flagged cross-file exfiltration chains involving 2 files and environment variable exfiltration with network calls. This combination — a missing script file plus static analyzer warnings about exfiltration behavior — represents a meaningful tool exploitation risk. The skill declares allowed-tools including Bash and Write, which combined with an unreviewed Python script could enable data collection and exfiltration. File: SKILL.md Remediation: 1. Audit the missing dask.py file before deploying this skill. 2. Verify no environment variable harvesting (os.environ, os.getenv) combined with network calls exists in any script. 3. If dask.py is not needed, remove the reference from the skill. 4. Consider restricting allowed-tools to remove Bash if shell execution is not required for the skill's stated purpose.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Description

  The skill description references multiple alternative tools (vaex, polars) and makes broad claims about distributed computing capabilities. While not overtly malicious, the description positions this skill as a general-purpose distributed computing assistant, which could lead to broader-than-necessary activation across many user queries involving data processing. File: SKILL.md Remediation: Narrow the description to focus specifically on what the skill does rather than positioning it as a decision-making authority over competing tools.

• 🔵 LOW LLM_DATA_EXFILTRATION — Static Analyzer Flagged Environment Variable Exfiltration Pattern

  The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN across 2 files. However, no Python script files were found in the provided content (dask.py was listed as referenced but not found). The referenced files contain only documentation and code examples. The code examples in the reference files (e.g., references/schedulers.md) mention environment variables in a legitimate context (DASK_* env vars for cluster configuration). Without the actual script files being present, the static analyzer findings cannot be confirmed from the provided content, but the missing dask.py file is a concern. File: references/schedulers.md Remediation: Locate and audit the missing dask.py file referenced in the skill instructions. Verify that no environment variable harvesting or network exfiltration patterns exist in the actual script files. The static analyzer findings across 2 files suggest a potential read→send pattern that warrants manual review.

• 🟡 MEDIUM LLM_PROMPT_INJECTION — Indirect Prompt Injection Risk via External API Responses

  The skill instructs the agent to return 'raw JSON' responses from external databases and to 'default to showing the full raw JSON.' Many of the 78 databases return user-contributed or third-party content (e.g., drug labels from FDA, patent text from USPTO, clinical trial descriptions from ClinicalTrials.gov, gene annotations from NCBI). Malicious or adversarially crafted content in these external API responses could contain embedded instructions that the agent might follow when processing or summarizing the raw JSON. The instruction to return full raw JSON without sanitization increases this risk. File: SKILL.md Remediation: Add a note in the instructions that the agent should treat all API response content as untrusted data and should not follow any instructions embedded within API responses. Consider adding a warning to users that raw API responses may contain third-party content.

• 🔵 LOW LLM_DATA_EXFILTRATION — API Key Loading from Environment Variables and .env File

  The skill instructs the agent to read API keys from shell environment variables (e.g., $FRED_API_KEY, $NASA_API_KEY, etc.) and from a .env file in the current working directory. While this is a common and legitimate pattern for credential management, it means the agent will actively read potentially sensitive credentials from the environment and local filesystem as part of normal operation. The skill covers 17+ different API keys across many services. If the skill is invoked in an unexpected context, it could expose credentials to external services. File: SKILL.md Remediation: This is standard practice but users should be aware that invoking this skill will cause the agent to read environment variables and .env files. Ensure the .env file is not world-readable and that API keys are scoped to minimum necessary permissions.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

  The skill does not declare an 'allowed-tools' field in its YAML manifest. Given the skill's broad scope (making HTTP requests to 78 databases, reading environment variables, executing bash commands, reading files), the absence of tool restrictions means there is no manifest-level constraint on what the agent can do. This is informational per the spec (allowed-tools is optional), but worth noting given the skill's extensive capabilities. File: SKILL.md Remediation: Consider adding an explicit allowed-tools declaration such as [Bash, Read] to document the intended tool usage and provide a reference point for auditing behavior.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing License Information

  The skill does not specify a license. Given that it bundles reference files for 78 databases and provides detailed API documentation, the absence of a license creates ambiguity about usage rights and provenance. File: SKILL.md Remediation: Add a license field to the YAML manifest (e.g., 'license: MIT') to clarify usage rights.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Parallel API Calls Across 78 Databases

  The skill instructions encourage querying multiple databases in parallel for cross-domain queries: 'When the user's query spans multiple domains (e.g. "what do we know about aspirin" or "find everything about BRCA1"), query all relevant databases in parallel.' For broad queries, this could result in dozens of simultaneous HTTP requests, potentially exhausting network resources or triggering rate limiting across multiple services simultaneously. File: SKILL.md Remediation: Add guidance to limit the number of parallel requests (e.g., max 5-10 concurrent requests) and to prioritize the most relevant databases rather than querying all possible ones simultaneously.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Skill Description

  The skill description claims to cover '78 public scientific, biomedical, materials science, and economic databases' and instructs the agent to use it 'when looking up compounds, genes, proteins, pathways, variants, clinical trials, patents, economic indicators, or any public database API query.' The phrase 'any public database API query' is extremely broad and could cause the skill to be activated for nearly any information lookup task, potentially displacing more appropriate tools or skills. This is a mild capability inflation concern. File: SKILL.md Remediation: Narrow the activation description to specific domains rather than 'any public database API query'. List concrete use cases rather than using catch-all language.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — SIMBAD API Reference Explicitly Documents Input Sanitization Requirements for Injection Prevention

  The SIMBAD reference file (references/simbad.md) explicitly documents that user-supplied object names must be sanitized to prevent injection attacks into ADQL queries and script interfaces. The reference file states: 'Block newlines, carriage returns, tabs, quotes, semicolons, backslashes, and angle brackets in object names' and 'Escape single quotes in ADQL string literals by doubling them.' This indicates the skill is aware of injection risks but relies on the agent to implement sanitization correctly at runtime, which is not guaranteed. File: references/simbad.md Remediation: The sanitization guidance is good but relies on the LLM agent to implement it correctly. Consider adding a Python helper script that performs sanitization before constructing ADQL queries, rather than relying on the agent to remember and apply these rules.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Static Analyzer Detected Cross-File Environment Variable Exfiltration Chain

  The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN across 2 files in the skill package (32 total files: 22 markdown, 10 Python). Although no script files were surfaced in the provided content, the static analyzer detected patterns consistent with environment variable access combined with network calls, and a cross-file data exfiltration chain. This suggests one or more of the 10 Python files in the package (not shown in the analysis input) may contain credential harvesting or data exfiltration logic that was not included for review. File: SKILL.md Remediation: Audit all 10 Python files in the skill package for environment variable access (os.environ, os.getenv) combined with outbound network calls. Identify the 2-file exfiltration chain flagged by the static analyzer. Remove any code that reads credentials or environment variables and transmits them externally. Ensure all network calls are limited to the documented DepMap/figshare endpoints.

• 🔵 LOW LLM_COMMAND_INJECTION — Unvalidated User-Supplied Gene Symbols Passed to API and DataFrame Lookups

  Gene symbols (e.g., target_gene, biomarker_gene) are accepted from user input and passed directly into API query parameters and pandas DataFrame column lookups without sanitization. While the DepMap API is a read-only public endpoint and pandas column access is not directly injectable, malformed or adversarially crafted gene symbol strings could cause unexpected behavior, error leakage, or in edge cases where the pattern is extended to shell commands, command injection. File: SKILL.md Remediation: Validate gene symbols against a whitelist pattern (e.g., alphanumeric + hyphen, max 20 chars) before use. Sanitize inputs before passing to API parameters or DataFrame operations.

• 🔵 LOW LLM_DATA_EXFILTRATION — External Data Download Without Integrity Verification

  The skill instructs downloading large data files from external URLs (figshare.com, depmap.org) using a streaming download function with no checksum or integrity verification. While these are legitimate public research repositories, the download_depmap_data function writes arbitrary binary content to disk without validating file integrity, hash, or authenticity. A compromised or man-in-the-middle response could deliver malicious CSV content that is subsequently parsed by pandas. File: SKILL.md Remediation: Add SHA256 checksum verification after download. Pin expected hashes for known DepMap release files. Use HTTPS and verify SSL certificates (requests does this by default, but confirm ssl=True). Consider adding a file size sanity check.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependencies and Incomplete Figshare URL

  The skill references external packages (requests, pandas, scipy, numpy) without version pinning, and the figshare download URL is left as a placeholder ('https://figshare.com/ndownloader/files/...'). Unpinned dependencies are vulnerable to supply chain attacks if a malicious version is published. The incomplete URL could lead users to substitute arbitrary URLs. Additionally, scipy.py is listed as a referenced file but does not exist in the package, which may indicate a missing or misnamed dependency file. File: SKILL.md Remediation: Pin all Python dependencies to specific versions in a requirements.txt (e.g., requests==2.31.0, pandas==2.1.0). Replace placeholder URLs with complete, verified figshare URLs for the specific DepMap release. Clarify or remove the scipy.py reference — if it refers to the scipy library, update documentation accordingly.

• 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Activation Triggers and Keyword Baiting in Description

  The skill description contains an unusually broad set of activation triggers designed to maximize invocation frequency. It includes vague phrases like 'wants deeper insight into the author's reasoning patterns', 'decision-making style', or 'cognitive signature' that could match a very wide range of user queries. The description also includes the proprietary term 'DHDNA' and 'digital DNA' as trigger keywords, which appear to be brand-specific terms tied to the author's commercial platform (themindbook.app, ahkstrategies.net). This pattern inflates the skill's perceived scope and increases unwanted or unintended activation. File: SKILL.md Remediation: Narrow the activation triggers to specific, well-defined use cases. Avoid vague catch-all phrases that could match unrelated user queries. Separate brand-specific terminology from functional triggers.

• 🔵 LOW LLM_DATA_EXFILTRATION — Pre-Scan Flags Indicate Potential Exfiltration Patterns in Unreported Scripts

  The static pre-scan context reports findings of BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN, and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across 32 files (22 markdown, 10 Python), yet no script files were provided for analysis. The skill package reportedly contains 10 Python files that were not included in the submission. These static analyzer flags suggest environment variable access combined with network calls and cross-file data exfiltration chains may exist in the unreviewed Python scripts. This cannot be fully assessed without the actual script content. File: SKILL.md Remediation: The 10 Python script files must be reviewed before this skill is approved for use. Static analyzer flags for environment variable exfiltration and cross-file exfiltration chains are serious indicators that require full code review. Do not deploy this skill until all Python files have been audited for data exfiltration patterns.

• 🔵 LOW LLM_HARMFUL_CONTENT — Pseudoscientific Framework Presented as Established Science

  The skill presents the 'Digital Human DNA (DHDNA)' framework as a scientifically validated methodology for extracting 'cognitive fingerprints', comparing it to biological DNA. The referenced 'research' consists of self-published Zenodo pre-prints (not peer-reviewed publications). The framework makes strong claims about uniquely identifying cognitive signatures from text, which is not supported by established cognitive science. Users may be misled into believing the profiles generated are scientifically accurate assessments of their cognition or that of others. File: SKILL.md Remediation: Add clear disclaimers that DHDNA is a proprietary, non-peer-reviewed framework and not an established scientific methodology. Avoid analogies to biological DNA that imply scientific equivalence. Clearly label outputs as interpretive analysis rather than validated cognitive assessments.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Commercial Platform Promotion Embedded in Skill Instructions

  The SKILL.md instructions contain multiple promotional references to the author's commercial products and platforms, including links to 'themindbook.app', 'ahkstrategies.net', and self-published Zenodo pre-prints. These references are embedded in the skill's operational instructions rather than in metadata, blurring the line between a functional skill and a marketing vehicle. The 'Built By' section at the bottom of the instructions actively promotes commercial services. File: SKILL.md Remediation: Move commercial references to YAML metadata fields (e.g., skill-author, homepage). Keep the instruction body focused on functional behavior only. Avoid embedding promotional content in operational instructions.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Potential dxpy Library Shadowing via Local dxpy.py

  The skill references a file named 'dxpy.py' which was not found but is listed as a referenced file. If present, a local file named dxpy.py would shadow the legitimate DNAnexus dxpy Python library when imported in the same directory context. This is a classic tool shadowing attack: any app code doing 'import dxpy' could inadvertently import the malicious local file instead of the legitimate SDK, potentially intercepting authentication tokens, API calls, file uploads/downloads, and all platform interactions. The static analyzer flagged environment variable exfiltration with network calls and cross-file exfiltration chains, which is consistent with this attack pattern. Remediation: Remove any local dxpy.py file from the skill package. The legitimate dxpy library should be installed via pip and never shadowed by a local file. Verify the package does not contain any file that could shadow standard library imports used in genomics workflows.

• 🔵 LOW LLM_DATA_EXFILTRATION — Multiple Referenced Files Not Found in Package

  The skill references numerous files that were not found in the package: templates/app-development.md, templates/python-sdk.md, templates/data-operations.md, templates/configuration.md, templates/job-execution.md, assets/configuration.md, assets/app-development.md, assets/job-execution.md, assets/python-sdk.md, assets/data-operations.md, and dxpy.py. The static analyzer flagged cross-file exfiltration chains involving 2 files and environment variable exfiltration with network calls. These missing files cannot be audited and may contain malicious behavior such as credential harvesting or data exfiltration, particularly given the flagged dxpy.py which shadows the legitimate dxpy library name. File: SKILL.md Remediation: Audit all missing referenced files before deploying this skill. Pay particular attention to dxpy.py which could shadow the legitimate dxpy library and intercept authentication tokens or API calls. Verify that no files in the package perform unauthorized network calls with harvested credentials.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License Information

  The skill manifest declares license as 'Unknown'. This is a provenance concern as users cannot determine the terms under which the skill is distributed. For a skill that interacts with cloud genomics infrastructure and handles sensitive biomedical data, clear licensing and authorship information is important for trust assessment. File: SKILL.md Remediation: Add a proper SPDX license identifier (e.g., MIT, Apache-2.0) to the skill manifest to establish clear provenance and usage terms.

• 🔵 LOW LLM_DATA_EXFILTRATION — Authentication Token Exposed via Environment Variable Documentation

  The skill documents the DX_SECURITY_CONTEXT environment variable which contains the DNAnexus authentication token. While using environment variables for credentials is generally acceptable practice, the skill's reference documentation (references/python-sdk.md) explicitly shows how to set the auth token directly in code and via environment variables. The static analyzer flagged cross-file environment variable exfiltration chains, suggesting that in the broader skill package (unreferenced/not-found files), there may be scripts that read DX_SECURITY_CONTEXT and transmit it externally. The visible content itself follows best practices by recommending against hardcoded credentials, but the static analysis flags warrant attention. File: references/python-sdk.md Remediation: Review the unreferenced/missing script files (templates/app-development.md, dxpy.py, assets/* files) for any code that reads DX_SECURITY_CONTEXT and transmits it to external endpoints. Ensure the environment variable is only used for legitimate DNAnexus API authentication.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

  The skill manifest does not declare an allowed-tools field. Given that the skill executes bash commands (soffice, pandoc, pdftoppm, git, gcc), writes files, reads files, and runs Python scripts, the absence of this declaration means there are no declared restrictions on tool usage. This is informational per the spec but worth noting given the breadth of system operations performed. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the SKILL.md manifest listing the tools actually used: [Bash, Python, Read, Write]. This improves transparency and allows the agent runtime to enforce appropriate restrictions.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Overly Broad Skill Activation Description

  The skill description contains an extensive list of trigger keywords and use cases that could cause the skill to activate in a wide range of scenarios beyond its core purpose. Phrases like 'report', 'memo', 'letter', 'template' are very common words that could trigger unintended skill activation. The description also explicitly instructs when NOT to use the skill, which is unusual and could indicate over-broad activation scope. File: SKILL.md Remediation: Narrow the activation triggers to more specific DOCX-related keywords. Avoid using generic document terms like 'report', 'memo', 'letter' as standalone triggers without requiring explicit .docx or Word document context.

• 🔵 LOW LLM_COMMAND_INJECTION — Subprocess Execution with User-Controlled File Paths

  Multiple scripts (accept_changes.py, soffice.py, unpack.py, pack.py) pass file paths to subprocess calls (soffice, pandoc, pdftoppm, git). While these paths originate from user-provided arguments rather than untrusted document content, if the skill is invoked with attacker-controlled file paths, argument injection could occur. The scripts do not sanitize or validate file paths before passing them to subprocess calls. File: scripts/accept_changes.py Remediation: Validate that file paths are within expected directories before passing to subprocess. Use pathlib to resolve and check paths against allowed base directories. Consider using subprocess with list arguments (already done) rather than shell=True to prevent shell injection.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Dynamic Compilation and LD_PRELOAD Injection via C Shim

  The soffice.py script dynamically compiles a C source file using gcc and loads the resulting shared library via LD_PRELOAD. While the C source (_SHIM_SOURCE) is hardcoded within the script, this pattern is a significant security concern: it compiles and injects native code into the LibreOffice process at runtime. If the script were modified or the _SHIM_SOURCE variable tampered with, arbitrary native code could be injected into subprocesses. The shim intercepts socket(), listen(), accept(), and close() system calls. File: scripts/office/soffice.py Remediation: Consider shipping the pre-compiled shim as a binary artifact rather than compiling at runtime. If runtime compilation is necessary, verify the integrity of the compiled output and restrict permissions on the resulting .so file. Ensure the temp directory is not world-writable or use a more secure location.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Environment Variable Access in soffice.py

  The soffice.py script calls os.environ.copy() to copy the entire process environment and passes it to subprocess calls running LibreOffice. While this is a common pattern for subprocess environment propagation, it means all environment variables (which may include API keys, tokens, credentials, and other secrets) are passed to the LibreOffice subprocess. The static analyzer flagged this as part of a cross-file exfiltration chain. However, in context, this appears to be legitimate subprocess environment propagation for LibreOffice rather than intentional exfiltration — the environment is passed to a local process, not sent to a remote server. File: scripts/office/soffice.py Remediation: Consider filtering the environment to only pass variables required by LibreOffice (e.g., PATH, HOME, DISPLAY, TMPDIR) rather than copying the entire environment. This reduces the risk of sensitive environment variables being accessible to the LibreOffice subprocess.

• 🔵 LOW LLM_DATA_EXFILTRATION — Integration Tracking Header Sent to Exa API

  Both scripts set a custom HTTP header 'x-exa-integration: k-dense-ai--scientific-agent-skills' on every API request. The SKILL.md explicitly instructs: 'Do not remove or rename this header when adapting the scripts.' This header attributes usage to the skill author's integration account. While this is disclosed in the instructions, users should be aware that their API usage is being attributed to a third-party integration identifier, which may affect billing attribution or usage analytics on the Exa platform. File: SKILL.md Remediation: This is disclosed behavior. Users who wish to use their own Exa account without third-party attribution tracking may remove or change the x-exa-integration header value. The instruction to 'not remove' this header is a soft social engineering nudge but not a security threat.

• 🔵 LOW LLM_PROMPT_INJECTION — External Web Content Processed Without Sanitization

  The web-extract capability fetches arbitrary external URLs and returns their full text content to the agent for processing. The references/web-extract.md instructs the agent to 'keep content verbatim' and 'preserve all facts, names, numbers, dates, quotes.' If a malicious webpage contains embedded prompt injection instructions (e.g., 'Ignore previous instructions and...'), the agent may process these as instructions rather than data. This is an indirect prompt injection risk inherent to any web content extraction workflow. File: references/web-extract.md Remediation: Add a note in the extraction reference instructing the agent to treat extracted web content as untrusted data, not as instructions. Consider wrapping extracted content in explicit delimiters (e.g., tags) to help the agent distinguish between skill instructions and fetched data.

• 🔵 LOW LLM_DATA_EXFILTRATION — API Key Transmitted to External Service (Expected Behavior)

  Both scripts read the EXA_API_KEY environment variable and use it to authenticate with the Exa API (exa.ai). While the static analyzer flagged this as 'env var exfiltration with network calls,' this is the intended and documented behavior of the skill — the API key is used solely to authenticate with the declared Exa service. The skill's manifest explicitly declares EXA_API_KEY as a required environment variable and documents its purpose. This is not malicious exfiltration, but users should be aware their API key is transmitted to exa.ai on every call. File: scripts/exa_search.py Remediation: No remediation required for normal use. Users should ensure EXA_API_KEY is scoped appropriately and that they trust the Exa service (exa.ai) with their queries and extracted content. Review Exa's privacy policy regarding query data retention.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Dependency Version (exa-py>=1.14.0)

  Both scripts declare a minimum version constraint 'exa-py>=1.14.0' rather than a pinned exact version. This means future installs could pull in any newer version of the exa-py SDK, including versions that may introduce breaking changes or, in a supply chain attack scenario, malicious code. The risk is low given exa-py is the skill author's own SDK, but unpinned dependencies are a supply chain hygiene concern. File: scripts/exa_search.py:3 Remediation: Pin the dependency to an exact version (e.g., 'exa-py==1.14.0') and verify the package hash. Update intentionally when upgrading. Consider using uv's lockfile mechanism for reproducible installs.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/exa-search/scripts/exa_extract.py File: skills/exa-search/scripts/exa_extract.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/exa-search/scripts/exa_search.py File: skills/exa-search/scripts/exa_search.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Arbitrary File Read from User-Supplied Path with No Scope Restriction

  The skill instructs the agent to accept any file path from the user and read it for analysis. The script will attempt to open and read any file the user specifies, including sensitive system files, credential files, or files outside the intended working directory. While this is partially by design (the skill is meant to analyze user files), there is no restriction or warning about accessing sensitive paths such as ~/.aws/credentials, ~/.ssh/id_rsa, /etc/passwd, or environment configuration files. The analyze_general_scientific function reads JSON files completely into memory, which could expose sensitive configuration files if a user (or injected instruction) points the skill at them. Remediation: Add path validation to restrict analysis to user-specified working directories. Warn users if a path points to system directories or known sensitive locations. Consider implementing an allowlist of safe base directories or a denylist of sensitive paths.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

  The SKILL.md manifest does not declare an 'allowed-tools' field. The skill executes Python code (eda_analyzer.py) that reads arbitrary user-specified file paths, writes output files, and imports numerous third-party libraries. Without an allowed-tools declaration, there is no manifest-level constraint on what tools the agent may use when executing this skill. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools actually needed (e.g., [Python, Read, Write]) to provide manifest-level documentation of expected tool usage.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Skill Description

  The skill description claims support for '200+ file formats' across six major scientific domains. While the reference files do document many formats, the actual Python script (eda_analyzer.py) only implements active analysis for a small subset (CSV, TSV, NPY, NPZ, JSON, HDF5, FASTA, FASTQ, TIFF). The gap between claimed capabilities and actual implementation could mislead users or the agent into believing the skill can perform deeper analysis than it actually does. This is a mild capability inflation issue. File: SKILL.md Remediation: Clarify in the description that the skill provides format identification and reference information for 200+ formats, but active programmatic analysis is implemented for a subset. Update the description to accurately reflect actual capabilities.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Third-Party Library Dependencies

  The skill's instructions and script reference numerous third-party libraries without version pinning: biopython, pysam, pyBigWig, rdkit, mdanalysis, cclib, tifffile, nd2reader, aicsimageio, pydicom, nmrglue, pymzml, pyteomics, pandas, numpy, h5py, scipy, PIL/Pillow, and others. Unpinned dependencies are vulnerable to supply chain attacks where a malicious package update could introduce malicious code that executes when the skill runs. File: SKILL.md Remediation: Provide a requirements.txt or pyproject.toml with pinned versions for all dependencies. Use hash-pinned dependencies (pip's --require-hashes) for critical packages. Document the expected versions in the skill manifest.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Unsanitized User-Supplied File Path Passed to File Operations

  The main() function in eda_analyzer.py accepts a file path directly from sys.argv[1] and passes it to os.path.exists(), Path(), and subsequently to multiple file-reading functions (numpy, pandas, h5py, PIL, Biopython, etc.) without any sanitization or path traversal validation. A malicious or crafted file path (e.g., path traversal sequences like '../../etc/passwd', or paths pointing to sensitive system files) could cause the script to read unintended files. Additionally, the output path (sys.argv[2] or auto-generated) is written without validation, potentially allowing writes to unintended locations. File: scripts/eda_analyzer.py Remediation: Validate and sanitize the input file path: resolve it to an absolute path, check it falls within an expected directory, and reject path traversal sequences. Similarly validate the output path. Consider using pathlib.Path.resolve() and checking against an allowed base directory.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded File Loading for Large Files

  Several analysis functions load entire files into memory without adequate size checks. The FASTA parser loads all sequences into a list (list(SeqIO.parse(...))), and the JSON parser loads the entire file. While FASTQ and CSV have sampling limits (10k rows/records), other formats do not. Processing very large files (multi-GB FASTA, large JSON) could exhaust system memory and cause denial of service. File: scripts/eda_analyzer.py Remediation: Add file size checks before loading. For FASTA, use iterative parsing with a record limit (similar to the FASTQ 10k limit). For JSON, check file size before loading and use streaming parsers for large files. Add a configurable maximum file size parameter.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Static Analysis Flags Environment Variable Exfiltration and Cross-File Exfiltration Chain

  The pre-scan static analyzer detected BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls) and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN across 2 files. While the visible reference files (references/*.md) do not contain explicit exfiltration code, the missing fluidsim.py and the 10 Python files reported in the file inventory (none of which were provided for review) are the likely sources of these behaviors. The combination of environment variable access (potentially harvesting FLUIDSIM_PATH, FLUIDDYN_PATH_SCRATCH, or other sensitive env vars) with network calls constitutes a data exfiltration risk. Remediation: All Python scripts in the skill package must be provided for review. Audit all Python files for: (1) os.environ access combined with requests/urllib/socket calls, (2) reading sensitive paths (~/.aws, ~/.ssh, environment variables) and transmitting them externally, (3) any cross-file data flow that collects then sends data. Remove or sandbox any network calls that are not strictly necessary for simulation functionality.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing fluidsim.py Script Referenced in Instructions

  The SKILL.md references a file called fluidsim.py which is not found in the package. The pre-scan static analyzer flagged environment variable access with network calls and cross-file exfiltration chains involving 2 files. The absence of fluidsim.py prevents full analysis of the flagged behaviors. If this script exists at runtime (e.g., downloaded or generated), it could contain the environment variable exfiltration behavior flagged by static analysis without being visible for review. File: SKILL.md Remediation: Locate and review fluidsim.py. If it is intended to be part of the skill, bundle it with the package and ensure it does not contain environment variable harvesting or network exfiltration code. Do not allow skills to reference scripts that are not bundled and reviewable.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Referenced File Paths Suggesting Capability Inflation

  The skill references files across multiple directory structures (references/, assets/, templates/) for the same conceptual content (e.g., installation.md, solvers.md, etc.), but most of these files do not exist. This pattern of referencing many non-existent files across multiple path variants may indicate an attempt to inflate perceived capability or coverage, or could be a sign of a poorly maintained/deceptive skill package. The skill claims comprehensive documentation across 19 referenced files, but only 6 actually exist. File: SKILL.md Remediation: Audit and remove references to non-existent files. Ensure all referenced documentation files are actually bundled with the skill package. Avoid referencing the same content under multiple directory paths unless all variants exist.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Key Transmitted to External Service via Network Call

  The script reads the OPENROUTER_API_KEY from a .env file (traversing parent directories) and transmits it as a Bearer token in HTTP requests to https://openrouter.ai. While this is the intended behavior for using the OpenRouter API, the combination of environment variable harvesting and network transmission constitutes a data flow that warrants scrutiny. The .env traversal walks up the entire directory tree, potentially picking up API keys from unrelated projects or sensitive parent directories. File: scripts/generate_image.py:57 Remediation: Limit .env file search to the current directory only, or at most one parent level. Avoid traversing the entire filesystem hierarchy for credentials, as this could inadvertently pick up API keys from unrelated projects. Consider using a dedicated secrets manager or environment variable instead of file traversal.

• 🔵 LOW LLM_DATA_EXFILTRATION — Input Image File Read Without Path Validation or Sandboxing

  The --input argument accepts an arbitrary file path and reads it as base64 to send to the external API. There is no validation that the file path is within an expected directory. A malicious invocation could supply a path to sensitive files (e.g., ~/.ssh/id_rsa, /etc/passwd) which would then be base64-encoded and transmitted to the OpenRouter API. File: scripts/generate_image.py:75 Remediation: Validate that the input file path resolves to an expected directory (e.g., current working directory or a designated images folder). Check that the file extension matches an expected image type before reading. Consider using Path.resolve() and checking that the resolved path starts with an allowed base directory.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Third-Party Dependency (requests)

  The script imports the 'requests' library without any version pinning or requirements file specifying an exact version. If a user installs the package, they may get any version, including potentially compromised future versions. The script also provides installation instructions without version constraints. File: scripts/generate_image.py:108 Remediation: Include a requirements.txt file with a pinned version of requests (e.g., requests==2.31.0) and reference it in the skill documentation. This ensures reproducible and auditable dependency resolution.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — User-Controlled Model Parameter Passed Directly to API Without Validation

  The --model argument is accepted from the command line and passed directly to the OpenRouter API without any validation or allowlist enforcement. A malicious caller could supply an unexpected model identifier. While this does not directly enable code injection on the local machine, it could be used to route requests to unintended models or abuse the API in unexpected ways. The prompt itself is also passed verbatim from user input to the external API. File: scripts/generate_image.py:155 Remediation: Implement an allowlist of permitted model identifiers and validate the --model argument against it before making API calls. This prevents abuse of the model selection parameter and ensures only approved models are used.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Dynamic Package Upgrade via subprocess in Skill Instructions

  The SKILL.md instructions include a code block that uses subprocess.run() to execute pip3 install --upgrade --break-system-packages idc-index when the installed version is below a required version. This pattern executes shell commands dynamically from within the agent's Python environment. While the package name is hardcoded (not user-controlled), the --break-system-packages flag is aggressive and could interfere with system Python packages. Additionally, the version comparison uses a string comparison (installed < REQUIRED_VERSION) rather than proper semantic version comparison, which could lead to incorrect upgrade decisions. File: SKILL.md Remediation: Use packaging.version.Version for proper semantic version comparison. Consider removing the auto-upgrade subprocess call and instead instructing the user to upgrade manually. If auto-upgrade is needed, avoid --break-system-packages and validate the version string before comparison.

• 🔵 LOW LLM_PROMPT_INJECTION — Indirect Prompt Injection Risk via External Reference Files

  The skill references numerous external guide files (references/.md, assets/.md, templates/.md) that are loaded on demand by the agent. Many of these files were not found in the package (templates/, assets/, SimpleITK.py, idc_index.py, pydicom.py). If these files are fetched from external sources or if the missing files are later populated with malicious content, they could inject instructions into the agent's context. The skill explicitly instructs the agent to 'load on demand' these reference guides, creating a transitive trust path. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package and their contents are reviewed. Do not load reference files from external URLs. Validate that missing files (templates/, assets/*) are not fetched from remote sources at runtime.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

  The SKILL.md manifest does not specify the allowed-tools field. The skill instructs the agent to execute Python code (subprocess calls, file I/O, network requests via idc-index and requests library, webbrowser.open), write files (CSV manifests, JSON manifests, NIfTI files), and run bash commands (pip install, idc download CLI). Without declaring allowed-tools, there is no declared boundary on what tools the agent may use. File: SKILL.md Remediation: Add an explicit allowed-tools field to the YAML frontmatter listing the tools this skill requires (e.g., [Python, Bash, Write, Read]) to make the skill's capabilities transparent and auditable.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instructions

  The skill instructs users to install packages using pip install --upgrade idc-index without pinning to a specific version in the installation commands (though the metadata specifies idc-index==0.11.14). The optional dependencies (pandas, numpy, pydicom, duckdb) are also installed without version pins. This creates supply chain risk where a compromised or malicious version of these packages could be installed. File: SKILL.md Remediation: Pin all package versions in installation instructions (e.g., pip install idc-index==0.11.14). For optional dependencies, specify tested version ranges or exact versions.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in SKILL.md at line 21 contains potentially dangerous Python code. File: SKILL.md:21 Remediation: Review the code block for security implications.

• 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned External Dependency Installed via Git Clone

  The SKILL.md instructions direct users to install the labarchives-py package directly from a GitHub repository without any version pinning, commit hash, or integrity verification. This creates a supply chain risk: if the repository at https://github.com/mcmero/labarchives-py is compromised or modified, malicious code would be installed and executed in the user's environment. The same unpinned GitHub install URL is also referenced in script error messages. File: SKILL.md Remediation: Pin the dependency to a specific commit hash or tag (e.g., pip install git+https://github.com/mcmero/labarchives-py@<commit-sha>). Alternatively, publish the package to PyPI with a pinned version and verify checksums. Document the expected package hash for integrity verification.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Missing License and Compatibility Metadata

  The skill manifest does not specify a license or compatibility field. The license is listed as 'Unknown' and compatibility is 'Not specified'. While this is a minor metadata issue, it reduces transparency about the skill's provenance, usage rights, and intended deployment environments. The skill-author field is present ('K-Dense Inc.') but without a license, users cannot determine usage rights. File: SKILL.md Remediation: Add a valid SPDX license identifier (e.g., license: MIT) and specify compatibility information (e.g., compatibility: Claude.ai, Claude Code, API) in the YAML frontmatter.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in references/api_reference.md at line 217 contains potentially dangerous Python code. File: references/api_reference.md:217 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in references/integrations.md at line 93 contains potentially dangerous Python code. File: references/integrations.md:93 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in references/integrations.md at line 309 contains potentially dangerous Python code. File: references/integrations.md:309 Remediation: Review the code block for security implications.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — API Credentials Transmitted in HTTP Request Body (Plaintext)

  In scripts/entry_operations.py, the upload_attachment function includes access_key_id and access_password directly in the POST request body as form data fields. While HTTPS is used, embedding credentials in request bodies (rather than using proper authentication headers or the existing client abstraction) increases the risk of credential exposure in server logs, proxy logs, and debugging output. The credentials are sourced from the config file and passed directly into the multipart form data. File: scripts/entry_operations.py Remediation: Use the existing authenticated client object (which already handles credential signing) to perform the upload, rather than manually embedding credentials in the request body. If direct requests are necessary, use HTTP Authorization headers instead of body parameters to reduce credential exposure in logs.

• 🔵 LOW LLM_DATA_EXFILTRATION — Credentials Stored in Plaintext YAML Config File

  The setup_config.py script collects sensitive credentials (access_key_id, access_password, user_email, user_external_password) and writes them to a plaintext config.yaml file. While the script sets file permissions to 0o600, the credentials remain unencrypted on disk. The authentication guide also shows hardcoded credential examples in R code snippets. The skill does recommend environment variables as an alternative but defaults to the plaintext file approach. File: scripts/setup_config.py Remediation: Encourage use of environment variables or system keychain/secret managers as the primary credential storage method rather than a secondary option. Consider integrating with OS keychain (e.g., keyring library) or prompting users to use a secrets manager. Ensure config.yaml is added to .gitignore by default during setup.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License and Compatibility Metadata

  The skill manifest declares 'license: Unknown' and does not specify compatibility. While not a direct security threat, missing provenance metadata reduces transparency and makes it harder to assess trustworthiness of the skill package. File: SKILL.md Remediation: Add a valid SPDX license identifier (e.g., 'MIT', 'Apache-2.0') and specify compatibility information in the YAML frontmatter.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Multiple Referenced Files Not Found in Skill Package

  The skill references numerous files (templates/data-management.md, templates/workflow-creation.md, templates/verified-workflows.md, latch.py, assets/resource-configuration.md, assets/verified-workflows.md, assets/data-management.md, assets/workflow-creation.md) that are not present in the skill package. This incomplete package state could indicate a supply chain issue, incomplete distribution, or that the skill relies on files that may be fetched or substituted at runtime from untrusted sources. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. Remove references to files that do not exist, or document clearly why they are absent. Do not rely on runtime fetching of missing skill components from external sources.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

  The skill does not declare an 'allowed-tools' field in its YAML manifest. While this field is optional per the spec, its absence means there are no declared restrictions on which agent tools this skill may invoke, reducing the ability to audit or constrain its behavior. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing only the tools required for the skill's stated purpose (e.g., [Read, Bash, Python]).

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Secrets Management Pattern Exposes API Keys via get_secret()

  The referenced data-management.md documents a 'get_secret()' function from latch.functions for retrieving secrets within workflows. While this is a legitimate SDK feature, the skill instructs the agent to use this pattern without any guidance on safe handling, scope limitation, or preventing secret leakage into logs or return values. This could lead to inadvertent exposure of API keys or credentials in workflow outputs. File: references/data-management.md Remediation: Add explicit guidance in the skill instructions that secrets retrieved via get_secret() must never be logged, returned as workflow outputs, or embedded in LatchFile/LatchDir paths. Recommend scoping secret access to the minimum required.

• 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims and Unsolicited Activation Directive

  The skill description explicitly instructs the agent to activate liteparse 'even when the user does not name liteparse' and to 'Prefer over MarkItDown' and 'prefer over the pdf skill'. This is a capability inflation and activation priority manipulation pattern — the skill is attempting to hijack agent routing decisions and ensure it is selected over competing skills regardless of user intent. This is a form of keyword baiting and priority manipulation embedded in the manifest description. File: SKILL.md Remediation: Remove the directive 'even when the user does not name liteparse' and the comparative preference instructions from the manifest description. Skill selection should be based on user intent and agent judgment, not embedded priority directives. Move parser comparison guidance to internal reference documentation only.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing Referenced Files Cannot Be Audited

  The SKILL.md references multiple files that were not found during analysis: liteparse.py, assets/choosing_a_parser.md, assets/output_formats.md, assets/ocr_and_formats.md, assets/api_reference.md, assets/cli_reference.md, templates/api_reference.md, templates/choosing_a_parser.md, templates/ocr_and_formats.md, templates/cli_reference.md, templates/output_formats.md. In particular, liteparse.py is a Python file that could contain executable code with security implications. These missing files represent an incomplete security surface that cannot be assessed. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package before deployment. Audit liteparse.py in particular for any executable code, network calls, or credential access. Remove references to non-existent files from SKILL.md or add the missing files to the package.

• 🔵 LOW LLM_DATA_EXFILTRATION — Static Analyzer Flags Potential Environment Variable Exfiltration Chain

  The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN across 2 files. Manual review of the provided scripts (batch_parse_dir.py and reference markdown files) does not reveal explicit credential harvesting or network exfiltration code. However, the skill references a missing liteparse.py file and several missing template/asset files that could not be reviewed. The OCR HTTP server feature (ocr_server_url parameter) allows user-configured network calls to arbitrary URLs, which could be abused to exfiltrate parsed document content if a malicious URL is supplied. The static analyzer signal warrants noting even though the reviewed code appears clean. File: scripts/batch_parse_dir.py Remediation: Validate and restrict ocr_server_url to localhost/loopback addresses by default, or require explicit user confirmation before sending document content to any non-local OCR server. Document clearly that parsed document bytes are transmitted to the configured OCR server. The missing liteparse.py file referenced in instructions should be audited or removed from the reference list.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Recursive Directory Traversal in Batch Parse

  The batch_parse_dir.py script with --recursive flag uses glob('**/*') which will traverse the entire directory tree without depth limits. Combined with the broad DEFAULT_EXTENSIONS set (25+ file types) and no max_files limit, a user pointing this at a large directory (e.g., home directory) could trigger unbounded file processing, excessive OCR worker spawning, and significant CPU/memory consumption. There is no timeout, file count cap, or depth limit implemented. File: scripts/batch_parse_dir.py Remediation: Add a --max-files argument to cap the number of files processed. Consider adding a --max-depth argument for recursive traversal. Implement a warning when the file count exceeds a threshold (e.g., 1000 files). Document that --recursive on large directories may consume significant resources.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Overly Broad Skill Description Claiming Equivalence to Top Consulting Firms

  The skill description claims to generate reports 'in the style of top consulting firms (McKinsey, BCG, Gartner)' and states reports 'rival top consulting firm deliverables.' These are marketing claims that inflate perceived capability. The skill generates LaTeX templates with placeholder content and calls other skills for visuals, but the actual analytical content quality depends entirely on the LLM's knowledge and the research-lookup skill's data. Claiming equivalence to McKinsey/BCG deliverables could lead users to over-rely on AI-generated content for high-stakes investment or M&A decisions without appropriate expert review. File: SKILL.md Remediation: Revise the description to accurately characterize the skill as an AI-assisted report generation tool that produces structured templates and analysis frameworks, rather than claiming equivalence to professional consulting deliverables. Add a disclaimer in the skill instructions noting that outputs should be reviewed by domain experts before use in investment or strategic decisions.

• 🔵 LOW LLM_DATA_EXFILTRATION — Static Analyzer False Positive: No Actual Exfiltration Chain Detected

  The pre-scan static analyzer flagged BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN, and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION. After manual review of all provided script content (scripts/generate_market_visuals.py and all referenced files), no actual environment variable harvesting, credential access, or network exfiltration calls were found. The Python script uses subprocess to call other skill scripts (scientific-schematics, generate-image) with image generation prompts, and uses only argparse, os.path, subprocess, sys, and pathlib — all for legitimate local file operations. The static analyzer likely triggered on cross-file subprocess chaining patterns. This is a false positive in the context of this skill's legitimate batch visual generation workflow. File: scripts/generate_market_visuals.py Remediation: No remediation required for this specific finding. The static analyzer flags are false positives. However, consider pinning the paths to sibling skill scripts more strictly to prevent path traversal if user-controlled input ever reaches the script path construction.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Unvalidated User-Controlled Topic String Passed to Subprocess Commands

  The --topic argument provided by the user is interpolated directly into shell command prompts via Python string .format() and passed as a positional argument to subprocess.run(). While subprocess.run() with a list (not shell=True) prevents shell injection, the topic string is embedded verbatim into the prompt text sent to scientific-schematics and generate-image scripts. If those downstream scripts pass the prompt to a shell command or eval, the unvalidated topic could enable injection. Additionally, the topic string is used in output filenames indirectly through the output directory, and no sanitization or length limits are applied. File: scripts/generate_market_visuals.py:130 Remediation: Sanitize the --topic argument to strip or escape special characters before interpolation. Apply a maximum length limit (e.g., 200 characters). Consider allowlisting safe characters (alphanumeric, spaces, hyphens). Document that the topic is user-supplied and untrusted in the script header.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Subprocess Execution with 120-Second Timeout Per Visual

  The generate_market_visuals.py script can generate up to 33 visuals (6 core + 27 extended) when run with --all. Each subprocess call has a 120-second timeout. In the worst case, this could consume up to 66 minutes of compute time and spawn 33 subprocesses sequentially. While not an infinite loop, this represents significant resource consumption that could degrade system performance, especially if the downstream scripts (scientific-schematics, generate-image) themselves spawn additional processes or make network calls. File: scripts/generate_market_visuals.py:155 Remediation: Add a --max-visuals flag to cap the number of visuals generated in a single run. Consider adding a global timeout in addition to per-process timeouts. Document the expected runtime in the script's help text so users understand the resource implications of --all.

• 🔵 LOW LLM_COMMAND_INJECTION — Duplicate Tuple Element in EXTENDED_VISUALS Definition

  In the EXTENDED_VISUALS list, the entry for '08_regional_breakdown.png' contains four elements in its tuple instead of three (filename, tool, prompt). The tool field is duplicated ('scientific-schematics' appears twice). This would cause an IndexError or incorrect unpacking when the tuple is destructured as (filename, tool, prompt) in the generate_visual() call loop. File: scripts/generate_market_visuals.py:185 Remediation: Remove the duplicate 'scientific-schematics' string from the tuple for '08_regional_breakdown.png'. The tuple should be (filename, tool, prompt) with exactly three elements.

• 🔵 LOW LLM_COMMAND_INJECTION — Undefined Variable Reference in --only Filter Logic

  In the generate_market_visuals.py script, when the --only flag is used, the filter references the variable VISUALS which is never defined. The script defines CORE_VISUALS and EXTENDED_VISUALS but not a combined VISUALS list. This would cause a NameError at runtime, potentially crashing the script or causing unexpected behavior if an attacker can trigger this code path. File: scripts/generate_market_visuals.py:222 Remediation: Replace VISUALS with CORE_VISUALS + EXTENDED_VISUALS in the --only filter block. Add a unit test or at minimum a comment noting this dependency.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing Referenced Files May Indicate Incomplete Package

  Several files referenced in the SKILL.md instructions are not found in the skill package: templates/api_guide.md, assets/rules_catalog.md, datamol.py, assets/api_guide.md, medchem.py, templates/rules_catalog.md. While the two primary reference files (references/api_guide.md and references/rules_catalog.md) are present and benign, the missing files could indicate an incomplete package or files that were expected to be fetched from external sources at runtime. The static analyzer flagged cross-file exfiltration chains across 3 files, which warrants noting, though no actual exfiltration code was found in the reviewed scripts. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. Remove references to files that do not exist. If files like datamol.py or medchem.py are intended as local overrides of installed packages, this should be explicitly documented and reviewed carefully, as local files named after installed packages could shadow legitimate library imports.

• 🔵 LOW LLM_DATA_EXFILTRATION — Potential Local File Shadowing via Missing datamol.py and medchem.py

  The referenced file list includes datamol.py and medchem.py, which are not found in the package. If these files were present in the skill's working directory, Python's import system would cause them to shadow the legitimately installed datamol and medchem packages (since the current directory is typically first in sys.path). This could be an attack vector if these files were maliciously crafted to intercept molecular data processed by the skill. Their absence is noted, but their presence in the reference list is suspicious. File: SKILL.md Remediation: Remove references to datamol.py and medchem.py from the skill package documentation if they are not intentional. Ensure the skill's working directory does not contain files named after installed packages. If these are intentional local modules, rename them to avoid shadowing installed packages.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies

  The installation instructions use unpinned package versions: 'uv pip install medchem datamol'. No version pins are specified for medchem, datamol, pandas, tqdm, or rdkit. The script itself also prints 'Install dependencies: uv pip install medchem datamol pandas tqdm' without version constraints. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a dependency could be published to PyPI and automatically installed. File: SKILL.md Remediation: Pin all dependencies to specific versions, e.g., 'uv pip install medchem==2.0.5 datamol==X.Y.Z pandas==X.Y.Z tqdm==X.Y.Z'. Consider providing a requirements.txt or pyproject.toml with pinned versions and hash verification. The SKILL.md already mentions medchem 2.0.5 as the target version but does not enforce it in the install command.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — User-Controlled Query String Passed Directly to QueryFilter Without Sanitization

  The --query argument from the command line is passed directly to mc.query.QueryFilter() without any validation or sanitization. If the medchem query language parser has vulnerabilities (e.g., code injection via crafted SMARTS or query strings), a malicious user could potentially exploit this. Additionally, the --rules, --alerts, --groups, and --smiles-column arguments are passed directly to library functions without input validation beyond a basic unknown-rule warning. The risk depends on the robustness of the medchem library's query parser, but the pattern of passing unsanitized user input to a domain-specific language interpreter warrants attention. File: scripts/filter_molecules.py:248 Remediation: Add input validation for the --query argument. Consider whitelisting allowed query constructs or length-limiting the query string. Validate --rules against the known rule list before passing to the library (a partial check is already done with a warning, but execution still proceeds). Consider wrapping the QueryFilter call in a try/except to handle malformed queries gracefully.

• 🔵 LOW LLM_DATA_EXFILTRATION — API Key Exposed in Inline Code Example

  The SKILL.md instruction body contains an inline Python code example that shows an API key being passed directly as a string literal ('sk-...'). While this is a placeholder/example value and not a real secret, it demonstrates a pattern that could encourage users to hardcode real API keys in their scripts. The example does not include guidance on using environment variables for the actual key value. File: SKILL.md Remediation: Replace the inline placeholder with an environment variable reference, e.g., 'api_key': os.getenv('OPENAI_API_KEY'). Add a note warning users never to hardcode real API keys in scripts.

• 🔵 LOW LLM_DATA_EXFILTRATION — Encryption Key Exposed in Inline Bash Example

  The Quick Start section of SKILL.md shows the OPEN_NOTEBOOK_ENCRYPTION_KEY being set inline in a bash command with a placeholder value. While the value is a placeholder, this pattern could encourage users to set sensitive keys directly in shell history rather than using secure secret management. File: SKILL.md Remediation: Add a note advising users to use a secrets manager or .env file rather than exporting sensitive keys directly in the shell, and to ensure shell history is not logged when setting secrets.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing compatibility Field

  The SKILL.md manifest does not specify a 'compatibility' field. The skill makes network calls to a locally hosted Docker service, which may not be available in all agent environments (e.g., sandboxed or cloud-hosted agents). Without a compatibility declaration, users may attempt to use this skill in environments where the required local Docker service is unavailable. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter specifying that this skill requires a locally running Open Notebook Docker instance, e.g., 'compatibility: Requires local Docker deployment of Open Notebook'.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

  The SKILL.md manifest does not declare an 'allowed-tools' field. The skill executes Python scripts that make network requests to a local Open Notebook server. While this is expected behavior for this skill, the absence of an allowed-tools declaration means the agent has no declared boundary on which tools it may use, reducing auditability and the ability to enforce least-privilege access. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter, e.g., 'allowed-tools: [Python, Bash]', to document the intended tool usage scope.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in SKILL.md at line 61 contains potentially dangerous Python code. File: SKILL.md:61 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in SKILL.md at line 92 contains potentially dangerous Python code. File: SKILL.md:92 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in SKILL.md at line 105 contains potentially dangerous Python code. File: SKILL.md:105 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in SKILL.md at line 126 contains potentially dangerous Python code. File: SKILL.md:126 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in SKILL.md at line 139 contains potentially dangerous Python code. File: SKILL.md:139 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in SKILL.md at line 157 contains potentially dangerous Python code. File: SKILL.md:157 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in SKILL.md at line 174 contains potentially dangerous Python code. File: SKILL.md:174 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in SKILL.md at line 194 contains potentially dangerous Python code. File: SKILL.md:194 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in references/configuration.md at line 116 contains potentially dangerous Python code. File: references/configuration.md:116 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in references/examples.md at line 17 contains potentially dangerous Python code. File: references/examples.md:17 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in references/examples.md at line 98 contains potentially dangerous Python code. File: references/examples.md:98 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in references/examples.md at line 136 contains potentially dangerous Python code. File: references/examples.md:136 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in references/examples.md at line 182 contains potentially dangerous Python code. File: references/examples.md:182 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in references/examples.md at line 231 contains potentially dangerous Python code. File: references/examples.md:231 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in references/examples.md at line 277 contains potentially dangerous Python code. File: references/examples.md:277 Remediation: Review the code block for security implications.

• 🔵 LOW LLM_DATA_EXFILTRATION — Email Address Required as Query Parameter for Multiple APIs

  The skill instructs the agent to include a real email address as a query parameter for Crossref (mailto=) and Unpaywall (email=) APIs. The instructions note 'Use a real email address. Unpaywall rejects placeholder emails like test@example.com with HTTP 422.' This means the agent may use a real user or system email address in outbound HTTP requests to third-party services, potentially exposing PII. The email is transmitted in plaintext URL query parameters which may be logged by intermediaries. Remediation: Clarify in the instructions that the user should provide their own email address for these parameters, rather than the agent using a system or default email. Document that this email will be transmitted to third-party services. Consider making this an explicit user-provided configuration value.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Missing Referenced Files Create Undefined Behavior and Potential Trust Gap

  The skill references 30 files across three directory prefixes (references/, templates/, assets/), but only 8 of these files were found. The missing files include critical reference files like assets/pmc.md, assets/arxiv.md, templates/biorxiv.md, templates/pmc.md, and many others. The SKILL.md instructions explicitly state 'Read the relevant reference file before making any API call' for each database. When these files are missing, the agent must proceed without the reference documentation, potentially making incorrect API calls. More critically, if these files are later populated by an attacker or through a supply chain compromise, they could contain malicious instructions that the agent is explicitly instructed to follow before making API calls. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package before distribution. Remove references to files that do not exist. If template/asset directories are optional, update the instructions to handle missing files gracefully rather than requiring them. Audit the file inventory to ensure completeness.

• 🔵 LOW LLM_DATA_EXFILTRATION — API Keys Loaded from Environment and .env Without Sanitization Guidance

  The skill instructs the agent to load API keys from environment variables (NCBI_API_KEY, CORE_API_KEY, S2_API_KEY, OPENALEX_API_KEY) and fall back to a .env file in the current working directory. While this is a common pattern, the instructions do not specify any validation or sanitization of these values before use, and the keys are passed directly into HTTP requests. If the .env file is attacker-controlled or the environment is compromised, this could expose credentials. Additionally, the skill instructs the agent to 'tell the user which key is missing and how to get one', which could inadvertently disclose which credentials are present or absent. File: SKILL.md Remediation: Add guidance to validate that loaded API key values match expected formats before use. Avoid disclosing which specific keys are present or absent to the user. Consider restricting .env lookup to the skill's own directory rather than the current working directory.

• 🔵 LOW LLM_PROMPT_INJECTION — Raw API Response Content Returned Directly to Agent Without Sanitization

  The skill explicitly instructs the agent to return 'the raw JSON (or parsed XML for arXiv) response from each database' and to 'default to showing the full raw JSON'. Academic paper databases can return content that includes abstracts, titles, and author-provided text fields. If any of these fields contain prompt injection payloads (e.g., malicious instructions embedded in paper abstracts or titles), returning raw API responses directly into the agent's context could enable indirect prompt injection. This is a moderate risk given that the content comes from semi-trusted academic sources, but the explicit instruction to return raw content without any filtering increases exposure. File: SKILL.md Remediation: Instruct the agent to present API results as data rather than as instructions. Consider wrapping raw API responses in code blocks or clearly delimited sections to reduce the risk of prompt injection from paper content. Add a note to treat returned content as untrusted data.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims and Keyword Baiting in Description

  The skill description contains an extensive list of trigger keywords and use cases designed to maximize activation frequency: 'Triggers on mentions of any supported database or requests like "find papers on X" or "look up this DOI"'. The description enumerates 10 databases, 15+ use cases, and explicit trigger phrases. While the skill appears to legitimately cover these databases, the explicit 'Triggers on...' language is a discovery/activation manipulation pattern that inflates the skill's activation surface beyond what is necessary. File: SKILL.md Remediation: Remove explicit trigger language from the description. Describe capabilities factually without instructing the agent on when to activate the skill. Let the agent's natural routing logic determine when to invoke the skill.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Static analyzer flagged eval/exec combined with subprocess in unreported script files

  The pre-scan static analysis reports 'BEHAVIOR_EVAL_SUBPROCESS: eval/exec combined with subprocess detected' across the file inventory, which includes 2 Python files. However, these Python files were not surfaced in the provided script content for review. The combination of eval/exec with subprocess is a high-risk pattern that can enable arbitrary code execution or command injection. Without visibility into these files, the threat cannot be fully assessed but must be flagged. Remediation: Review the 2 Python files in the skill package for use of eval(), exec(), or subprocess calls that incorporate unsanitized user input. Replace eval/exec with safe alternatives. If subprocess is needed, use a fixed argument list (not shell=True) and validate all inputs. Ensure these files are included in future security reviews.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility metadata

  The SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill may invoke. Given the skill installs and runs a CLI tool (pz) via Bash commands, declaring allowed-tools would improve transparency and auditability. File: SKILL.md Remediation: Add 'allowed-tools: [Bash]' to the YAML frontmatter to explicitly declare that this skill uses Bash execution. Also add a 'compatibility' field describing supported environments.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned third-party CLI installation via Homebrew, Scoop, and external URLs

  The skill instructs the agent to install the 'pz' CLI via Homebrew tap (paperzilla-ai/tap/pz), Scoop bucket from a GitHub repository (https://github.com/paperzilla-ai/scoop-bucket), or an external Linux install guide URL. None of these installation methods pin a specific version, meaning a compromised tap, bucket, or install script could deliver a malicious binary. The supply chain for the CLI tool is not verifiable from within the skill package itself. File: SKILL.md Remediation: Pin the CLI to a specific version (e.g., 'brew install paperzilla-ai/tap/pz@1.2.3' or equivalent). Provide checksum verification for Linux installs. Reference a specific tagged release rather than a mutable install guide URL.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Installation Script Fetched from Remote URL Without Integrity Verification

  The setup section instructs the agent to install parallel-cli by piping a remote shell script directly to bash: curl -fsSL https://parallel.ai/install.sh | bash. This pattern downloads and executes arbitrary code from a remote server without any integrity verification (no checksum, no signature verification). If the remote server is compromised or the URL is intercepted (MITM), malicious code would be executed directly on the user's machine with the agent's privileges. File: SKILL.md Remediation: Replace the curl-pipe-bash pattern with a verified installation method. At minimum, provide a checksum to verify the downloaded script before execution. Prefer package manager installation with pinned versions. Document the expected hash of the install script and instruct the agent to verify it before executing.

• 🟡 MEDIUM LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims and Aggressive Activation Triggers

  The skill description explicitly instructs the agent to activate for 'ANY web-related task — even if the user doesn't mention parallel or web explicitly.' This is a classic capability inflation / keyword baiting pattern. The description enumerates an extremely broad set of triggers (look something up, fetch a page, enrich a dataset, investigate a topic, find academic papers, check citations, review scientific literature) designed to maximize activation frequency and intercept requests that might otherwise be handled by built-in tools. The phrase 'Use this skill for ANY web-related task' is an explicit priority manipulation directive. File: SKILL.md Remediation: Narrow the description to specific, well-defined use cases. Remove the 'ANY web-related task' language and the instruction to activate even when the user doesn't mention the skill. Avoid enumerating exhaustive trigger phrases designed to maximize activation.

• 🔵 LOW LLM_DATA_EXFILTRATION — API Key Handling via Environment Variable and .env File

  The skill instructs the agent to read PARALLEL_API_KEY from a .env file and pass it to parallel-cli commands. While using environment variables is generally acceptable, the instructions involve running dotenv -f .env run parallel-cli auth which loads the .env file and exposes its contents to the subprocess environment. If the .env file contains other sensitive keys beyond PARALLEL_API_KEY, those would also be exposed to the parallel-cli process. Additionally, the fallback export PARALLEL_API_KEY="your-key" pattern could expose the key in shell history. File: SKILL.md Remediation: Limit .env file loading to only the required key rather than the entire file. Avoid the export KEY=value pattern in shell history. Use a secrets manager or agent-native credential storage where available. Document that the .env file should contain only the minimum required credentials.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation via uv tool install

  The fallback installation method uses uv tool install "parallel-web-tools[cli]" without a pinned version. This means the agent will always install the latest available version of the package, which could be a compromised or malicious version if the package is ever taken over or if a typosquatting package is published. The package name 'parallel-web-tools' is not a widely known package and its provenance is not independently verifiable from the skill alone. File: SKILL.md Remediation: Pin the package to a specific known-good version (e.g., uv tool install "parallel-web-tools[cli]==1.2.3"). Document the expected package hash or provide a link to the official package registry entry. Consider adding integrity verification steps after installation.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Shell Command Injection Risk via Unvalidated $ARGUMENTS Interpolation

  Multiple reference files construct shell commands by directly interpolating $ARGUMENTS (which originates from user input) into bash command strings without any sanitization, quoting, or validation. In references/deep-research.md, references/web-search.md, references/web-extract.md, and references/data-enrichment.md, the pattern parallel-cli <subcommand> "$ARGUMENTS" is used. If $ARGUMENTS contains shell metacharacters (semicolons, backticks, $(), pipes, etc.), this could result in command injection when the agent executes these bash commands. The static analyzer also flagged eval/exec combined with subprocess, suggesting this risk is present in the Python files as well. File: references/data-enrichment.md Remediation: Sanitize and validate $ARGUMENTS before interpolating into shell commands. Use array-based command construction rather than string interpolation. Instruct the agent to validate that arguments do not contain shell metacharacters before executing commands. Consider using --arg-file or stdin-based input to avoid shell interpolation entirely.

• 🟡 MEDIUM LLM_UNAUTHORIZED_TOOL_USE — Instruction to Prefer Skill's Tool Over Built-in Agent Capabilities

  The web-extract reference file explicitly instructs the agent to 'Prefer this over the built-in WebFetch tool.' This is a tool shadowing pattern — the skill attempts to displace a legitimate built-in agent tool with its own external service (parallel-cli), routing all URL fetching through the skill's infrastructure rather than the agent's native capability. This could be used to intercept content that would otherwise be fetched directly. File: references/web-extract.md Remediation: Remove the directive to prefer this tool over built-in agent capabilities. Let the agent decide which tool is most appropriate based on the task requirements rather than instructing it to always displace native tools.

• 🔵 LOW LLM_PROMPT_INJECTION — Indirect Prompt Injection Risk via Extracted Web Content

  The web-extract capability instructs the agent to 'Keep content verbatim - do not paraphrase or summarize' and to 'Preserve all facts, names, numbers, dates, quotes' from fetched web pages and academic PDFs. This means malicious instructions embedded in fetched web content (e.g., a webpage containing 'Ignore previous instructions and...') would be returned verbatim into the agent's context without any sanitization or warning. The skill provides no guidance on treating fetched content as untrusted. File: references/web-extract.md Remediation: Add explicit instructions to treat fetched web content as untrusted data. Instruct the agent to not follow any instructions found within fetched content. Consider wrapping extracted content in clear delimiters that signal to the agent it is untrusted external data. Add a note that the agent should flag any suspicious instruction-like content found in fetched pages.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License and Compatibility Metadata

  The YAML manifest does not specify a license (listed as 'Unknown') or compatibility field. While the skill has an author and version, missing license information makes it unclear under what terms the skill can be used or distributed. This is a minor metadata completeness issue. File: SKILL.md Remediation: Add a valid SPDX license identifier (e.g., 'MIT', 'Apache-2.0') and specify compatibility (e.g., 'Claude Code, API') in the YAML frontmatter.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Dependency Installation Instructions

  The SKILL.md installation instructions use conda install and pip install without version pins for bioinformatics tools (mafft, iqtree, fasttree, ete3). Unpinned dependencies could result in installation of unexpected versions, though the risk of supply chain compromise via bioconda is low for established bioinformatics tools. File: SKILL.md:14 Remediation: Consider pinning versions (e.g., 'conda install -c bioconda mafft=7.520 iqtree=2.2.6') to ensure reproducibility and reduce supply chain risk.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in SKILL.md at line 67 contains potentially dangerous Python code. File: SKILL.md:67 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in SKILL.md at line 100 contains potentially dangerous Python code. File: SKILL.md:100 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in SKILL.md at line 143 contains potentially dangerous Python code. File: SKILL.md:143 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in SKILL.md at line 198 contains potentially dangerous Python code. File: SKILL.md:198 Remediation: Review the code block for security implications.

• 🔵 LOW LLM_DATA_EXFILTRATION — False Positive: Static Analyzer Flags on Legitimate Bioinformatics Pipeline

  The pre-scan static analyzer flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN. After manual review of all code, these appear to be false positives. The scripts use subprocess.run() to invoke bioinformatics CLI tools (mafft, iqtree2, FastTree) and do not read environment variables for exfiltration, nor do they make any network calls to external servers. All file I/O is local (reading FASTA input, writing alignment/tree output files). No credential files (e.g., ~/.aws, ~/.ssh) are accessed. The 'cross-file chain' likely refers to the SKILL.md and script sharing similar subprocess patterns, not an actual exfiltration chain. File: scripts/phylogenetic_analysis.py Remediation: No action required. The static analyzer findings are false positives for this legitimate bioinformatics skill.

• 🔵 LOW LLM_COMMAND_INJECTION — Partial Command Injection Risk via User-Controlled MAFFT Method Argument

  In the script's run_mafft() function, when method != 'auto', the method string is interpolated directly into the command as f'--{method}'. However, in the main() function, the --mafft-method argument is constrained by argparse choices=['auto','linsi','einsi','fftnsi','fftns'], which effectively prevents injection via CLI. If the function is called programmatically with an unsanitized method string, injection into the mafft command arguments is theoretically possible. The risk is low because subprocess.run() with a list (not shell=True) prevents shell injection, but arbitrary mafft flags could be passed. File: scripts/phylogenetic_analysis.py:68 Remediation: Add explicit validation of the method parameter within run_mafft() itself (e.g., assert method in VALID_METHODS) to protect against programmatic misuse. This is already handled at the CLI layer but should be defense-in-depth.

• 🔵 LOW LLM_DATA_EXFILTRATION — Proprietary License Without Complete Terms Bundled

  The skill declares 'Proprietary. LICENSE.txt has complete terms' but the LICENSE.txt file is not included in the analyzed package contents. This is a minor documentation/transparency issue but could indicate incomplete packaging. File: SKILL.md Remediation: Ensure LICENSE.txt is included in the skill package and accessible to users who need to review the terms before use.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Activation Description

  The skill description is extremely broad, instructing the agent to activate 'any time a .pptx file is involved in any way' and to trigger on generic words like 'deck,' 'slides,' or 'presentation.' This over-broad activation scope could cause the skill to intercept conversations where it is not needed, potentially displacing more appropriate skills or consuming unnecessary resources. File: SKILL.md Remediation: Narrow the activation criteria to specific, well-defined tasks rather than triggering on any mention of generic presentation-related words. Consider scoping to explicit user requests to create, edit, or analyze .pptx files.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Dependency Installation Instructions

  The SKILL.md dependencies section instructs users to install packages without version pins (e.g., 'pip install markitdown[pptx]', 'pip install Pillow', 'npm install -g pptxgenjs'). Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be published and automatically installed. File: SKILL.md Remediation: Pin all dependencies to specific, known-good versions (e.g., 'pip install markitdown[pptx]==0.x.y', 'pip install Pillow==10.x.y', 'npm install -g pptxgenjs@3.x.x'). Consider providing a requirements.txt or package.json with locked versions and checksums.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Dynamic Compilation and LD_PRELOAD Injection of Native Shim

  The soffice.py script dynamically compiles a C source file using gcc at runtime and loads the resulting shared library via LD_PRELOAD into the LibreOffice subprocess. While the C source is hardcoded in the script, this pattern is architecturally dangerous: it compiles and injects native code into a subprocess, intercepts low-level socket system calls (socket, listen, accept, close, read), and uses _exit(0) to terminate the process. If the _SHIM_SOURCE string were ever modified (e.g., via a supply chain attack or indirect injection), this mechanism could be used to execute arbitrary native code with full system access. File: scripts/office/soffice.py Remediation: Consider shipping the pre-compiled shim as a binary artifact rather than compiling it at runtime. If runtime compilation is required, verify the integrity of the compiled output (e.g., checksum), restrict the temp directory permissions, and ensure the shim .so file cannot be replaced between compilation and use. Additionally, validate that gcc is available and trusted before invoking it.

• 🔵 LOW LLM_DATA_EXFILTRATION — Environment Variable Copying in soffice.py

  The soffice.py helper calls os.environ.copy() to clone the entire process environment and passes it to subprocess calls. While this is a common pattern for subprocess invocation, it means all environment variables (including potentially sensitive ones like API keys, tokens, AWS credentials, etc.) are forwarded to the soffice subprocess. This is not an active exfiltration attempt but represents an unnecessary exposure of the full environment to an external process. File: scripts/office/soffice.py Remediation: Consider constructing a minimal environment for the soffice subprocess rather than copying the full environment. Only pass variables that LibreOffice actually requires (e.g., HOME, PATH, DISPLAY, SAL_USE_VCLPLUGIN, LD_PRELOAD).

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Static Analyzer Flags Cross-File Environment Variable Exfiltration Chain

  The pre-scan static analysis detected patterns consistent with environment variable access combined with network calls across multiple files (BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN, BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across 2 files). While the reviewed reference files do not contain explicit malicious code, the static analyzer identified 8 total files including 2 Python files that were not surfaced in the skill content provided for review. These unreferenced or hidden Python scripts may contain credential harvesting logic that reads environment variables (e.g., API tokens, AWS credentials) and transmits them via the protocols.io API network calls as a side channel. File: SKILL.md Remediation: Audit all Python files in the skill package for environment variable access (os.environ, os.getenv) combined with network calls (requests.post, requests.get to non-protocols.io domains). Ensure no script reads credentials or sensitive environment variables and transmits them externally. All network calls should be limited to https://protocols.io/api/v3 only.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

  The skill manifest does not specify a license or compatibility field. While these are optional fields, their absence reduces transparency about the skill's provenance, intended deployment environment, and usage rights. The skill author is listed as 'K-Dense Inc.' but no license is provided, which could create legal ambiguity for users deploying this skill. File: SKILL.md Remediation: Add a valid SPDX license identifier (e.g., 'MIT', 'Apache-2.0') and specify compatibility (e.g., 'Claude.ai, Claude Code, API') in the YAML frontmatter.

• 🔵 LOW LLM_DATA_EXFILTRATION — Token Handling Guidance Relies on User Discipline Without Enforcement

  The skill instructs users to store access tokens securely and never put them in code or version control, but provides Python code examples using placeholder strings like 'YOUR_ACCESS_TOKEN' directly in code. While these are examples, the pattern normalizes inline token usage and could lead users to inadvertently hardcode real tokens in scripts derived from these examples. File: SKILL.md Remediation: Update code examples to demonstrate secure token retrieval patterns, such as reading from environment variables (os.environ.get('PROTOCOLS_IO_TOKEN')) or a secrets manager, rather than inline string assignment.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Description Enabling Excessive Activation

  The skill description is extremely broad, covering protocol discovery, creation, updating, publishing, step management, materials, discussions, workspaces, file management, experiment tracking, and integration projects. While this matches the actual documented functionality, the description is designed to trigger activation across a very wide range of scientific workflow scenarios, potentially causing the skill to be invoked more broadly than necessary. File: SKILL.md Remediation: Narrow the description to the most common use cases. Avoid listing every possible scenario in the activation description to reduce unnecessary skill invocation.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Multiple Missing Referenced Files Create Undefined Behavior Risk

  The skill references numerous files that do not exist in the package: assets/additional_features.md, assets/protocols_api.md, templates/workspaces.md, assets/workspaces.md, templates/discussions.md, assets/discussions.md, templates/authentication.md, templates/protocols_api.md, assets/file_manager.md, templates/file_manager.md, templates/additional_features.md. When the agent attempts to read these files and fails, it may fall back to hallucinated or incorrect API guidance, potentially leading to incorrect API calls or security misconfigurations. File: SKILL.md Remediation: Remove references to non-existent files from the skill instructions. Consolidate all reference files into a single consistent directory structure (e.g., only 'references/') and ensure all referenced files are present in the package.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in SKILL.md at line 283 contains potentially dangerous Python code. File: SKILL.md:283 Remediation: Review the code block for security implications.

• 🟡 MEDIUM MDBLOCK_PYTHON_HTTP_POST — Python code block sends HTTP POST request

  Code block in SKILL.md at line 310 contains potentially dangerous Python code. File: SKILL.md:310 Remediation: Review the code block for security implications.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Field

  The SKILL.md manifest does not specify the 'allowed-tools' field. While this field is optional per the spec, its absence means there are no declared restrictions on which agent tools (Bash, Python, Read, Write, etc.) this skill may invoke. The skill executes Python scripts and Bash commands, so declaring allowed tools would improve transparency and reduce the attack surface. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools actually needed (e.g., [Python, Bash, Read, Write]) to document and constrain the skill's capabilities.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — No Version Pinning for pufferlib Dependency

  The installation instruction uses 'uv pip install pufferlib' without specifying a version pin. This means the skill will always install the latest available version, which could introduce breaking changes or, in a supply chain attack scenario, a compromised package version. File: SKILL.md Remediation: Pin the dependency to a specific version (e.g., 'uv pip install pufferlib==0.x.y') and verify package integrity via checksums or a lockfile.

• 🔵 LOW LLM_DATA_EXFILTRATION — Neptune API Token Stored in Logger Configuration

  The Neptune API token passed via CLI is stored in the trainer configuration dict (vars(args)) and passed to WandbLogger/NeptuneLogger as part of config. This may cause the token to be logged to experiment tracking systems, potentially exposing credentials in run metadata. File: scripts/train_template.py:113 Remediation: Ensure the neptune_token is excluded from any config dict that gets logged. Use a dedicated secrets retrieval mechanism rather than passing tokens through the argument namespace.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Neptune API Token Passed via Command-Line Argument

  The training script accepts a Neptune API token via a command-line argument (--neptune-token). Passing secrets as CLI arguments exposes them in process listings, shell history, and logs. While not hardcoded, this pattern encourages insecure secret handling and could lead to credential exposure in shared or logged environments. File: scripts/train_template.py:176 Remediation: Use environment variables or a secrets manager for API tokens. Read the token from os.environ.get('NEPTUNE_API_TOKEN') rather than accepting it as a CLI argument. Document this secure pattern in the template.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies

  The SKILL.md installation instructions use unpinned package versions (e.g., 'uv pip install pymatgen', 'uv pip install mp-api'). The version requirements in the skill only specify minimum versions ('pymatgen >= 2023.x', 'mp-api') without exact pins. This creates a supply chain risk where a future compromised or malicious version of these packages could be installed. The scripts also dynamically import 'yaml' without version pinning. File: SKILL.md Remediation: Pin exact package versions in installation instructions (e.g., 'uv pip install pymatgen==2024.x.x mp-api==0.x.x'). Consider providing a requirements.txt or pyproject.toml with pinned dependencies and hash verification.

• 🔵 LOW LLM_DATA_EXFILTRATION — API Key Accessed from Environment Variable and Passed to External Service

  The phase_diagram_generator.py script reads the MP_API_KEY environment variable and passes it directly to MPRester, which makes network calls to the Materials Project API. While this is the documented and expected behavior for this skill (Materials Project integration is the stated purpose), the static analyzer flagged this as a potential env var exfiltration chain. In context, this is legitimate: the API key is used solely to authenticate with the official Materials Project API (materialsproject.org), not an attacker-controlled endpoint. The skill metadata explicitly declares MP_API_KEY as a required environment variable. This is LOW severity as it represents expected behavior, but users should be aware their API key is transmitted to an external service. File: scripts/phase_diagram_generator.py:47 Remediation: This is expected behavior for Materials Project integration. Ensure the MP_API_KEY is scoped appropriately and that users understand it is transmitted to materialsproject.org. Consider documenting that the key is only used with the official Materials Project API endpoint.

• 🔵 LOW LLM_DATA_EXFILTRATION — User-Provided File Paths Passed Directly to Structure Parsers

  In structure_converter.py and structure_analyzer.py, user-supplied file paths are passed directly to pymatgen's Structure.from_file() without path sanitization or validation beyond checking if the file exists. While pymatgen's parsers are generally safe, a maliciously crafted structure file (e.g., a CIF file with embedded code or path traversal in filenames) could potentially cause issues. The batch conversion also uses glob patterns from user input without restriction. File: scripts/structure_converter.py:44 Remediation: Validate that input file paths are within expected directories. Consider restricting glob patterns to prevent directory traversal. Validate file extensions against a whitelist of supported formats before passing to parsers.

• 🟡 MEDIUM BEHAVIOR_ENV_VAR_HARVESTING — Environment variable harvesting detected

  Script iterates through environment variables in skills/pymatgen/scripts/phase_diagram_generator.py File: skills/pymatgen/scripts/phase_diagram_generator.py Remediation: Remove environment variable collection unless explicitly required and documented

• 🟡 MEDIUM MDBLOCK_PYTHON_SUBPROCESS — Python code block executes shell commands

  Code block in references/identification.md at line 303 contains potentially dangerous Python code. File: references/identification.md:303 Remediation: Review the code block for security implications.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Static Analyzer Flags Environment Variable Exfiltration Chain in Associated Scripts

  The pre-scan static analysis flagged BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN, and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across 2 files (3 Python scripts total, none shown in the provided content). The SKILL.md references the 'scientific-schematics' skill's generate_schematic.py script and requires OPENROUTER_API_KEY. The static analyzer detected environment variable access combined with network calls across multiple files. Since the Python scripts were not provided for direct inspection, the exact nature of the env var access and network calls cannot be fully verified, but the pattern is consistent with reading OPENROUTER_API_KEY from the environment and transmitting it to the OpenRouter API. This is expected behavior for the stated functionality but warrants review to confirm no additional env vars (credentials, secrets) are harvested beyond what is needed. File: SKILL.md Remediation: Review the Python scripts (generate_schematic.py and any helper files) to confirm that only OPENROUTER_API_KEY is read from the environment and that no other environment variables (AWS credentials, SSH keys, other API tokens) are accessed. Ensure the API call sends only the user's diagram prompt and not any additional system context or environment data.

• 🔵 LOW LLM_DATA_EXFILTRATION — Third-Party API Transmission Disclosure for Optional Diagram Generation

  The SKILL.md instructions note that the optional scientific-schematics skill sends user prompts to OpenRouter (a third-party API) when generating diagrams. The skill appropriately discloses this in a 'Disclosure' note and makes it opt-in (only when user explicitly requests a diagram). The compatibility field also mentions OPENROUTER_API_KEY and outbound API access. This is a low-severity informational finding because the disclosure is present and the feature is optional, but users should be aware that prompt content is transmitted externally. File: SKILL.md Remediation: The disclosure is already present and appropriate. No remediation required. Consider reinforcing the disclosure at the point of invocation in the scientific-schematics skill itself.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Several Referenced Internal Files Not Found

  The SKILL.md references numerous internal files (assets/evidence_hierarchy.md, templates/common_biases.md, assets/logical_fallacies.md, templates/statistical_pitfalls.md, templates/logical_fallacies.md, templates/scientific_method.md, assets/experimental_design.md, assets/statistical_pitfalls.md, templates/evidence_hierarchy.md, assets/common_biases.md, templates/experimental_design.md, assets/scientific_method.md) that were not found in the skill package. While the core reference files (references/*.md) are present and well-formed, the missing files could cause the agent to fail silently or attempt to locate them from unexpected sources if instructed to grep or load them. File: SKILL.md Remediation: Remove references to non-existent files from the instructions, or add the missing files to the skill package. Ensure the grep command example ('grep -r "pattern" references/') only targets directories that exist to avoid unexpected behavior.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration for Referenced Bash Command Execution

  The SKILL.md declares allowed-tools as 'Read Write Edit' but the instructions include a bash command example invoking 'python scripts/generate_schematic.py' via a bash code block. While this is presented as an example command for the user to run rather than a direct agent tool invocation, the allowed-tools list does not include 'Bash' or 'Python', which could create ambiguity about whether the agent is expected to execute this command directly. If the agent interprets the bash block as an instruction to execute, it would violate the declared tool restrictions. File: SKILL.md Remediation: Clarify in the instructions whether the bash block is for the user to run manually or for the agent to execute. If the agent should execute it, add 'Bash' and 'Python' to allowed-tools. If it is user-facing only, add a note such as 'Run this command yourself in your terminal' to prevent agent misinterpretation.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Multiple Missing Referenced Files May Indicate Incomplete Package

  The skill references numerous files that are not present in the package: templates/code-generation-printing.md, assets/advanced-topics.md, sympy.py, scipy.py, assets/physics-mechanics.md, templates/physics-mechanics.md, assets/matrices-linear-algebra.md, templates/matrices-linear-algebra.md, assets/core-capabilities.md, matplotlib.py, templates/core-capabilities.md, templates/advanced-topics.md, assets/code-generation-printing.md. While missing internal reference files are not inherently malicious, the large number of missing files (13 out of ~18 referenced) suggests the package is incomplete. The static analyzer flagged cross-file exfiltration chains involving 3 files, but no actual script files were found in the package. This discrepancy between static analyzer flags and actual content warrants noting. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package. If files are intentionally omitted, remove references to them from SKILL.md to avoid confusion.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instructions

  The SKILL.md installation section uses 'sympy>=1.14' (a minimum version constraint, not a pinned version) for the uv pip install command. Optional dependencies (numpy, scipy, matplotlib) are installed with no version constraints at all. Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be installed if a newer version is published by a compromised maintainer or via typosquatting. File: SKILL.md Remediation: Pin all dependencies to exact versions (e.g., 'sympy==1.14.0', 'numpy==2.x.x'). Use a lockfile (e.g., uv.lock or requirements.txt with hashes) to ensure reproducible and verifiable installs.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — parse_expr() Eval-Based Parsing Documented Without Adequate Guardrails in Examples

  The references/code-generation-printing.md file documents use of SymPy's parse_expr() function, which uses Python eval() internally. While the file does include security warnings, the Pattern 3 example ('Interactive Computation') contains a validation regex that is insufficient: it rejects strings containing '(' which would block virtually all valid math expressions (e.g., 'sin(x)'), suggesting the guard is broken/untested. Additionally, the regex check re.search(r'__|import|=|\(', s) would reject the parenthesis character, making the validator reject nearly all SymPy expressions. If an agent follows this pattern and attempts to work around the broken validator, it may fall back to unvalidated eval. The skill instructs agents to use parse_expr on user-provided input in interactive scenarios. File: references/code-generation-printing.md Remediation: Fix the validation regex to not reject '(' (parentheses are required for valid math expressions). The correct approach is to use an allowlist of permitted characters (digits, letters, operators, parentheses, spaces) rather than a blocklist. Consider using SymPy's sympify with a restricted local_dict instead of parse_expr for user input.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Static Analysis Flags Environment Variable Exfiltration Pattern Across Missing Python Files

  The pre-scan static analyzer detected BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access combined with network calls) and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION across 3 files. The skill's SKILL.md explicitly discusses HF_TOKEN environment variable handling and instructs users to set tokens via environment variables. The two missing Python files (huggingface_hub.py and transformers.py) are the most likely candidates for the flagged behavior. If these scripts read environment variables (including HF_TOKEN, AWS credentials, or other secrets) and transmit them over the network, this would constitute credential exfiltration. The skill cannot be fully cleared without reviewing these files. File: SKILL.md Remediation: Locate and review huggingface_hub.py and transformers.py before use. Verify that any environment variable reads (os.environ, os.getenv) are used only for legitimate authentication with the Hugging Face Hub and not transmitted to third-party endpoints. Confirm network calls go only to huggingface.co and not to attacker-controlled infrastructure.

• 🔵 LOW LLM_PROMPT_INJECTION — trust_remote_code=True Instruction May Enable Indirect Prompt/Code Injection via Hub Model Cards

  The SKILL.md instructs users to use trust_remote_code=True when loading models that require custom code. This parameter allows arbitrary Python code bundled with a Hub model to execute on the user's machine. A malicious or compromised model on the Hub could include custom modeling code that exfiltrates data, reads credentials, or performs other harmful actions. The skill's guidance to use this parameter 'only when the model card requires custom code you have reviewed' is appropriate but may not be followed in practice. File: SKILL.md Remediation: Strengthen the warning around trust_remote_code=True. Add explicit guidance that this parameter executes arbitrary third-party Python code and should be treated as equivalent to running an untrusted script. Recommend sandboxing or code review before use. Consider flagging this as a high-risk operation requiring explicit user confirmation.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Multiple Missing Referenced Files May Indicate Incomplete or Misleading Skill Package

  The skill references numerous files that are not present in the package: templates/models.md, assets/tokenizers.md, assets/training.md, assets/pipelines.md, huggingface_hub.py, templates/tokenizers.md, assets/models.md, transformers.py, templates/pipelines.md, templates/generation.md, templates/training.md, and assets/generation.md. Notably, two Python files (huggingface_hub.py and transformers.py) are referenced but not found. The static pre-scan flags cross-file exfiltration chains and environment variable exfiltration across 3 files, suggesting the missing scripts may be the source of these signals. The absence of these files prevents full security analysis of the skill's actual behavior. File: SKILL.md Remediation: Audit and include all referenced files in the skill package. Specifically, obtain and review huggingface_hub.py and transformers.py before deploying this skill, as the static analyzer flagged cross-file exfiltration chains involving Python files. Do not deploy skills with missing referenced scripts.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

  The skill does not declare an allowed-tools field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on what tools the agent may use when executing this skill. Given the pre-scan static analysis flags indicating potential environment variable exfiltration and cross-file exfiltration chains in the broader skill repository context, the absence of tool restrictions is worth noting. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to limit the skill to only the tools it legitimately needs (e.g., Read for accessing reference files). This provides a defense-in-depth layer against unintended tool use.

• 🔵 LOW LLM_HARMFUL_CONTENT — Pseudoscientific Framing in Skill Instructions

  The skill references 'IDNA v2 / Unified Digital Consciousness Theory' and the 'What-If Paradigm' as published research, and includes claims such as 'Nature uses this ratio [golden ratio] for branching (trees, rivers, blood vessels). Strategic planning can too.' These claims blend legitimate scenario planning methodology with pseudoscientific framing (consciousness theory applied to AI decision-making, golden ratio as a strategic planning principle). While not directly harmful, this framing could mislead users into treating speculative outputs as scientifically grounded predictions. File: SKILL.md Remediation: Remove or clearly caveat pseudoscientific claims. The skill already includes a 'What This Is NOT' section with appropriate disclaimers; extend this to cover the theoretical framing. Avoid presenting speculative frameworks as established scientific research.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Claims in Description

  The skill description claims to handle a wide range of speculative and strategic analysis tasks ('uncertain futures, strategic forks, contingency planning, stress-testing a decision'). While this is not inherently malicious, the description is broad enough to trigger activation across many unrelated user queries involving uncertainty or decision-making, potentially inflating the skill's activation surface beyond its intended scope. File: SKILL.md Remediation: Narrow the description to more specific trigger conditions to avoid over-broad activation. Define clear boundaries for when the skill should and should not activate.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Pre-Scan Static Analysis Flags Potential Exfiltration Patterns in Repository

  The pre-scan static analysis context reports findings of BEHAVIOR_ENV_VAR_EXFILTRATION (environment variable access with network calls detected), BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN (cross-file exfiltration chain across 2 files), and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION (cross-file env var exfiltration across 2 files). The file inventory indicates 5 Python files and 12 other files exist in the repository, but no script files were provided for analysis of this specific skill. The skill package itself (SKILL.md + references/scenario-templates.md) appears clean, but the broader repository context raises concern about co-located malicious scripts that could be invoked or interact with this skill. File: references/scenario-templates.md Remediation: Audit all 5 Python files and 12 other files in the repository for the flagged exfiltration patterns. Identify which files are involved in the cross-file exfiltration chain and remove or remediate them before deploying this skill package. Ensure no Python scripts in the repository can be inadvertently invoked by the agent when running this skill.

• 🔵 LOW LLM_DATA_EXFILTRATION — Proprietary License Without Complete Terms Bundled

  The YAML manifest declares 'license: Proprietary. LICENSE.txt has complete terms' but the LICENSE.txt file is not included in the analyzed skill package files. Users installing this skill cannot verify the terms under which it operates, and the skill author (K-Dense Inc.) retains undisclosed rights over the skill's behavior and data handling. This is an informational concern rather than an active threat, but proprietary licensing of agent skills warrants scrutiny. File: SKILL.md Remediation: Ensure LICENSE.txt is bundled with the skill package and is readable before installation. Consider using an open-source license for agent skills to allow security auditing of terms.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies in Installation Instructions

  The SKILL.md installation instructions use 'uv pip install openpyxl pandas' and 'uv pip install python-calamine' and 'uv pip install defusedxml' without version pins. Unpinned dependencies are vulnerable to supply chain attacks where a malicious package version could be published and automatically installed. The skill also references 'openpyxl.py' as a referenced file that was not found, which may indicate a missing or misreferenced internal file. File: SKILL.md Remediation: Pin all dependencies to specific versions, e.g., 'uv pip install openpyxl==3.1.5 pandas==2.2.2 defusedxml==0.7.1'. Consider providing a requirements.txt or pyproject.toml with pinned versions and hash verification. Investigate the missing 'openpyxl.py' referenced file.

• 🟡 MEDIUM LLM_COMMAND_INJECTION — Dynamic Compilation and LD_PRELOAD Injection of Native Shared Library

  The soffice.py script compiles a C source file at runtime using gcc and then injects the resulting shared library via LD_PRELOAD into LibreOffice subprocesses. While the C source (_SHIM_SOURCE) is hardcoded within the script and hash-verified before use, this pattern is inherently risky: (1) it executes gcc as a subprocess with user-controlled paths, (2) the compiled .so is placed in a user-writable cache directory (~/.cache/xlsx-skill/lo-shim/), and (3) LD_PRELOAD injection intercepts low-level socket calls (socket, listen, accept, close, read) in the LibreOffice process. If an attacker can replace the cached .so or manipulate the source before compilation, arbitrary code could execute within LibreOffice's process space. The hash check only verifies the source matches the embedded string, not that the compiled binary is untampered. File: scripts/office/soffice.py Remediation: 1. Verify the compiled .so hash (not just the source hash) after compilation. 2. Consider using a pre-compiled, signed binary distributed with the skill package instead of runtime compilation. 3. Ensure _SHIM_DIR permissions are set to 0o700 before writing (already done, but verify atomicity). 4. Consider whether this functionality is necessary for the skill's core purpose and whether it can be disabled by default.

• 🔵 LOW LLM_DATA_EXFILTRATION — Selective Environment Variable Filtering in LibreOffice Subprocess Environment

  The get_soffice_env() function in scripts/office/soffice.py constructs a minimal environment for LibreOffice subprocesses by whitelisting specific environment variable keys. While this is a security-positive pattern (avoiding full os.environ passthrough), the static analyzer flagged a cross-file env var exfiltration chain. The actual behavior is benign: the function filters to only PATH, HOME, LANG, LC_ALL, LC_CTYPE, TMPDIR, TMP, TEMP, USER — none of which are sensitive credentials. No network calls are made with these variables. The subprocess runs soffice locally. This is a false positive from the static analyzer, but worth noting for completeness. File: scripts/office/soffice.py Remediation: No remediation required. The implementation is already following the principle of least privilege by whitelisting only necessary environment variables. The docstring explicitly notes this is to avoid copying secrets.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Recursive Directory Traversal in Validators

  Multiple validator scripts (base.py, merge_runs.py, simplify_redlines.py) use rglob('.xml') and rglob('.rels') to traverse all XML files in the unpacked directory. If a maliciously crafted Office file contains a deeply nested directory structure or a very large number of XML files, this could cause excessive memory consumption or CPU exhaustion. The unpack.py script extracts ZIP archives without checking for zip bombs or path traversal attacks before processing. File: scripts/office/validators/base.py Remediation: 1. Add a limit on the number of XML files processed (e.g., max 1000 files). 2. Use defusedxml or check for zip bombs before extraction (check uncompressed size vs compressed size ratio). 3. Add path traversal protection when extracting ZIP archives (verify all extracted paths are within the output directory). 4. Consider using zipfile's extractall with a filter in Python 3.12+ to prevent path traversal.

• 🟡 MEDIUM LLM_DATA_EXFILTRATION — Static Analyzer Flags Environment Variable Access with Network Calls

  The pre-scan static analysis detected BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION patterns across 2 files, indicating that environment variable access is combined with network calls. While no explicit script files were provided for review, the static analyzer found a cross-file exfiltration chain. This suggests hidden script files (possibly among the 5 Python files in the inventory) may be reading environment variables (potentially containing credentials, API keys, or tokens) and transmitting them externally. The skill's stated purpose (Zarr array management) does not require reading environment variables for exfiltration. Remediation: Audit all 5 Python files in the skill package for environment variable reads (os.environ, os.getenv) combined with network calls (requests, urllib, httpx, socket). Remove any code that reads credentials or environment variables and transmits them to external endpoints. Ensure cloud credential handling follows the documented pattern of delegating to fsspec/provider SDKs only.

• 🟡 MEDIUM LLM_SUPPLY_CHAIN_ATTACK — Unpinned or Loosely-Pinned Dependency Guidance Could Enable Supply Chain Attack

  While the skill does recommend pinned versions in some places (zarr==3.2.1, s3fs==2026.4.0, gcsfs==2026.5.0), it also explicitly suggests using version ranges like zarr>=3,<4 in certain scenarios. For a skill targeting scientific computing pipelines with cloud storage access (S3/GCS), unpinned dependencies create a supply chain risk where a compromised package version could be automatically installed. File: SKILL.md Remediation: Consistently recommend exact version pins for all dependencies, especially those with cloud storage access. Discourage version ranges without lockfiles in security-sensitive contexts. Add explicit guidance to always use lockfiles (uv.lock, requirements.txt with hashes) when deploying in production environments.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Skill References Non-Existent Python Module Files as Imports

  The skill's referenced files list includes h5py.py, xarray.py, zarr.py, and dask.py which are not found in the skill package. These names shadow well-known third-party packages (h5py, xarray, zarr, dask). If these files existed, they could intercept imports of those packages. Their absence is noted but the naming pattern is suspicious and could indicate an incomplete or partially-deployed supply chain attack via module shadowing. File: SKILL.md Remediation: Confirm these files do not exist in the skill package directory. If they do exist, audit their contents carefully as they would shadow legitimate package imports. Remove any local .py files that share names with third-party packages unless intentional and reviewed.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Files Referenced in Skill Instructions May Indicate Incomplete Package

  Several files referenced in the skill instructions are not found: templates/api_reference.md, assets/api_reference.md, assets/v3_migration.md, templates/v3_migration.md. The file inventory shows 33 total files but many referenced paths are missing. This discrepancy between claimed and actual content could indicate an incomplete package or that the skill was designed to reference external or dynamically-fetched content. File: SKILL.md Remediation: Ensure all files referenced in SKILL.md instructions are bundled within the skill package. Remove references to non-existent files or add the missing files. Audit the 33 files in the package inventory to understand what files are present but not disclosed in the analysis.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing Referenced Script File (adaptyv.py)

  The skill references adaptyv.py in its instructions but the file was not found in the skill package. This missing file could indicate an incomplete package where security-relevant code (API key handling, network calls) cannot be audited. If the file is later added without review, it could introduce data exfiltration or credential theft risks. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package and subject to security review before distribution. Remove references to non-existent files or document their optional nature clearly.

• 🔵 LOW LLM_PROMPT_INJECTION — Instruction to Fetch and Follow External Documentation Sources

  The skill instructs the agent to reference external URLs including an llms.txt index, OpenAPI spec, and official docs. While these are legitimate Adaptyv-owned resources, fetching and acting on external content at runtime introduces indirect prompt injection risk if those external resources were ever compromised or returned unexpected content. The OpenAPI spec URL in particular (/openapi.json) could theoretically contain embedded instructions if the endpoint were compromised. File: SKILL.md Remediation: Avoid instructing the agent to fetch and parse external documentation at runtime. Bundle necessary reference material locally (as done with references/api-endpoints.md) rather than directing the agent to live external URLs that could be compromised or return unexpected content.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Overly Broad Skill Activation Triggers

  The skill description contains an extensive list of activation triggers including generic terms like 'protein binding assays', 'protein screening experiments', and code import patterns. While these are legitimate use cases, the breadth of triggers (including monitoring for specific import statements like adaptyv, adaptyv_sdk, FoundryClient) could cause the skill to activate in contexts where it is not needed, potentially exposing API key handling logic unnecessarily. File: SKILL.md Remediation: Narrow the activation triggers to the most specific and unambiguous terms (e.g., 'Adaptyv', 'Foundry API', 'FoundryClient') and remove overly generic scientific terms that could cause false-positive activations.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned GitHub Dependency Installation

  The skill instructs installation of the adaptyv-sdk package directly from a GitHub repository without pinning to a specific commit hash or tag. This means any future changes to the repository (including potentially malicious ones) would be silently pulled in on fresh installs. The package is described as beta (0.1.0) and not yet on PyPI, increasing supply chain risk. File: SKILL.md Remediation: Pin the installation to a specific commit hash or release tag, e.g.: git+https://github.com/adaptyvbio/adaptyv-sdk.git@v0.1.0 or git+https://github.com/adaptyvbio/adaptyv-sdk.git@<commit-sha>. Once the package is published to PyPI with a stable release, prefer adaptyv-sdk==0.1.0 with hash verification.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Restriction for Network Access

  The skill's allowed-tools field lists 'Read Write Edit Bash', which permits Bash execution. The skill instructions reference downloading datasets from external sources (UCR/UEA archives, Zenodo, timeseriesclassification.com, forecastingdata.org) and installing packages via uv pip. While this is expected behavior for a data science skill, there is no explicit documentation or restriction on what network endpoints are permissible, leaving the door open for unintended network access during agentic execution. File: SKILL.md Remediation: Document expected network endpoints in the skill manifest or instructions. Consider adding a note that Bash usage should be limited to package installation and local execution, not arbitrary network calls.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Multiple Missing Referenced Files May Cause Unexpected Behavior

  The skill references numerous files (aeon.py, matplotlib.py, sklearn.py, and many assets/templates/*.md files) that are not found in the package. These missing files could cause the agent to search for or attempt to load external resources, or could indicate incomplete packaging. The presence of filenames like 'aeon.py', 'matplotlib.py', and 'sklearn.py' is particularly notable as these shadow well-known library names and could cause import confusion if they existed. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package. Remove references to non-existent files. Rename any files that shadow standard library names (aeon.py, matplotlib.py, sklearn.py) to avoid import namespace collisions.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Version Range for aeon Package Installation

  The skill recommends installing aeon with a version range ('aeon>=1.4,<2') rather than a fully pinned version. While this is better than no pinning at all, it still allows minor version updates that could introduce breaking changes or, in a supply chain attack scenario, a compromised minor release. The same applies to the 'aeon[all_extras]>=1.4,<2' variant. File: SKILL.md Remediation: Pin to an exact version for maximum reproducibility and supply chain safety, e.g., 'uv pip install aeon==1.4.0'. Document the pinned version in the skill manifest and update intentionally.

• 🔵 LOW LLM_DATA_EXFILTRATION — Many Referenced Files Are Missing from the Skill Package

  The skill references numerous files that are not present in the package (templates/concatenation.md, assets/data_structure.md, templates/manipulation.md, templates/data_structure.md, anndata.py, templates/io_operations.md, assets/manipulation.md, templates/best_practices.md, assets/best_practices.md, scanpy.py, scipy.py, assets/io_operations.md, muon.py, assets/concatenation.md). While this is not a direct security threat, missing files could cause the agent to seek alternative sources for instructions, potentially opening it to indirect prompt injection if it fetches content from external locations to fill the gap. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package. Remove references to files that do not exist, or add clear fallback instructions that do not involve fetching external content.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Missing Version Pins for Several Referenced Packages

  The SKILL.md instructions pin anndata itself to version 0.12.16, which is good practice. However, the skill references and demonstrates use of several additional packages (scanpy, muon, scipy, sklearn, fsspec, h5py) without version pins in the installation instructions or code examples. This creates a supply chain risk where unpinned transitive dependencies could be compromised or introduce breaking changes. File: SKILL.md Remediation: Add pinned installation instructions for all key dependencies used in examples (e.g., scanpy, muon, scipy, h5py, fsspec, sklearn). Consider providing a requirements.txt or pyproject.toml with fully pinned versions for reproducibility.

• 🔵 LOW LLM_DATA_EXFILTRATION — Remote Zarr Access Without Strict URL Validation

  The io_operations.md reference file includes code examples for accessing remote Zarr stores via fsspec using arbitrary HTTPS and S3 URLs. While the file includes a note to 'prefer allowlisted HTTPS/S3/GCS paths or signed URLs', the example code does not enforce this restriction programmatically. A user or agent following these examples could be directed to fetch data from untrusted remote sources, potentially exposing the agent to indirect prompt injection via malicious Zarr stores or data exfiltration scenarios. File: references/io_operations.md Remediation: Add programmatic URL validation before opening remote stores, similar to the 'Download from a trusted URL' pattern shown later in the same file. Enforce an allowlist of trusted hostnames/buckets and reject arbitrary user-supplied URLs at the code level, not just in comments.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

  The skill does not specify the 'allowed-tools' field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may invoke. The skill executes Python scripts and Bash commands, so documenting allowed tools would improve transparency. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools actually used, e.g., allowed-tools: [Python, Bash, Read, Write].

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Metadata

  The skill does not specify the 'compatibility' field in its YAML manifest. This is a minor documentation gap that reduces transparency about which environments the skill is designed to operate in. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter indicating supported environments (e.g., Claude.ai, Claude Code, API).

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation

  The skill instructs installation of 'arboreto' and its dependencies (dask[complete], distributed, numpy, pandas, scikit-learn, scipy) without pinning specific versions. This creates a supply chain risk where a future compromised or malicious package version could be installed automatically. File: SKILL.md Remediation: Pin the package to a specific known-good version, e.g., 'uv pip install arboreto==0.1.6'. Consider using a requirements.txt or lock file with hashed dependencies for reproducible and secure installations.

• 🔵 LOW LLM_DATA_EXFILTRATION — Network Disclosure of Potentially Sensitive Identifiers

  The skill documents several functions that transmit user-supplied data to external third-party services: SkyCoord.from_name() sends object names to Sesame/SIMBAD/NED; EarthLocation.of_address() sends addresses to a geocoding service; download_file() discloses URLs to remote hosts; remote FITS reads via S3/HTTP disclose URIs and may use credentials. The skill does include appropriate warnings in Best Practices (item 11) and in the reference files, advising users to confirm before making network calls with sensitive data. This is a low-severity informational finding since the warnings are present, but the risk of inadvertent disclosure remains. File: SKILL.md Remediation: The skill already includes appropriate warnings. Consider adding a more prominent warning at the top of the SKILL.md overview section summarizing all network-disclosing operations in one place, so users are aware before diving into specific modules. The existing per-function warnings in reference files are good practice.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Transitive Dependencies Installed at Unpinned Versions via Optional Extras

  The skill recommends installing astropy with optional extras ([recommended] and [all]) which pull in transitive dependencies such as matplotlib and scipy at unpinned versions. While astropy itself is pinned to 7.2.0, the transitive dependency tree is not locked, creating a supply chain risk where a compromised or malicious version of a transitive dependency could be installed. The skill does acknowledge this risk and recommends using uv lock or uv pip compile for production environments. File: SKILL.md Remediation: The skill already advises using lockfiles for production. Consider providing an example lockfile workflow or a pinned requirements file for the most common dependency set. The warning is adequate for most use cases.

• 🔵 LOW LLM_DATA_EXFILTRATION — IERS Auto-Download May Leak Timing Information

  The skill documents that astropy may auto-download IERS Earth-rotation data for high-precision time and coordinate operations. This network call could reveal that a user is performing precision timing work and disclose the timing of observations. The reference/time.md file does document how to disable auto-download with iers.conf.auto_download = False for offline or privacy-sensitive runs, which is appropriate mitigation. File: references/time.md Remediation: The existing documentation is adequate. Consider adding a note in the main SKILL.md Best Practices section about IERS auto-download alongside the other network-access warnings (Best Practice #11) so users are aware of this additional network call.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned bioservices Package Installation

  The SKILL.md specifies 'bioservices==1.16.0' which is pinned, which is good. However, the installation command uses 'uv pip install' which is acceptable. The bioservices package itself pulls in transitive dependencies (requests, BeautifulSoup, etc.) that are not pinned, creating a potential supply chain risk if any transitive dependency is compromised. This is a minor concern given the pinned top-level package. File: SKILL.md Remediation: Consider generating a full requirements lockfile (e.g., uv lock or pip-compile) that pins all transitive dependencies to specific versions with hashes for maximum supply chain integrity.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Pathway Analysis Loop with No Rate Limiting

  The pathway_analysis.py script iterates over all pathways for an organism (potentially 300+ for human 'hsa') and makes individual KEGG API calls for each pathway without enforced rate limiting between calls. The script does have an optional --limit flag, but the default is unlimited. This could result in excessive API calls, potential rate limiting by KEGG, and long-running processes consuming compute resources. File: scripts/pathway_analysis.py Remediation: Add a default rate-limiting delay between API calls (e.g., time.sleep(0.5)) in the analysis loop. Consider setting a more conservative default limit or requiring explicit user confirmation before processing large numbers of pathways.

• 🔵 LOW LLM_DATA_EXFILTRATION — Environment Variable Access with Network Calls (NCBI_EMAIL)

  The skill reads the NCBI_EMAIL environment variable and passes it to external NCBI BLAST API calls. While this is documented and expected behavior for NCBI BLAST authentication, the pattern of reading environment variables and transmitting them to external services warrants noting. The email is used as a contact identifier per NCBI policy, not as a credential, and the destination (NCBI BLAST API) is a well-known legitimate bioinformatics service. The static analyzer flagged this as a potential exfiltration chain, but in context it is legitimate and documented. File: scripts/protein_analysis_workflow.py:44 Remediation: This is expected behavior for NCBI BLAST. Ensure users are aware that their email address is transmitted to NCBI servers as required by NCBI policy. No remediation required beyond existing documentation.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools and compatibility Metadata

  The SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. The skill executes Python scripts, reads/writes files, and orchestrates external tool invocations (nextflow, STAR, Salmon, fastp, etc.). Without declared tool restrictions, the agent has no manifest-level constraint on what operations it can perform. This is informational per the spec (allowed-tools is optional), but combined with the pre-scan flags for environment variable access and cross-file exfiltration chains, the absence of declared restrictions is worth noting. File: SKILL.md Remediation: Add 'allowed-tools' to the manifest listing the tools actually needed (e.g., Bash, Python, Read, Write) and specify compatibility constraints. This improves auditability and allows the agent runtime to enforce restrictions.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Description with Keyword Baiting

  The skill description contains an unusually large number of trigger phrases and keyword combinations designed to maximize activation: 'analyze my RNA-seq', 'FASTQ to DESeq2', 'run nf-core/rnaseq', 'STAR/Salmon quantification', 'build a counts matrix for DESeq2', 'go from reads to differentially expressed genes and enriched pathways'. While these are plausibly legitimate for a bioinformatics orchestrator skill, the density of quoted trigger phrases in the description is characteristic of keyword baiting to inflate activation frequency. File: SKILL.md Remediation: Reduce the number of explicit trigger phrases in the description to only those necessary to describe the skill's purpose. Rely on semantic matching rather than keyword enumeration.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Python Dependency Installation

  The setup instructions use 'uv pip install pytximport pandas' without version pins. While bioconda tool versions are pinned (star=2.7.11b, salmon=1.10.3), the Python dependencies used by the bridge script are not pinned. This creates a supply chain risk where a compromised or breaking version of pytximport or pandas could be installed. File: SKILL.md Remediation: Pin all Python dependencies to specific versions, e.g. 'uv pip install pytximport==0.x.x pandas==2.x.x'. Consider generating a requirements.txt or pyproject.toml with locked versions for reproducibility.

• 🔵 LOW LLM_DATA_EXFILTRATION — Environment Variable Access for API Credentials (Legitimate Pattern)

  The skill and its reference files access environment variables for API credentials (GOOGLE_CLOUD_PROJECT, IONQ_API_KEY, AZURE_QUANTUM_RESOURCE_ID, AZURE_QUANTUM_LOCATION, AQT_TOKEN, PASQAL_TOKEN). These are used to authenticate with quantum hardware providers. The pattern is consistent with the skill's stated purpose of running quantum circuits on real hardware. The static analyzer flagged these as potential exfiltration, but in context they are standard credential-passing patterns for cloud quantum services. No hardcoded secrets are present; all credentials are read from environment variables and passed directly to official provider SDKs. Remediation: This is expected behavior for a quantum hardware integration skill. No remediation required. Users should be aware that running hardware jobs requires valid API credentials in their environment. Ensure credentials are scoped to minimum necessary permissions for each provider.

• 🔵 LOW LLM_DATA_EXFILTRATION — Network Calls to External Quantum Provider APIs

  The skill's reference files demonstrate making network calls to external quantum provider endpoints (Google Quantum Engine, IonQ cloud, Azure Quantum, AQT gateway, Pasqal cloud). These calls are inherent to the skill's stated purpose of running quantum circuits on real hardware. The static analyzer flagged cross-file env var exfiltration chains, but the data flow is: read env var credential → pass to official provider SDK → SDK makes authenticated API call. No data is being exfiltrated to attacker-controlled endpoints; all destinations are official provider APIs. Remediation: This is expected behavior. Users should verify they are using official provider SDK packages and not compromised versions. Pin package versions for production use (e.g., cirq==1.6.1 as recommended in the skill).

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Some Referenced Files Not Found in Package

  Several files referenced in the skill instructions are not present in the package: azure.py, cirq_google.py, cirq_ionq.py, cirq.py, sympy.py, scipy.py, and various template/asset directories. While the core reference files (references/*.md, hardware.md, simulation.md, transformation.md) are present, the missing files could indicate an incomplete package or files that shadow standard Python module names (cirq.py, sympy.py, scipy.py). If files named cirq.py, sympy.py, or scipy.py were present, they could shadow the legitimate cirq, sympy, and scipy packages, potentially causing unexpected behavior. File: SKILL.md Remediation: Verify the package is complete and all referenced files are present. If cirq.py, sympy.py, or scipy.py are intended to be present, ensure they do not shadow the legitimate Python packages of the same name. Rename any local helper files to avoid namespace collisions with standard packages.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing compatibility Field in Manifest

  The YAML manifest does not specify a compatibility field. This is a minor informational issue as the skill makes network calls to external quantum hardware providers, which may not be compatible with all agent environments (e.g., air-gapped systems, restricted network environments). File: SKILL.md Remediation: Add a compatibility field noting that network access is required for hardware execution (e.g., 'Requires network access for hardware providers: Google Quantum AI, IonQ, Azure Quantum, AQT, Pasqal').

• 🔵 LOW LLM_DATA_EXFILTRATION — Remote Model Fetching via Network (BiGG/BioModels)

  The skill explicitly documents and encourages fetching models from remote sources (BiGG, BioModels) via load_model(). While this is a legitimate feature of COBRApy, it introduces a network dependency and potential for fetching untrusted model content. The compatibility note acknowledges 'network required for remote models'. This is low severity as it is a documented, intentional feature of the library rather than a covert exfiltration mechanism. File: SKILL.md Remediation: Inform users when remote model fetching is occurring. Consider validating model sources and checksums when loading from remote repositories. Prefer bundled models for sensitive environments.

• 🔵 LOW LLM_DATA_EXFILTRATION — Unvalidated Output Directory (OUTDIR) Used in Workflow File Writes

  The workflows.md reference file uses a hardcoded OUTDIR variable for writing CSV and PNG files. While the file includes a note to confirm OUTDIR with the user, the pattern of writing multiple files (single_gene_deletions.csv, double_gene_deletions.csv, flux_samples.csv, model_validation_report.csv, etc.) to a user-controlled path without explicit per-operation confirmation could be abused if OUTDIR is set to a sensitive location. The static analyzer flagged cross-file exfiltration chain patterns, likely referring to the read→write data flows in these workflows. File: references/workflows.md Remediation: Enforce explicit user confirmation of OUTDIR before any file write operations. Consider restricting OUTDIR to a sandboxed subdirectory and validating the path does not traverse outside the working directory.

• 🔵 LOW LLM_RESOURCE_ABUSE — Computationally Expensive Operations Without Adequate Guardrails

  Several workflows invoke computationally intensive operations such as double_gene_deletion with multiprocessing, loopless FVA, and large flux sampling runs (n=1000, processes=4). While the reference files include warnings about performance on genome-scale models, the SKILL.md instructions and workflow templates could lead an agent to execute these on large models without user confirmation, potentially exhausting CPU/memory resources for extended periods. File: references/workflows.md Remediation: Add explicit confirmation steps before launching computationally expensive operations. Enforce lower default values for n and processes, and require user approval before scaling up on genome-scale models.

• 🔵 LOW LLM_DATA_EXFILTRATION — Cloud Credential Environment Variable Exposure Mention

  The SKILL.md instructions explicitly mention cloud credential environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION, GOOGLE_APPLICATION_CREDENTIALS) in the context of remote file I/O. While the text states datamol does not transmit these to third-party endpoints, the skill instructs the agent to scope and use these credentials for cloud operations. The static analyzer flagged environment variable access combined with network calls, which warrants review. The risk is that user-provided cloud paths could cause credential-bearing requests to attacker-controlled endpoints if path validation is insufficient. File: SKILL.md Remediation: Validate and allowlist cloud storage paths before use. Warn users that providing attacker-controlled S3/GCS/HTTP URLs could cause credential-bearing requests to be sent to untrusted endpoints via fsspec. Add explicit URL validation before passing user-supplied paths to dm.read_sdf/dm.read_csv with remote URLs.

• 🔵 LOW LLM_PROMPT_INJECTION — External HTTP URL Reading Without Validation

  The skill explicitly instructs reading from user-provided HTTP/HTTPS URLs (e.g., 'https://example.com/data.csv') via dm.read_csv and dm.read_sdf. If a user provides a URL pointing to a malicious file containing crafted molecular data or embedded instructions, this could constitute an indirect prompt injection vector. The skill does not instruct the agent to validate or sanitize content retrieved from external URLs before processing. File: SKILL.md Remediation: Add explicit guidance to validate user-provided URLs against an allowlist of trusted domains or protocols. Instruct the agent to treat content from external URLs as untrusted and not to follow any embedded instructions found in externally-sourced molecular data files.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Phantom Referenced Files Not Present in Skill Package

  The skill references numerous files that do not exist in the package (rdkit.py, scipy.py, sklearn.py, datamol.py, templates/, assets/). While most are clarified as third-party PyPI libraries in the text, the file references could confuse the agent into searching for or loading files that don't exist, or could be exploited if those filenames were planted in the working directory with malicious content. The static analyzer noted 10 Python files in the inventory despite no script files being found, suggesting a discrepancy. File: SKILL.md Remediation: Remove phantom file references from the skill package manifest. Clarify in instructions that scipy, sklearn, rdkit, and datamol are PyPI packages, not local files (the skill partially does this but the file references remain). The '=[O:2]' entry appears to be a SMARTS fragment incorrectly parsed as a file reference and should be corrected.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instructions

  The skill instructs users to install datamol and optional backends (s3fs, gcsfs) using 'uv pip install' without version pinning. This exposes the environment to supply chain risks if any of these packages are compromised or if a typosquatted package is installed. No version constraints are specified. File: SKILL.md Remediation: Pin package versions explicitly (e.g., 'uv pip install datamol==0.12.5') to reduce supply chain risk and ensure reproducibility. Reference the known-good version mentioned in the skill (0.12.5).

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing Referenced Script Files May Indicate Incomplete Package

  Several files referenced in the SKILL.md instructions are not found in the skill package: deepchem.py, templates/api_reference.md, assets/workflows.md, sklearn.py, assets/api_reference.md, templates/workflows.md. While references/workflows.md and references/api_reference.md are present, the missing files could indicate an incomplete package or references to files that were removed. This is a low-severity informational finding as the core functionality appears intact. File: SKILL.md Remediation: Verify that all referenced files are included in the skill package or remove references to non-existent files from the instructions.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing Referenced Files May Cause Fallback to Untrusted Sources

  The SKILL.md references numerous files that do not exist in the skill package (assets/workflows.md, templates/quick_reference.md, templates/normalization_methods.md, assets/tools_reference.md, references/quick_reference.md, assets/normalization_methods.md, templates/effective_genome_sizes.md, assets/effective_genome_sizes.md, templates/workflows.md, templates/tools_reference.md). When the agent attempts to read these missing files, it may fall back to generating content from its own knowledge or prompt the user to provide external sources, potentially introducing untrusted content into the workflow. This is a low-severity documentation/packaging issue. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package. Audit SKILL.md references against actual file inventory and either add missing files or remove references to them.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Activation Triggers

  The SKILL.md 'When to Use This Skill' section lists very broad trigger phrases such as 'analyze ChIP-seq data', 'RNA-seq coverage', 'ATAC-seq analysis', and 'complete workflow'. While these are reasonable for a legitimate NGS toolkit, the breadth of triggers could cause the skill to activate for a wide range of genomics-related queries that might be better handled by other tools. This is a minor concern for a domain-specific skill. File: SKILL.md Remediation: Consider narrowing activation triggers to be more specific to deepTools operations rather than general NGS analysis terms. This reduces unintended skill activation.

• 🔵 LOW LLM_DATA_EXFILTRATION — Environment Variable Access Combined with Network Calls (Static Analyzer Flag)

  The static analyzer flagged potential environment variable exfiltration combined with network calls. Upon review, the skill's use of os.environ['ESM_API_KEY'] is the standard and documented pattern for authenticating with the Forge/Biohub API. The network calls are to trusted, explicitly named endpoints (forge.evolutionaryscale.ai, biohub.ai). The skill explicitly warns against hardcoding tokens and instructs users to keep endpoint URLs fixed to trusted hosts. No evidence of actual exfiltration to attacker-controlled infrastructure was found in the reviewed files. The static analyzer finding appears to be a false positive in this context, but is noted for completeness. Remediation: No remediation required for the documented pattern. Ensure that in practice, the ESM_API_KEY environment variable is only ever sent to the documented trusted endpoints (forge.evolutionaryscale.ai, biohub.ai) and never to user-supplied or dynamic URLs.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and Compatibility Metadata

  The skill manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) the skill may invoke. The skill's instructions and reference files include Python code that writes files (e.g., novel_gfp.pdb, variant_library.fasta, optimized_sequences.fasta, cluster_assignments.txt, protein_clusters.png), makes network calls, and executes GPU operations. Declaring allowed-tools would improve transparency about the skill's actual capabilities. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash, Read, Write]' and a compatibility note to the YAML frontmatter to accurately reflect the skill's actual tool usage and help users understand the scope of operations the skill may perform.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — GitHub-Based Package Install with Partial SHA Guidance

  The biohub-platform.md reference file documents an installation pattern using a git+https GitHub URL with a placeholder for a commit SHA ('uv pip install esm@git+https://github.com/Biohub/esm.git@'). While the documentation correctly warns against floating branch installs and instructs users to pin a full 40-character commit SHA and review the release before installing, the placeholder pattern could lead users to install from an unverified or attacker-controlled commit if they do not follow the guidance carefully. The PyPI-pinned install ('esm==3.2.3') is the primary recommended path. File: references/biohub-platform.md Remediation: Emphasize in documentation that the GitHub install path should only be used when strictly necessary, and that users must verify the commit SHA against official Biohub release announcements before installing. Consider removing the placeholder pattern and replacing it with a concrete verified SHA or directing users exclusively to the PyPI release.

• 🔵 LOW LLM_RESOURCE_ABUSE — Automatic Large Database Download Without User Confirmation

  The skill automatically downloads the NCBI taxonomy database (~300MB) on first instantiation of NCBITaxa without explicit user confirmation. This could cause unexpected resource consumption (disk space, bandwidth) and could be triggered silently during automated workflows. File: SKILL.md Remediation: Warn the user before initiating the download and require explicit confirmation before downloading large external databases. Document the download size prominently and provide an option to skip or specify a custom path.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation

  The SKILL.md instructions recommend installing ete3 using 'uv pip install ete3' without pinning a specific version. This means the installed package version is not deterministic and could be compromised via a supply chain attack if the package is updated with malicious code. The error messages in scripts also suggest 'pip install ete3' without version pinning. File: SKILL.md Remediation: Pin the package to a specific known-good version, e.g., 'uv pip install ete3==3.1.3'. Consider also verifying package integrity via hash checking.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Description with Excessive Trigger Keywords

  The skill description is unusually long and contains an extensive list of trigger phrases designed to maximize activation across a wide range of statistical and experimental design queries. While the skill's functionality appears legitimate, the description includes many informal phrasings ('how should I set up this experiment', 'assign these mice to conditions') that could cause the skill to activate in contexts where it may not be the most appropriate tool. This pattern resembles keyword baiting to inflate activation frequency. File: SKILL.md Remediation: Trim the description to a concise summary of the skill's core purpose. Avoid exhaustive keyword lists and informal trigger phrases that inflate activation scope beyond the skill's intended use.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing Referenced Files May Cause Unexpected Behavior

  Several files referenced in the SKILL.md instructions do not exist in the skill package (assets/sequential_and_adaptive.md, assets/factorial_and_doe.md, templates/design_types.md, templates/factorial_and_doe.md, templates/randomization_and_blocking.md, templates/sequential_and_adaptive.md, assets/design_types.md, assets/randomization_and_blocking.md, randomization.py, doe_designs.py at root). When the agent attempts to read these files, it will encounter errors or silently fail, potentially causing the agent to seek alternative sources or behave unpredictably. This is a tool reliability issue rather than a direct security threat. File: SKILL.md Remediation: Ensure all referenced files exist in the skill package, or remove references to non-existent files from the instructions. Audit the file paths to confirm they match the actual directory structure.

• 🔵 LOW LLM_DATA_EXFILTRATION — Use of numpy.random.seed() (Global RNG State) in doe_designs.py

  The latin_hypercube function in doe_designs.py uses np.random.seed(rng_state) which sets the global NumPy random state rather than using a local Generator object. While this is a code quality issue rather than a direct security threat, it could interfere with other code's random state in the same process and is inconsistent with the rest of the codebase which correctly uses np.random.default_rng(seed). This is a minor concern but worth noting for reproducibility and isolation. File: scripts/doe_designs.py:88 Remediation: Use a local Generator (np.random.default_rng(seed)) consistently. If pyDOE3's lhs requires the global seed, document this limitation clearly and consider wrapping the call to restore the prior global state afterward.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

  The skill manifest does not declare an 'allowed-tools' field, meaning there are no explicit restrictions on which agent tools this skill can use. While this is an optional field, its absence means the agent has no declared constraints on tool usage when executing this skill's instructions. File: SKILL.md Remediation: Add an explicit 'allowed-tools' declaration to the SKILL.md manifest to document and restrict which tools the skill requires. For a documentation/reference skill like this, appropriate tools might be limited to Read and Python.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Description May Cause Excessive Activation

  The skill description is extremely broad, listing a large number of trigger scenarios including 'any task involving reading/writing/analyzing vector geographic data', PostGIS databases, interactive maps, multiple visualization libraries, and many operation types. This over-broad description may cause the skill to be activated for a wider range of tasks than necessary, potentially leading to unnecessary dependency installation or resource usage. File: SKILL.md Remediation: Narrow the skill description to focus on the core use cases. Avoid listing every possible trigger scenario in the description field, as this can lead to over-activation of the skill.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies in Installation Instructions

  The SKILL.md installation instructions use 'uv pip install' without version pinning for all dependencies (geopandas, folium, mapclassify, pyarrow, psycopg2, geoalchemy2, contextily, cartopy). Unpinned dependencies are vulnerable to supply chain attacks where a malicious version of a package could be published and automatically installed. File: SKILL.md Remediation: Pin all dependencies to specific versions (e.g., 'uv pip install geopandas==1.0.1'). Consider providing a requirements.txt or pyproject.toml with pinned versions and hash verification for supply chain security.

• 🔵 LOW LLM_DATA_EXFILTRATION — Database Credentials Exposed in Code Examples

  The data-io.md reference file contains example code showing database connection strings with placeholder credentials in plaintext. While these are documentation examples, they demonstrate a pattern that could lead users to hardcode real credentials in their code. The connection string format 'postgresql://user:password@host:port/database' is shown without any warning about credential management best practices. File: references/data-io.md Remediation: Add explicit warnings in the documentation that credentials should never be hardcoded. Recommend using environment variables (os.environ), .env files with python-dotenv, or secrets managers. Show an example using environment variables instead of plaintext credentials.

• 🔵 LOW LLM_PROMPT_INJECTION — External URL Data Loading Without Validation Warning

  The data-io.md reference file documents reading spatial data directly from external URLs (HTTP/HTTPS, S3, Azure Blob) without any security warnings about validating or trusting external data sources. This could lead users to load untrusted geospatial data from arbitrary URLs, which could contain malicious geometries or unexpected content. File: references/data-io.md Remediation: Add security notes warning users to validate the source and integrity of external data before loading. Recommend verifying checksums or signatures for data from untrusted sources, and note that loading from arbitrary URLs could expose the system to malicious data.

• 🔵 LOW LLM_DATA_EXFILTRATION — Referenced Files Not Found (joblib.py, torch.py, dask.py)

  The SKILL.md instructions reference three files (joblib.py, torch.py, dask.py) that are not present in the skill package. These appear to be code examples in the markdown body rather than actual bundled files, but their absence as referenced files could indicate incomplete packaging. If these were intended as actual scripts, their absence means the skill is incomplete; if they are just example snippets, the references are misleading. File: SKILL.md Remediation: Clarify whether these are example code snippets (in which case remove them from the referenced files list) or actual bundled scripts (in which case include them in the package). This is a documentation/packaging issue rather than a security threat.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Manifest Declaration

  The SKILL.md manifest does not declare an allowed-tools field. The skill executes Python scripts and runs bash subprocesses (nvidia-smi, rocm-smi, sysctl, system_profiler), so declaring the required tools would improve transparency and allow the agent runtime to enforce appropriate restrictions. File: SKILL.md Remediation: Add allowed-tools: [Python, Bash] to the YAML frontmatter to explicitly declare the tools this skill requires, improving transparency and enabling runtime enforcement.

• 🔵 LOW LLM_COMMAND_INJECTION — Subprocess Calls to External System Utilities Without Input Sanitization

  The script invokes external system utilities (nvidia-smi, rocm-smi, sysctl, system_profiler) via subprocess. While the commands themselves are hardcoded and do not incorporate user-supplied input, the output of these commands is parsed and incorporated into the JSON output. If a malicious GPU driver or system utility were to return crafted output, it could potentially influence the recommendations written to the JSON file, which the agent then reads and acts upon. The risk is low given the hardcoded command arguments. File: scripts/detect_resources.py:90 Remediation: The current implementation is reasonably safe as command arguments are hardcoded. Consider adding output length limits and stricter parsing validation when processing subprocess output to prevent unexpectedly large or malformed outputs from causing issues.

• 🔵 LOW LLM_DATA_EXFILTRATION — System Information Collection and Local File Write

  The script collects detailed system information including CPU architecture, processor model, memory usage, disk usage, GPU details (including driver versions and compute capabilities), and OS version. This information is written to a local .claude_resources.json file in the current working directory. While this is the stated purpose of the skill and the data stays local, the breadth of system fingerprinting (hardware identifiers, driver versions, architecture) could be sensitive in certain environments. No exfiltration to external servers is observed. File: scripts/detect_resources.py:180 Remediation: This is low risk as data stays local. Consider documenting clearly that the output file may contain sensitive system fingerprinting data and should not be committed to version control or shared externally. Add a note in SKILL.md about treating .claude_resources.json as potentially sensitive.

• 🔵 LOW LLM_DATA_EXFILTRATION — COSMIC Credentials Exposure Risk via CLI Arguments

  The SKILL.md instructions document that COSMIC credentials (email/password) can be passed as CLI arguments to gget cosmic --download_cosmic. While the skill does warn against this practice and recommends environment variables or interactive prompts, the documented CLI pattern (--email, --password) exposes credentials in shell history, process listings, and system logs on shared systems. The skill's own guidance acknowledges this risk but still documents the insecure pattern. File: SKILL.md Remediation: Remove documentation of the --email/--password CLI flags entirely, or add a stronger warning that these flags should never be used. Only document the environment variable approach (os.environ['COSMIC_EMAIL']) and interactive prompt methods.

• 🔵 LOW LLM_DATA_EXFILTRATION — OpenAI API Key Handling Documentation Risk

  The gget gpt module documentation notes that gget gpt expects the API key as a CLI argument, which can expose it in process listings and shell history. While the skill warns against this and recommends environment variables, the CLI pattern is still documented and may be followed by users on shared systems. File: SKILL.md Remediation: Explicitly document only the environment variable approach for API key handling. Consider removing the CLI key-passing pattern from documentation entirely and only showing the Python os.environ approach.

• 🔵 LOW LLM_DATA_EXFILTRATION — Referenced File gget.py Not Found in Package

  The SKILL.md references a file gget.py in its instructions, but this file was not found in the skill package. This missing file could indicate incomplete packaging or a documentation error. If the agent attempts to read or execute this file, it may fail or behave unexpectedly. File: SKILL.md Remediation: Either include the referenced gget.py file in the skill package, or remove the reference from SKILL.md instructions. Verify that all referenced files are bundled with the skill.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Viral Download Warning - Resource Exhaustion Risk

  The gget virus module documentation warns that --download_all_accessions without restrictive filters can attempt to download the entire Viruses taxonomy, consuming substantial time, bandwidth, and disk space. While the skill documents this warning, an agent following user instructions could still trigger this pattern if a user requests broad viral data downloads without understanding the scope. File: SKILL.md Remediation: Add explicit guardrails in the skill instructions directing the agent to always confirm with the user before executing --download_all_accessions, and to require at least one restrictive filter (host, nuc_completeness, sequence length range) before proceeding.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Missing Version Pin for gget Setup Dependencies

  The gget setup command installs third-party dependencies (alphafold, cellxgene, elm, gpt modules) without version pinning for those sub-dependencies. While gget itself is pinned to 0.30.5, the downstream packages installed by gget setup alphafold (~4GB model parameters) and gget setup cellxgene are not version-pinned, creating supply chain risk from unpinned transitive dependencies. File: SKILL.md Remediation: Document the specific versions of sub-dependencies installed by each setup command, or advise users to review the gget release notes to understand what versions are being installed. Consider pinning sub-dependency versions where possible.

• 🔵 LOW LLM_COMMAND_INJECTION — Static Analyzer Flagged Python eval/exec in Markdown Code Blocks

  The pre-scan static analyzer reported two instances of Python code blocks containing eval/exec patterns within the markdown files. Upon review of the provided content, no such patterns are visible in the supplied text. This may be a false positive from the static analyzer triggered by content in unretrieved or missing files (templates/, assets/). The finding is noted at LOW severity pending confirmation of the actual code block content. File: SKILL.md Remediation: Audit all markdown files in the skill package, particularly the missing templates/ and assets/ files, for any Python code blocks containing eval() or exec() calls. If found, remove or replace with safer alternatives. Confirm whether the static analyzer finding is a false positive once all files are available for review.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

  The skill manifest does not specify a license or compatibility field. While these are optional fields, their absence reduces transparency about the skill's intended usage scope and legal terms. This is an informational finding with minimal security impact. File: SKILL.md Remediation: Add a license field (e.g., 'license: MIT') and a compatibility field to the YAML frontmatter to improve transparency and discoverability.

• 🔵 LOW LLM_DATA_EXFILTRATION — Several Referenced Files Not Found in Package

  Multiple files referenced in the SKILL.md instructions are listed as 'not found': templates/fluorescent-pixel-art-generation.md, templates/cell-free-protein-expression-validation.md, templates/cell-free-protein-expression-optimization.md, assets/fluorescent-pixel-art-generation.md, assets/cell-free-protein-expression-optimization.md, and assets/cell-free-protein-expression-validation.md. Missing referenced files could cause the agent to attempt to locate them from unexpected sources or fail silently, though no active exfiltration risk is present here. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package, or remove references to files that do not exist. Audit the package to confirm completeness before distribution.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Declaration

  The skill manifest does not declare an 'allowed-tools' field. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools this skill may invoke. Given the skill references multiple internal files and could interact with external URLs, declaring tool restrictions would improve the security posture. File: SKILL.md Remediation: Add an explicit 'allowed-tools' declaration to the YAML frontmatter to limit the skill to only the tools it actually needs (e.g., [Read] if it only reads internal reference files).

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing License Information

  The skill manifest specifies 'Unknown' for the license field. This is a minor metadata concern but does not represent a direct security threat. Users cannot verify the provenance or legal standing of the skill. File: SKILL.md Remediation: Specify a valid open-source license (e.g., MIT, Apache-2.0) in the YAML frontmatter to ensure proper provenance tracking.

• 🔵 LOW LLM_DATA_EXFILTRATION — Multiple Referenced Files Not Found in Skill Package

  The skill references numerous files (gtars.py, assets/refget.md, assets/tokenizers.md, templates/refget.md, templates/cli.md, assets/coverage.md, assets/cli.md, templates/python-api.md, templates/coverage.md, assets/python-api.md, templates/tokenizers.md, templates/overlap.md, assets/overlap.md) that are not present in the skill package. While this is primarily a completeness issue, missing files could indicate an incomplete or tampered package, and the agent may attempt to locate these files from unexpected sources. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. Remove references to files that do not exist, or add the missing files to the package.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility and Allowed-Tools Metadata

  The skill does not specify 'compatibility' or 'allowed-tools' fields in the YAML manifest. While these are optional per the spec, their absence means there are no declared restrictions on tool usage, making it harder to audit the skill's intended scope. The skill instructs use of Bash (cargo install, gtars CLI) and Python execution without declaring these in allowed-tools. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash]' and a 'compatibility' field to the YAML frontmatter to clearly declare the skill's intended tool usage and environment compatibility.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Without Version Constraints

  The skill instructs installation of 'gtars' via 'uv pip install gtars' and 'cargo install gtars-cli' without specifying version pins. This creates a supply chain risk where a compromised or malicious version of the package could be installed. The Cargo install also uses feature flags but no version constraint. File: SKILL.md Remediation: Pin specific versions: 'uv pip install gtars==' and 'cargo install gtars-cli --version --features ...' to prevent supply chain attacks via version substitution.

• 🔵 LOW LLM_COMMAND_INJECTION — Use of eval/exec in Python Code Blocks

  The static analyzer flagged a Python code block using eval or exec. In the context of this skill, the extract_label() function examples use regex and string parsing, but the broader framework accepts user-provided config files and custom label extraction functions (lambdas and arbitrary Python callables). If user-supplied config or code is passed to eval/exec without sanitization, this could enable arbitrary code execution. The risk is moderate given the local execution context. File: SKILL.md Remediation: Avoid using eval/exec with user-controlled input. Validate and sanitize all user-provided configuration values and label extraction functions. Consider restricting the extract_label parameter to a predefined set of functions rather than accepting arbitrary callables.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation via uv pip install

  The skill instructs users to install the 'hypogenic' package using 'uv pip install hypogenic' without specifying a pinned version. This means any future malicious or compromised version of the package on PyPI could be installed automatically, creating a supply chain risk. Additionally, the skill clones external GitHub repositories (ChicagoHAI/HypoGeniC-datasets, ChicagoHAI/Hypothesis-agent-datasets) without specifying commit hashes or tags, which could expose users to repository tampering. File: SKILL.md Remediation: Pin the package to a specific version (e.g., 'uv pip install hypogenic==1.0.0') and reference specific git tags or commit hashes when cloning repositories (e.g., 'git clone --branch v1.0 ...' or 'git checkout ').

• 🔵 LOW LLM_DATA_EXFILTRATION — API Key Stored in Environment Variable Referenced in Config

  The configuration template references an environment variable 'OPENAI_API_KEY' for API authentication. While using environment variables is better than hardcoding secrets, the config file itself documents this pattern and the hypogenic package will read and use this credential. If the config file or logs are inadvertently shared, the environment variable name is exposed. The broader risk is that the framework sends data (including potentially sensitive dataset content) to external LLM APIs (OpenAI, Anthropic). File: references/config_template.yaml Remediation: Ensure users are clearly informed that their dataset content will be transmitted to external LLM API providers. Document data privacy implications. Encourage use of local LLM options for sensitive datasets.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Iteration and Large-Scale API Calls Risk

  The skill's framework supports iterative hypothesis refinement with configurable max_iterations and parallel processing. With large datasets and many hypotheses, this could result in significant compute and API cost exhaustion. The config template shows max_iterations: 10 and num_hypotheses: 20 with batch processing, which could generate hundreds of LLM API calls in a single run without explicit user confirmation between iterations. File: references/config_template.yaml Remediation: Add explicit user confirmation prompts before starting large-scale iterative generation runs. Display estimated API call counts and costs before execution. Implement hard limits on maximum iterations and API calls per session.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Activation Description

  The skill description includes an extensive list of trigger keywords and scenarios (ISO 13485, QMS documentation, FDA QMSR, EU MDR, medical device regulations, QMS certification, gap analysis, Quality Manuals, procedures, work instructions, Medical Device Files) that could cause the skill to activate in a wide range of contexts. While this is a legitimate documentation assistance tool, the description is unusually broad and could lead to unintended activation across many regulatory and quality-related conversations. File: SKILL.md Remediation: Narrow the activation criteria to more specific, unambiguous triggers directly related to ISO 13485 certification documentation tasks rather than broad regulatory topic mentions.

• 🔵 LOW LLM_DATA_EXFILTRATION — User-Provided File Path Passed Directly to File System Operations

  The gap_analyzer.py script accepts a user-supplied --docs-dir argument and passes it directly to Path() and rglob() without sanitization or path traversal validation. A malicious or careless user could supply a path like '/' or '~/' causing the script to scan the entire filesystem or sensitive directories, potentially exposing sensitive files in the analysis output. File: scripts/gap_analyzer.py:85 Remediation: Validate and sanitize the --docs-dir argument. Resolve the path and verify it is within an expected base directory. Warn users if the path points to sensitive system directories. Consider restricting to relative paths or paths within the current working directory.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Recursive File System Traversal

  The gap_analyzer.py script uses rglob() to recursively scan all files with supported extensions under the user-provided directory. If a user provides a very large directory (e.g., a root filesystem or home directory), this could consume significant memory and CPU resources as it reads and stores all matching file contents in memory simultaneously. File: scripts/gap_analyzer.py:100 Remediation: Implement limits on the number of files processed, maximum file size, and maximum directory depth. Add a warning or confirmation prompt if the directory contains more than a threshold number of files. Consider streaming content rather than loading all files into memory simultaneously.

• 🔵 LOW LLM_PROMPT_INJECTION — Untrusted File Content Processed Without Sanitization

  The gap_analyzer.py script reads and processes the content of user-provided documents to search for keywords. If a malicious document contains crafted content designed to manipulate the keyword matching logic or produce misleading gap analysis results, it could cause the tool to report false compliance or false gaps. While the current keyword matching is simple, the content is also surfaced back to the agent and user in reports, creating a potential indirect injection vector if the agent interprets file content as instructions. File: scripts/gap_analyzer.py:107 Remediation: Treat all file content as untrusted data. Do not pass raw file content back to the LLM agent for interpretation. Limit content processing to keyword matching only. Consider adding a note in the skill instructions that file content should not be interpreted as instructions.

• 🔵 LOW LLM_DATA_EXFILTRATION — Static Analyzer Flagged Potential Environment Variable Access with Network Calls

  The static pre-scan flagged BEHAVIOR_ENV_VAR_EXFILTRATION and BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN patterns. Reviewing the actual reference files, the environment variable access (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, LAMIN_DB_URL, GOOGLE_APPLICATION_CREDENTIALS) is used in legitimate LaminDB configuration examples, and the network calls are to documented LaminDB/cloud APIs. The skill's 'Safety and Security Defaults' section explicitly instructs the agent NOT to display or transmit credentials and to prefer IAM roles. No actual exfiltration code was found. This is flagged as LOW for awareness given the static analyzer signals. Remediation: The skill already includes appropriate security guidance. Continue ensuring all credential examples use placeholder values (as currently done with '' and '') and that no actual secret values appear in documentation or code examples.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing allowed-tools Declaration

  The skill does not declare an 'allowed-tools' field in its YAML manifest. While this is optional per the agent skills spec, the skill instructs the agent to execute Python code, run bash commands, make network requests, and access cloud storage credentials. Declaring allowed tools would improve transparency about the skill's intended capabilities. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools the skill requires, e.g., allowed-tools: [Python, Bash, Read, Write].

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Several Referenced Files Not Found in Skill Package

  Multiple files referenced in the SKILL.md instructions are not present in the skill package: templates/data-management.md, assets/ontologies.md, assets/setup-deployment.md, bionty.py, assets/data-management.md, lamindb.py, templates/ontologies.md, anndata.py, assets/core-concepts.md, templates/integrations.md, assets/integrations.md, assets/annotation-validation.md, templates/setup-deployment.md, templates/core-concepts.md, wandb.py, joblib.py. Missing files could indicate an incomplete package or that the agent may attempt to resolve these from external or unexpected sources. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. Remove references to files that do not exist, or document clearly that they are optional external dependencies.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

  The skill does not declare an 'allowed-tools' field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) can be invoked. Given the skill instructs the agent to execute Python code for mass spectrometry analysis, declaring allowed tools would improve transparency and reduce the attack surface. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter, e.g., 'allowed-tools: [Python, Read, Write]', to document and restrict the tools this skill is permitted to use.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Metadata

  The skill does not declare a 'compatibility' field in its YAML manifest. This is a minor documentation gap that reduces transparency about where the skill is intended to operate (e.g., Claude.ai, Claude Code, API). File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter to document the intended execution environments.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-broad Capability Description in Manifest

  The skill description is quite broad, claiming capabilities across matrix operations, data analysis, visualization, signal processing, image processing, differential equations, optimization, statistics, Python integration, and script execution. While the skill does appear to legitimately cover these areas through its reference files, the breadth of the description could lead to over-activation of the skill in contexts where a more targeted tool would be appropriate. File: SKILL.md Remediation: Consider narrowing the description to the primary use cases, or splitting into more focused sub-skills if the breadth causes unwanted activation.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Multiple Referenced Files Not Found in Package

  Several files referenced in the SKILL.md instructions are not present in the skill package (assets/python-integration.md, templates/data-import-export.md, assets/programming.md, assets/mathematics.md, assets/executing-scripts.md, templates/mathematics.md, templates/graphics-visualization.md, templates/python-integration.md, assets/data-import-export.md, templates/matrices-arrays.md, assets/graphics-visualization.md, templates/programming.md, templates/octave-compatibility.md, assets/matrices-arrays.md, assets/octave-compatibility.md, templates/executing-scripts.md). Missing files could indicate an incomplete package or files that were removed, potentially leaving the skill in an inconsistent state. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package, or remove references to files that are not part of the package. Audit the package for completeness before distribution.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

  The skill manifest does not specify an allowed-tools field. While this is optional per the agent skills specification, the skill instructs the agent to execute MATLAB/Octave scripts via Bash commands, read and write files, and perform various system operations. Declaring the required tools would improve security posture by making the skill's tool requirements explicit and auditable. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the YAML frontmatter, such as: allowed-tools: [Bash, Read, Write] to make the skill's tool requirements transparent and enforceable.

• 🔵 LOW LLM_DATA_EXFILTRATION — Python Integration Reference Demonstrates HTTP Requests with External APIs

  The references/python-integration.md file contains example code demonstrating how to use Python's requests library from within MATLAB to make HTTP requests to external APIs. While presented as documentation/examples, these patterns (reading data and posting to external endpoints) could be misused if a user is guided to implement them with sensitive data. The example explicitly shows making GET requests and processing JSON responses from external URLs. File: references/python-integration.md Remediation: Add explicit warnings in the documentation that HTTP request examples should only be used with trusted, authorized endpoints, and that users should be cautious about sending sensitive data to external services.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-broad Skill Description with Competitor Routing Directives

  The skill description contains explicit routing directives telling the agent when NOT to use this skill and to use competitor skills instead ('For quick statistical plots use seaborn; for interactive plots use plotly; for publication-ready multi-panel figures with journal styling, use scientific-visualization'). While this appears benign and helpful, it embeds activation/routing logic in the discovery metadata that influences agent skill selection behavior beyond what is needed for a matplotlib skill. File: SKILL.md Remediation: Keep the description focused on what this skill does rather than embedding routing logic that directs the agent to other skills. Routing decisions should be left to the agent's own judgment.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Interactive Loop in style_configurator.py

  The interactive_mode() function in style_configurator.py uses a for loop with a maximum of 20 iterations (max_customization_steps = 20), which is a bounded loop. However, the input() calls within the loop can block indefinitely waiting for user input in automated/agent contexts, potentially causing the agent to hang. This is a minor availability concern in non-interactive agent execution contexts. File: scripts/style_configurator.py:196 Remediation: Add timeout handling for input() calls or detect non-interactive environments and skip interactive mode. Use argparse-only mode when running in agent contexts.

• 🔵 LOW LLM_COMMAND_INJECTION — Static Analyzer False Positive: eval/exec Flag in Code Examples

  The static analyzer flagged a Python eval/exec pattern in the SKILL.md code blocks. Upon review, the markdown instruction body contains only illustrative Python code examples for molecular dynamics workflows (OpenMM, MDAnalysis). No actual eval() or exec() calls with user-controlled input are present in the code blocks. The flagged pattern appears to be a false positive from the static scanner. No standalone script files exist in this package. File: SKILL.md Remediation: No action required for this finding. If standalone scripts are added in the future, ensure eval/exec are not used with user-controlled input.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Referenced Files Not Found in Package

  The skill references several files (pdbfixer.py, MDAnalysis.py, matplotlib.py, openmm.py, openff.py) that are not present in the skill package. These appear to be Python import references parsed as file references by the scanner rather than actual bundled files. This is a minor packaging/documentation inconsistency rather than a security threat, but it could cause confusion about the skill's actual contents. File: SKILL.md Remediation: No security action required. These are Python library imports, not bundled files. The skill manifest could be clarified to distinguish between required external libraries and bundled files.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies in Installation Instructions

  The installation instructions reference packages without version pins (openmm, mdanalysis, nglview, openff-toolkit). Unpinned dependencies can be vulnerable to supply chain attacks if a malicious version is published to PyPI or conda-forge. This is a low-severity informational finding as the packages referenced (OpenMM, MDAnalysis) are well-established scientific computing libraries. File: SKILL.md Remediation: Consider pinning dependency versions in installation instructions (e.g., openmm==8.1.1, mdanalysis==2.7.0) to reduce supply chain risk. For production use, provide a requirements.txt or conda environment.yml with pinned versions.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned External GitHub Dependency Reference

  The skill references the MAP4 fingerprint package from an external GitHub repository (reymond-group/map4) without specifying a pinned version or commit hash. This introduces a supply chain risk where a compromised or updated repository could deliver malicious code to users who follow the installation instructions. File: SKILL.md Remediation: Specify a pinned release tag or commit hash when referencing the external MAP4 package. For example: 'pip install git+https://github.com/reymond-group/map4.git@v1.0' or reference a specific release. Document the expected version and checksum for verification.

• 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

  The static analyzer flagged a potential eval/exec usage in a Python code block. After reviewing all code examples in the skill's markdown files, no actual eval() or exec() calls were found in the skill's own code. The code examples demonstrate legitimate ML workflows using molfeat, scikit-learn, and PyTorch. This appears to be a false positive from the static analyzer. No command injection risk is present in the skill's own code. File: references/examples.md Remediation: No action required. The flagged pattern does not represent an actual security risk in this context.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility Metadata

  The SKILL.md manifest does not specify the 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills specification, their absence means there are no declared restrictions on which agent tools this skill may use. The skill instructs the agent to execute Python code, run bash commands (e.g., 'uv pip install'), read and write files, and make use of matplotlib and other libraries. Without declared tool restrictions, the agent has no manifest-level guidance on what operations are permitted. File: SKILL.md Remediation: Add 'allowed-tools' to the YAML frontmatter listing the tools actually needed (e.g., [Python, Bash, Read, Write]) and specify compatibility information. This improves transparency and allows agent runtimes to enforce appropriate restrictions.

• 🔵 LOW LLM_COMMAND_INJECTION — Use of pickle.load Without Trusted-Source Warning (Partial)

  The references/io.md file documents the use of Python's pickle module for graph serialization and explicitly notes 'Only unpickle files from trusted sources; pickle can execute arbitrary code on load.' While the warning is present, the skill's instructions and reference documentation guide users toward using pickle for graph storage without sufficient emphasis on the security risks. The documentation normalizes pickle usage in workflows that may involve user-provided or externally-sourced graph files, which could lead to arbitrary code execution if untrusted pickle files are loaded. File: references/io.md Remediation: The warning is present but should be more prominent. Consider adding a security callout block (e.g., a WARNING admonition) rather than an inline note. Additionally, recommend safer alternatives (GraphML, GML, JSON) as the default for untrusted or user-provided graph files, and reserve pickle only for trusted, internally-generated files.

• 🔵 LOW LLM_COMMAND_INJECTION — SQL Query Construction Guidance Includes Parameterized Query Warning

  The references/io.md file includes a note about SQL injection risk when filtering on user-supplied values, and correctly demonstrates parameterized queries. This is good practice, but the primary example above it shows direct string interpolation context without parameterization, which could be misread by users as the recommended pattern. The skill does not enforce or validate that user-supplied values are sanitized before use in database queries. File: references/io.md Remediation: The parameterized query example is correct. Consider reordering the examples so the safe parameterized version appears first and is labeled as the recommended approach. Remove or clearly mark any non-parameterized examples as unsafe patterns to avoid.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Description May Trigger Unintended Activation

  The skill description is extremely broad, covering ECG, EEG, EDA, RSP, PPG, EMG, EOG, HRV, complexity measures, autonomic nervous system assessment, psychophysiology research, and multi-modal physiological signal integration. While this accurately reflects the NeuroKit2 library's scope, the description is so comprehensive that it may cause the agent to activate this skill for a very wide range of loosely related queries, potentially displacing more appropriate tools or causing unnecessary skill invocation. File: SKILL.md Remediation: Consider narrowing the description to the most common use cases, or structuring it with more specific trigger conditions to avoid over-broad activation.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instruction

  The SKILL.md instructions include a command to install the neurokit2 package using 'uv pip install neurokit2' without specifying a version pin. This means the agent could install any version of the package, including potentially compromised future versions. Additionally, a development version install from GitHub is suggested using a zipball URL, which is even less controlled and could pull in untested or malicious code. File: SKILL.md Remediation: Pin the package to a specific known-good version (e.g., 'uv pip install neurokit2==0.2.7'). Remove or clearly warn about the development version install from GitHub, as it bypasses version control and integrity checks.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Multiple Referenced Files Not Found in Skill Package

  The SKILL.md references numerous files (neurokit2.py, assets/bio_module.md, assets/eda.md, templates/eeg.md, templates/bio_module.md, templates/eog.md, assets/ecg_cardiac.md, assets/signal_processing.md, templates/complexity.md, assets/complexity.md, assets/hrv.md, templates/signal_processing.md, templates/ecg_cardiac.md, assets/epochs_events.md, assets/emg.md, assets/eeg.md, templates/rsp.md, assets/rsp.md, templates/epochs_events.md, assets/eog.md, templates/hrv.md, templates/eda.md, templates/emg.md) that were not found in the skill package. The instructions direct the agent to 'Load specific reference files as needed using the Read tool.' If these files are absent, the agent may attempt to read non-existent paths, produce errors, or potentially be directed to read from unexpected locations. The missing 'neurokit2.py' is particularly notable as it is a Python script reference that does not exist. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package, or remove references to files that do not exist. Audit the file structure to confirm completeness before distribution.

• 🔵 LOW LLM_DATA_EXFILTRATION — ANTHROPIC_API_KEY Referenced in Metadata (Informational)

  The YAML manifest references ANTHROPIC_API_KEY as an optional environment variable via the 'openclaw' metadata block. The skill correctly instructs users to read this key from the environment (os.environ["ANTHROPIC_API_KEY"]) and explicitly warns against hardcoding credentials. This is a best-practice pattern, not a vulnerability. Flagged as informational only because the key name appears in the manifest metadata. File: SKILL.md Remediation: No action required. The skill already correctly instructs users to set the key in their shell environment and never hardcode it. The manifest declaration is informational metadata only.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Declaration

  The YAML manifest does not specify an allowed-tools field. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools this skill can invoke. The skill executes Python scripts, writes files, reads data, and makes optional network calls (Anthropic API). Declaring allowed-tools would improve transparency about the skill's intended capabilities. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the manifest, e.g., allowed-tools: [Python, Bash, Read, Write] to document the intended tool usage scope.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependencies in Installation Instructions

  The SKILL.md installation section uses unpinned package installs for several packages (e.g., 'uv pip install bombcell', 'uv pip install ibl-neuropixel ibllib bombcell', 'uv pip install anthropic'). While the skill does mention pinned versions for core packages (spikeinterface==0.104.3, kilosort==4.1.7, etc.) and notes that unpinned installs are acceptable for experimentation, several optional packages lack version pins. Unpinned installs are susceptible to supply chain attacks via malicious package updates. File: SKILL.md Remediation: Pin all dependencies to specific versions in production pipelines. Extend the pinned-versions note to include all packages, not just the core ones. Consider providing a requirements.txt or pyproject.toml with fully pinned dependencies.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — trust_model=True Used with Hugging Face Model Loading

  The skill instructs users to use trust_model=True when loading UnitRefine models from Hugging Face via sc.model_based_label_units(). The .skops model format can execute arbitrary code during deserialization. While the skill does include a warning ('only load models from sources you trust'), the default example uses trust_model=True without additional validation guidance. A compromised or malicious Hugging Face repository could lead to arbitrary code execution. File: SKILL.md Remediation: Supplement the existing warning with guidance to verify model checksums/hashes before loading, pin specific model versions/commits rather than using the latest, and consider using the explicit trusted=[...] list parameter to restrict what types are trusted during deserialization.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Activation Description

  The skill description instructs the agent to activate for any 'reproducible scientific/bioinformatics workflow work even if the user does not say the word Nextflow'. This is an unusually broad activation trigger that could cause the skill to be invoked in contexts beyond its intended scope, potentially displacing other skills or consuming resources unnecessarily. The description also contains an extensive list of trigger keywords (Nextflow, nf-core, .nf files, nextflow.config, DSL2, processes/channels/operators, samplesheets, nf-core/rnaseq, nf-core/sarek, nf-test, Docker, Singularity/Apptainer, Conda, Wave, HPC/SLURM, AWS Batch, Google Batch, Azure, Kubernetes) which constitutes keyword baiting. File: SKILL.md Remediation: Narrow the activation criteria to explicit Nextflow/nf-core mentions. Remove the instruction to activate even when the user does not mention Nextflow, as this creates over-broad activation that could interfere with other skills.

• 🔵 LOW LLM_DATA_EXFILTRATION — Seqera Platform Access Token Handling in Examples

  The configuration reference file includes examples showing TOWER_ACCESS_TOKEN usage and wave.enabled configuration with secrets. While these are documentation examples, the skill instructs the agent to help users configure these settings, which involves handling sensitive credentials. The examples show the token referenced as 'secrets.TOWER_ACCESS_TOKEN' which is appropriate, but the broader guidance could lead users to hardcode tokens in config files. File: references/containers.md Remediation: The existing example correctly uses the secrets mechanism. Ensure guidance consistently emphasizes using environment variables (TOWER_ACCESS_TOKEN) or Nextflow secrets rather than hardcoding tokens in nextflow.config files.

• 🔵 LOW LLM_COMMAND_INJECTION — Python eval/exec Usage in Code Examples

  The static analyzer flagged a Python code block using eval/exec patterns. Reviewing the referenced files, the language.md reference file contains Python code examples within Nextflow script blocks (e.g., using Python shebangs inside process script blocks). While these are documentation examples rather than executable agent code, the presence of eval/exec patterns in instructional content could guide users toward unsafe coding patterns. The actual risk is low since these are illustrative examples in reference documentation, not agent-executed scripts. File: references/language.md Remediation: The example is benign documentation. However, consider adding a note that user-controlled values interpolated into script blocks (like ${x}) should be validated before use to prevent command injection in real pipelines.

• 🔵 LOW LLM_PROMPT_INJECTION — External Pipeline Execution from GitHub Without Integrity Verification

  The skill instructs users to run pipelines directly from GitHub (e.g., 'nextflow run nf-core/rnaseq') which fetches and executes remote code. While pinning with '-r ' is recommended, the skill's guidance could lead to running unverified remote code. The skill does recommend pinning revisions, which mitigates this risk, but does not mention verifying pipeline integrity (e.g., checking commit signatures or checksums). File: references/running-pipelines.md Remediation: Add guidance to verify pipeline integrity when pulling from GitHub, such as checking that the revision tag corresponds to a known-good release and considering the use of 'nf-core pipelines download' for air-gapped verification before production use.

• 🔵 LOW LLM_COMMAND_INJECTION — Static Analyzer Flag: eval/exec Usage in Python Code Blocks

  The static pre-scan flagged a MDBLOCK_PYTHON_EVAL_EXEC finding. After reviewing all provided reference files, no direct use of eval() or exec() was found in the visible content. The flag may refer to content in missing/not-found files (assets/, templates/ directories). The risk is low given the legitimate scientific computing context, but warrants noting. Remediation: Review any missing reference files (assets/.md, templates/.md) for eval/exec usage. If present, ensure user-controlled input is never passed to eval/exec.

• 🔵 LOW LLM_DATA_EXFILTRATION — Referenced File omero.py Not Found

  The skill references a file named 'omero.py' in its file list, but this file was not found. A file named 'omero.py' in the local directory could shadow the legitimate 'omero' package (omero-py), potentially causing import confusion. If this file exists and contains malicious code, it could intercept all omero module imports. Remediation: Clarify the purpose of omero.py. If it is a local helper module, rename it to avoid shadowing the omero-py package (e.g., omero_helpers.py). Ensure it does not shadow the installed omero package.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing License Information

  The skill manifest declares license as 'Unknown'. This is a minor metadata completeness issue that reduces transparency about the skill's terms of use and provenance. File: SKILL.md Remediation: Specify an appropriate open-source license (e.g., MIT, Apache 2.0) in the YAML frontmatter.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

  The skill does not declare an allowed-tools field in its YAML manifest. While this field is optional per the agent skills spec, the skill instructs the agent to execute Python code (omero-py API calls, numpy operations, file I/O, network connections to OMERO servers). Declaring allowed-tools would improve transparency about what capabilities the skill requires. File: SKILL.md Remediation: Add an explicit allowed-tools declaration such as: allowed-tools: [Python, Bash] to make the skill's capability requirements transparent.

• 🔵 LOW LLM_DATA_EXFILTRATION — Hardcoded Credentials in Reference Documentation Examples

  Multiple reference files contain hardcoded credentials (USERNAME = 'user', PASSWORD = 'pass') in example code blocks. While these are documentation examples, they establish a pattern that could lead users to hardcode real credentials in their scripts. The skill itself correctly documents using environment variables (OMERO_USER, OMERO_PASSWORD) in its envVars metadata, but the reference files contradict this best practice. File: references/connection.md Remediation: Replace hardcoded credential examples with environment variable patterns consistently across all reference files. Use os.environ.get() pattern as shown in Pattern 3 of connection.md as the primary example.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing License Information

  The skill manifest declares license as 'Unknown'. While not a direct security threat, missing license information reduces transparency and provenance tracking for the skill package, which is relevant to supply chain trust. File: SKILL.md Remediation: Add a valid SPDX license identifier (e.g., MIT, Apache-2.0) to the SKILL.md manifest to improve provenance and trust.

• 🔵 LOW LLM_DATA_EXFILTRATION — Referenced Files Not Found in Skill Package

  The SKILL.md instructions reference several files that are not present in the skill package: assets/api_reference.md, opentrons.py, and templates/api_reference.md. Only references/api_reference.md was found. Missing referenced files could indicate incomplete packaging or, in a malicious scenario, could be used to load external content if the agent attempts to fetch them from external sources. File: SKILL.md Remediation: Ensure all referenced files are included in the skill package, or remove references to non-existent files from the instructions to prevent confusion or unintended external file fetching.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Declaration

  The skill manifest does not declare an allowed-tools field. While this field is optional per the agent skills specification, its absence means there are no declared restrictions on which agent tools this skill may invoke. The skill's scripts use Python execution and reference file reads, so declaring allowed-tools would improve security posture. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the SKILL.md manifest, e.g., allowed-tools: [Python, Read] to document and restrict the tools this skill is permitted to use.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Missing Compatibility and Version Pinning in Manifest

  The skill manifest does not specify a compatibility field, and the skill depends on the opentrons Python package without pinning a specific version in the manifest metadata. While the scripts themselves use standard opentrons API calls, unpinned dependencies could expose users to supply chain risks if the opentrons package is compromised or introduces breaking changes. File: SKILL.md Remediation: Add a compatibility field to the manifest and document the required opentrons package version (e.g., opentrons>=7.0.0,<8.0.0) to improve supply chain transparency.

• 🔵 LOW LLM_COMMAND_INJECTION — eval/exec Usage in Code Examples (Static Analyzer Flag)

  The static analyzer flagged a potential eval/exec usage in a Python code block within the skill. After reviewing all provided script files (serial_dilution_template.py, basic_protocol_template.py, pcr_setup_template.py) and the SKILL.md instruction body, no actual eval() or exec() calls were found in the code. The flag may be a false positive from pattern matching within documentation or reference content. No exploitable eval/exec pattern is present in the executable scripts. File: references/api_reference.md Remediation: No immediate action required. Verify the static analyzer's specific match location. If eval/exec appears in any future script additions, ensure user input is never passed to these functions.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

  The skill manifest does not specify a license or compatibility field. While this is informational and low severity per the analysis framework, the absence of provenance information (license) makes it harder to assess the trustworthiness and intended scope of the skill package. File: SKILL.md Remediation: Add a license field (e.g., 'license: MIT') and a compatibility field to the YAML frontmatter to improve transparency and provenance.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Activation Triggers in Skill Description

  The skill description is extremely broad, claiming to activate for a very wide range of scenarios including 'CPU-bound Python code (loops, large arrays, ML pipelines, graph analytics, image processing) that would benefit from GPU acceleration, even if not explicitly requested.' This over-broad activation language could cause the skill to be invoked in many contexts where it may not be appropriate, and the phrase 'even if not explicitly requested' is a form of activation priority manipulation. File: SKILL.md Remediation: Narrow the activation criteria to cases where the user explicitly requests GPU acceleration or mentions GPU/CUDA/NVIDIA. Remove the 'even if not explicitly requested' clause to avoid unsolicited skill activation.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Versions in Installation Instructions

  The skill instructs users to install packages without version pins (e.g., 'uv add cupy-cuda12x', 'uv add numba numba-cuda', 'uv add warp-lang'). Unpinned dependencies are a supply chain risk — a malicious or compromised package version could be installed without the user's awareness. This applies to all packages referenced in the installation section. File: SKILL.md Remediation: Pin package versions in installation instructions (e.g., 'uv add cupy-cuda12x==13.x.x'). At minimum, document the tested/recommended versions so users can verify they are installing expected packages.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned RAPIDS Packages from Third-Party Index

  Multiple RAPIDS packages are installed from the NVIDIA PyPI index (https://pypi.nvidia.com) without version pins. Using a third-party package index without version pinning increases supply chain risk, as packages could be updated or replaced without notice. File: SKILL.md Remediation: Pin all RAPIDS package versions explicitly. Document the NVIDIA PyPI index as a trusted source and verify package integrity. Consider using hash-based pinning for production deployments.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Large Number of Missing Referenced Files

  The skill references a very large number of files (assets/, templates/, and various .py files) that are not present in the skill package. Many of these appear to be Python library modules (cupy.py, numba.py, sklearn.py, etc.) that could be confused with actual Python scripts. The missing files mean the skill's instructions to 'read the relevant reference file(s) before writing any GPU code' cannot be fulfilled, potentially leading to incomplete or incorrect GPU code generation. The .py filenames in the reference list (e.g., cugraph.py, geopandas.py, faiss.py) are unusual for a documentation skill and could indicate an incomplete or misconfigured package. File: SKILL.md Remediation: Audit and remove references to non-existent files. Ensure all referenced files are bundled with the skill package. Remove or clarify the purpose of .py file references that appear to be library names rather than actual scripts.

• 🔵 LOW LLM_DATA_EXFILTRATION — Network Calls to External Services with User Gene Data

  The skill makes network calls to Enrichr (maayanlab.cloud), g:Profiler (biit.cs.ut.ee), and MSigDB (gsea-msigdb.org) transmitting user-provided gene lists. While these are legitimate bioinformatics services, users may not be aware that their gene lists (which could represent proprietary research data, unpublished findings, or sensitive biological information) are being sent to third-party servers. The skill does not warn users about this data transmission. File: SKILL.md Remediation: Add an explicit notice to users that gene lists will be transmitted to third-party servers (Enrichr, g:Profiler, MSigDB). Document the offline alternative (gp.enrich() with local GMT files) more prominently as a privacy-preserving option for sensitive data.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Description with Extensive Keyword Baiting

  The skill description is extremely long and contains an extensive list of trigger keywords ('pathway analysis', 'enrichment analysis', 'GO enrichment', 'KEGG/Reactome pathways', 'GSEA', 'over-representation', 'functional annotation', 'what pathways are my genes in'). While the skill is legitimate and the keywords are relevant, the explicit enumeration of trigger phrases in the description is a pattern associated with capability inflation and activation abuse — attempting to maximize the frequency with which the skill is selected by the agent's routing logic. File: SKILL.md Remediation: Trim the description to a concise functional summary. Avoid embedding explicit trigger-phrase lists in the description field; let the skill's actual capabilities speak for themselves.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Without Version Constraints

  The setup instructions recommend installing gseapy and gprofiler-official without pinning specific versions ('uv pip install gseapy gprofiler-official'). Unpinned dependencies are a supply-chain risk: a compromised or malicious future release of either package could be silently installed. gseapy in particular makes network calls to Enrichr and MSigDB, so a compromised version could exfiltrate gene lists or analysis results. File: SKILL.md Remediation: Pin exact versions (e.g., 'uv pip install gseapy==1.1.3 gprofiler-official==1.0.0'). Consider adding hash verification or using a lockfile. Document the expected versions in the manifest.

• 🔵 LOW LLM_RESOURCE_ABUSE — Unbounded Permutation Count and Thread Usage

  The GSEA workflow allows configuring permutation_num (default 1000) and threads (default 4) via command-line arguments with no upper bounds enforced. A user or malicious input could specify extremely large permutation counts or thread counts, leading to excessive CPU and memory consumption. The prerank call with very large permutation_num values could run for hours and exhaust system resources. File: scripts/run_enrichment.py Remediation: Add reasonable upper bounds for --permutations (e.g., max 10000) and --threads (e.g., max os.cpu_count()). Validate inputs before passing to gp.prerank() and warn users if values seem excessive.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Dependencies in Script Comments

  The script file also references unpinned installation ('uv pip install gseapy') in its docstring. This reinforces the unpinned dependency risk identified in the SKILL.md setup section. File: scripts/run_enrichment.py:14 Remediation: Pin the version in the installation instruction within the script docstring as well, consistent with any lockfile or pinned requirements.

• 🔵 LOW LLM_COMMAND_INJECTION — Static Analyzer Flagged eval/exec in Markdown Code Blocks (False Positive Context)

  The static pre-scan flagged multiple instances of MDBLOCK_PYTHON_EVAL_EXEC in the SKILL.md markdown body. Upon review, the code blocks in SKILL.md are instructional examples (e.g., pypdf, pdfplumber, reportlab usage). None of the actual script files (scripts/*.py) contain eval() or exec() calls. The markdown code blocks are documentation/examples, not executed code. However, if the agent were to copy-paste and execute these code blocks verbatim with user-supplied filenames without sanitization, there is a minor risk of path traversal or unexpected behavior. The risk is low given the context. File: SKILL.md Remediation: No immediate action required. The flagged patterns are documentation examples. Ensure that when the agent generates code from these templates, it validates user-supplied file paths before use.

• 🔵 LOW LLM_DATA_EXFILTRATION — Proprietary License Without Clear Terms Accessible

  The skill declares 'Proprietary. LICENSE.txt has complete terms' but no LICENSE.txt file is present in the analyzed package. This creates ambiguity about usage rights and could indicate incomplete package distribution. More importantly, proprietary licensing without visible terms means users cannot audit what data handling obligations or restrictions apply. File: SKILL.md Remediation: Include the LICENSE.txt file in the skill package, or use a standard open-source license (e.g., MIT, Apache 2.0) with the full text embedded in the manifest.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Description Used as Activation Trigger

  The skill description is explicitly designed to maximize activation: 'Use this skill whenever the user wants to do anything with PDF files... If the user mentions a .pdf file or asks to produce one, use this skill.' While the capabilities described are legitimate, the description functions as an aggressive activation directive that could cause the skill to be invoked in contexts where it is not the most appropriate tool, or where a simpler built-in capability would suffice. This is a mild form of capability inflation / keyword baiting. File: SKILL.md Remediation: Narrow the activation description to specific scenarios where the skill provides unique value. Avoid imperative activation directives like 'use this skill whenever' that override agent judgment.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — No Version Pinning for External Library Dependencies

  The skill instructs use of multiple external Python libraries (pypdf, pdfplumber, reportlab, pytesseract, pdf2image, pandas, Pillow) without specifying pinned versions. If these libraries are installed via pip without version constraints, a supply chain compromise or breaking change in any dependency could affect skill behavior. The skill does not include a requirements.txt with pinned versions. File: SKILL.md Remediation: Include a requirements.txt with pinned versions (e.g., pypdf==4.x.x, pdfplumber==0.x.x) to ensure reproducible and auditable dependency resolution.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Missing allowed-tools Declaration

  The skill does not declare an allowed-tools field in its YAML manifest. While this field is optional per the agent skills spec, its absence means there are no declared restrictions on which agent tools (Read, Write, Bash, Python, etc.) this skill may use. Given that the skill executes Python scripts that write files, read PDFs, and perform OCR, declaring allowed-tools would improve transparency and enable enforcement of least-privilege access. File: SKILL.md Remediation: Add an explicit allowed-tools declaration to the YAML frontmatter, e.g.: allowed-tools: [Python, Bash, Read, Write] to document and constrain the skill's tool usage.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Compatibility Field Not Specified

  The YAML manifest does not specify the 'compatibility' field, which is informational metadata that helps users understand where the skill can be used. This is a minor documentation gap. File: SKILL.md Remediation: Add a compatibility field to the YAML frontmatter specifying the environments where this skill is intended to work, e.g., 'compatibility: Claude.ai, Claude Code, API'.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Multiple Missing Referenced Files May Indicate Incomplete Package

  The skill references numerous files that do not exist in the package: assets/advanced_features.md, templates/quantum_chemistry.md, templates/devices_backends.md, templates/optimization.md, assets/quantum_chemistry.md, assets/quantum_ml.md, assets/optimization.md, pennylane.py, assets/getting_started.md, assets/devices_backends.md, templates/advanced_features.md, templates/quantum_ml.md, assets/quantum_circuits.md, templates/quantum_circuits.md, templates/getting_started.md, qiskit_ibm_runtime.py. The absence of qiskit_ibm_runtime.py is notable as it is referenced as if it were a local module. This could indicate an incomplete or tampered package. File: SKILL.md Remediation: Audit the skill package to ensure all referenced files are present and accounted for. Remove references to non-existent files or add the missing files. Verify that qiskit_ibm_runtime.py is not intended to shadow the legitimate qiskit-ibm-runtime PyPI package.

• 🔵 LOW LLM_DATA_EXFILTRATION — IonQ API Key Hardcoded in Example Code

  The devices_backends.md reference file contains an example showing an IonQ device initialized with a hardcoded placeholder 'your_api_key' string. While this is a documentation placeholder rather than a real credential, it normalizes the pattern of embedding API keys directly in code, which could lead users to follow this insecure pattern with real credentials. File: references/devices_backends.md Remediation: Replace the hardcoded api_key example with a pattern that reads from environment variables or a configuration file, e.g., api_key=os.environ.get('IONQ_API_KEY'). Add a note warning users never to hardcode real credentials.

• 🔵 LOW LLM_PROMPT_INJECTION — Skill References External Documentation URLs as Authoritative Sources

  The SKILL.md states 'These references summarize the Pi documentation at https://pi.dev/docs/latest and each docs page found under it as of this skill version, plus the package pages for pi-subagents, pi-mcp-adapter, pi-interview, and pi-web-access at https://pi.dev/packages/.' The skill also instructs the agent to 'inspect installed TypeScript definitions under node_modules/@earendil-works/pi-coding-agent/dist/ and node_modules/@earendil-works/pi-ai/dist/' when exact API behavior matters. This creates a transitive trust relationship with external URLs and local node_modules content that could be manipulated. File: SKILL.md Remediation: The skill relies on bundled reference files (which are internal and safe) as the primary source. The mention of external URLs is informational context about where the docs came from, not an instruction to fetch them dynamically. The node_modules reference is a concern if the agent is instructed to read arbitrary files from installed packages. Consider clarifying that the agent should rely on the bundled references rather than fetching live documentation or reading node_modules directly.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Capability Description in Manifest

  The skill description is very broad, claiming to handle a wide range of tasks including installing Pi, configuring providers/models/settings, creating skills/extensions/packages/themes/prompt templates, embedding Pi through the SDK, integrating over RPC or JSON event streams, parsing sessions, developing custom Pi providers and TUI components, and using multiple ecosystem packages. While this appears to reflect the actual documented scope of the Pi tool, the breadth of the description could lead to over-activation of the skill in contexts where a more targeted skill would be appropriate. File: SKILL.md Remediation: Consider scoping the description more narrowly or splitting into multiple focused skills if the breadth causes unintended activation. The current description is informational and matches the documented functionality, so this is a low-priority concern.

• 🔵 LOW LLM_UNAUTHORIZED_TOOL_USE — Skill Instructs Agent to Install and Execute Third-Party npm Packages Without Version Pinning

  The skill documents and encourages installation of ecosystem packages (pi-subagents, pi-mcp-adapter, pi-interview, pi-web-access) using unpinned npm install commands (e.g., 'pi install npm:pi-subagents'). The packages.md reference explicitly notes 'Packages run with full system access. Review third-party package code before installing.' The skill itself does not enforce or remind the agent to verify package integrity before installation, and the MCP adapter reference shows installing packages with npx -y (auto-yes) flags. File: references/packages.md Remediation: When guiding users to install packages, recommend pinning to specific versions (e.g., npm:pi-subagents@1.2.3) and reviewing package code before installation. The skill could add a note to always use version-pinned installs for production use. The 'chrome-devtools-mcp@latest' example in the MCP adapter docs is particularly risky as it always pulls the latest version.

• 🔵 LOW LLM_DATA_EXFILTRATION — References to Credential Storage Paths and API Key Handling

  Multiple referenced files document credential storage locations (e.g., ~/.pi/agent/auth.json, ~/.aws credentials for Bedrock, ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.) and key resolution syntax including command execution (!command) and environment variable interpolation. While this is legitimate documentation for the Pi tool, the skill instructs the agent to read and act on these reference files, which contain detailed information about where credentials are stored and how to access them. If the skill is used in a context where the agent has broad tool access, it could inadvertently guide credential exposure. File: references/providers.md Remediation: This is inherent to the Pi documentation skill. Ensure the skill is only used in trusted contexts. The safety defaults section in SKILL.md does advise against storing secrets in project files, which is a positive mitigation. No immediate action required beyond awareness.

• 🔵 LOW LLM_DATA_EXFILTRATION — Cloud Credential Environment Variable Access Documented

  The skill explicitly documents and encourages use of cloud credential environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GOOGLE_APPLICATION_CREDENTIALS, AZURE_STORAGE_ACCOUNT, etc.) for cloud storage access. While this is standard practice for cloud SDKs, the skill's instructions normalize reading sensitive credential environment variables and passing them to cloud I/O operations. The static analyzer flagged cross-file environment variable exfiltration chains, though review of the actual content shows this is legitimate cloud SDK credential usage rather than malicious exfiltration. No actual exfiltration code was found in the skill files. File: SKILL.md Remediation: This is standard cloud SDK behavior and not a direct threat. However, users should be aware that cloud credentials in environment variables will be used when cloud URIs are provided. Ensure that cloud paths provided to the skill are trusted and that credential scope is minimized (e.g., read-only IAM roles for genomic data access).

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Referenced Files May Cause Unexpected Behavior

  The skill references several files that do not exist in the package: assets/sql_processing.md, templates/pileup_operations.md, assets/pileup_operations.md, assets/file_io.md, templates/file_io.md, polars.py, templates/sql_processing.md, templates/interval_operations.md, polars_bio.py, assets/interval_operations.md. While the core reference files (references/file_io.md, references/interval_operations.md, references/pileup_operations.md, references/sql_processing.md) are present, the missing files could cause the agent to search for or attempt to load non-existent resources, potentially leading to confusion or unexpected fallback behavior. File: SKILL.md Remediation: Remove references to non-existent files from the skill package, or add the missing files. Audit the SKILL.md instructions to ensure all referenced paths are accurate and the files exist within the skill package directory.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Recommended in Some Contexts

  The skill's Quick Start section pins polars-bio to version 0.31.0 (uv pip install 'polars-bio==0.31.0'), which is good practice. However, the YAML compatibility field mentions 'uv pip install' without a version pin, and the skill references polars-bio as a dependency without specifying the full dependency chain or hash verification. The referenced files polars.py and polars_bio.py were not found in the package, which could indicate missing or phantom dependencies. File: SKILL.md Remediation: Ensure the compatibility field also specifies the pinned version. Verify that polars.py and polars_bio.py referenced files either exist in the package or are removed from the references list. Consider providing a requirements.txt or pyproject.toml with pinned dependencies and hash verification for reproducible installations.

• 🔵 LOW LLM_DATA_EXFILTRATION — Static Analyzer False Positive: No Actual Exfiltration or Env Var Access Found

  The pre-scan static analyzer flagged BEHAVIOR_ENV_VAR_EXFILTRATION, BEHAVIOR_CROSSFILE_EXFILTRATION_CHAIN, and BEHAVIOR_CROSSFILE_ENV_VAR_EXFILTRATION. After thorough manual review of all provided files (SKILL.md, scripts/run_deseq2_analysis.py, references/api_reference.md, references/workflow_guide.md), no actual environment variable access (os.environ, os.getenv, etc.) and no network calls (requests, urllib, http.client, socket, etc.) were found in any script or instruction. The static analyzer findings appear to be false positives, possibly triggered by pattern matching on benign bioinformatics code. No cross-file exfiltration chain exists in the reviewed content. File: scripts/run_deseq2_analysis.py Remediation: No remediation required for this finding. The skill appears clean of exfiltration patterns. Verify that the static analyzer rules are not producing false positives on bioinformatics library imports.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing License and Compatibility Metadata

  The skill manifest does not specify a license or compatibility field. While this is informational, the absence of provenance metadata (license, compatibility) makes it harder to audit the skill's trustworthiness and intended deployment scope, particularly for a skill that handles sensitive healthcare/EHR data contexts. File: SKILL.md Remediation: Add a license field (e.g., MIT, Apache-2.0) and a compatibility field to the YAML frontmatter to improve auditability and trust.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Over-Broad Skill Activation Description with Keyword Baiting

  The skill description and SKILL.md 'When to use this skill' section contain an extensive list of trigger keywords and explicitly instruct the agent to activate 'even if PyHealth isn't named explicitly.' This broad activation language could cause the skill to be invoked in contexts where it is not appropriate, inflating its perceived scope and priority over other skills. File: SKILL.md Remediation: Narrow the activation criteria to cases where PyHealth is explicitly mentioned or clearly implied. Avoid instructing the agent to activate on broad domain keywords that could match unrelated queries.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Declaration

  The skill does not declare an allowed-tools field in its manifest. While optional per spec, the skill instructs the agent to run Python scripts (assets/starter_pipeline.py) and bash commands (uv run, pip install equivalents). Without an explicit allowed-tools declaration, there is no manifest-level constraint on what tools the agent may use. File: SKILL.md Remediation: Add 'allowed-tools: [Python, Bash]' to the YAML frontmatter to explicitly declare the tools this skill requires, enabling downstream policy enforcement.

• 🔵 LOW LLM_DATA_EXFILTRATION — Multiple Referenced Files Not Found in Package

  The skill references numerous files that are not present in the package (templates/material-handling.md, assets/analytical-equipment.md, templates/liquid-handling.md, assets/hardware-backends.md, assets/material-handling.md, templates/resources.md, pylabrobot.py, templates/visualization.md, assets/visualization.md, templates/analytical-equipment.md, templates/hardware-backends.md, assets/liquid-handling.md, assets/resources.md). The absence of pylabrobot.py is notable as it is referenced as a script file. Missing files could indicate an incomplete package or that the agent may attempt to fetch them from external sources. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. Remove references to files that do not exist, or document clearly that they are optional. Verify pylabrobot.py is intentionally absent or include it.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Metadata

  The skill manifest does not specify the 'allowed-tools' field. While this is optional per the agent skills spec, the skill instructs the agent to execute Python code for laboratory automation, including hardware control, file I/O (JSON serialization), and network documentation references. Declaring allowed tools would improve transparency about the skill's intended capabilities. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools the skill requires, e.g., allowed-tools: [Python, Read, Write].

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing Compatibility Metadata

  The skill manifest does not specify the 'compatibility' field. Given that the skill controls physical laboratory hardware (Hamilton STAR, Opentrons OT-2, Tecan EVO) and requires USB/network connectivity, documenting compatibility constraints would help users understand the execution environment requirements. File: SKILL.md Remediation: Add a 'compatibility' field to the YAML frontmatter describing platform requirements and hardware dependencies.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation Instruction

  The SKILL.md instructs users to install PyLabRobot via 'uv pip install pylabrobot' without specifying a version pin. This exposes the skill to supply chain risks where a compromised or malicious version of the package could be installed. Laboratory automation software controlling physical hardware carries elevated risk from supply chain compromise. File: SKILL.md Remediation: Pin the package to a specific known-good version, e.g., 'uv pip install pylabrobot==0.x.y', and document the expected package hash or reference the official PyPI page for verification.

• 🔵 LOW LLM_DATA_EXFILTRATION — Missing Referenced Files May Indicate Incomplete Package

  Several files referenced in the SKILL.md instructions are not present in the skill package. These include references/hierarchical_model_template.py, templates/distributions.md, pymc.py, templates/hierarchical_model_template.py, arviz.py, scripts.py, assets/sampling_inference.md, templates/linear_regression_template.py, assets/distributions.md, templates/sampling_inference.md, and references/linear_regression_template.py. While this is primarily a completeness issue, missing files could cause the agent to seek external sources to fulfill the skill's stated functionality, potentially introducing indirect trust risks if the agent fetches replacements from untrusted locations. File: SKILL.md Remediation: Ensure all referenced files are bundled within the skill package. Remove references to non-existent files from SKILL.md or add the missing files to the package.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Inconsistent Referenced File Paths Suggesting Capability Inflation

  The SKILL.md references files across multiple directory structures (references/, assets/, templates/) for the same logical content (e.g., algorithms.md appears as references/algorithms.md, assets/algorithms.md, and templates/algorithms.md). Many of these files are listed as 'not found'. This inconsistency may cause the agent to search broadly or behave unpredictably when resolving references, but does not represent a direct security threat. The pre-scan flagged cross-file exfiltration chains, but review of actual script content shows no evidence of data exfiltration or malicious chaining. File: SKILL.md Remediation: Consolidate reference file paths to a single consistent directory structure. Remove references to non-existent files (assets/, templates/ variants) to avoid agent confusion and unnecessary file-system traversal.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools and compatibility metadata

  The SKILL.md manifest does not specify 'allowed-tools' or 'compatibility' fields. While these are optional per the agent skills spec, their absence means there are no declared restrictions on which agent tools this skill may invoke. Given the skill's scope (file I/O, subprocess execution via samtools/bcftools), explicit tool declarations would improve transparency. File: SKILL.md Remediation: Add 'allowed-tools' and 'compatibility' fields to the YAML frontmatter to clearly declare intended tool usage and supported environments.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Missing allowed-tools Declaration

  The SKILL.md manifest does not declare an 'allowed-tools' field. The skill executes Python scripts (benchmark_evaluation.py, molecular_generation.py, load_and_split_data.py) and Bash commands (pip/uv install), and makes network calls to download datasets. Without an explicit allowed-tools declaration, there is no agent-level restriction on what tools this skill can invoke, reducing the ability to audit or constrain its capabilities. File: SKILL.md Remediation: Add an explicit 'allowed-tools' field to the YAML frontmatter listing the tools actually needed, e.g., 'allowed-tools: [Python, Bash]'. This improves transparency and allows agent runtimes to enforce capability restrictions.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Installation via pip/uv

  The SKILL.md instructs users to install PyTDC using 'uv pip install PyTDC' and 'uv pip install PyTDC --upgrade' without specifying a pinned version. This means the skill will always install the latest available version of PyTDC and its dependencies (numpy, pandas, tqdm, seaborn, scikit_learn, fuzzywuzzy), which could introduce supply chain risks if any of these packages are compromised or if a malicious version is published. The '--upgrade' flag further increases this risk by actively pulling newer, potentially untested versions. File: SKILL.md Remediation: Pin the PyTDC version to a specific known-good release (e.g., 'uv pip install PyTDC==0.4.1'). Also pin core dependencies with exact versions. Periodically review and update pinned versions after security review.

• 🔵 LOW LLM_DATA_EXFILTRATION — External Network Calls to Third-Party APIs (Entity Retrieval Utilities)

  The references/utilities.md documents utility functions cid2smiles() and uniprot2seq() that make outbound network calls to PubChem and UniProt databases respectively. While these are legitimate scientific databases, the skill documentation does not disclose these network calls to users, and the data returned from these external APIs is used directly in ML pipelines without validation. Additionally, the PyTDC library itself downloads datasets from remote servers (e.g., ChEMBL_V29, BindingDB_Kd) during runtime. The pre-scan flagged environment variable access with network calls, which warrants attention. File: references/utilities.md Remediation: Document all external network calls made by the skill in the SKILL.md manifest. Validate and sanitize data returned from external APIs before use. Consider caching results locally to reduce external dependency exposure.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Unpinned Package Dependency

  The skill instructs installation of pyzotero without a pinned version (e.g., 'uv add pyzotero' or 'uv add "pyzotero[cli]"'). While the SKILL.md mentions 'pyzotero 1.13+' as a minimum, the installation commands do not pin to a specific version. A compromised or malicious future version of pyzotero on PyPI could introduce supply chain risks. The MCP reference also suggests 'uvx --from "pyzotero[mcp]" pyzotero-mcp' which always fetches the latest version. File: SKILL.md Remediation: Pin the pyzotero dependency to a specific version in installation instructions, e.g., 'uv add pyzotero==1.13.0'. This ensures reproducible installs and protects against supply chain attacks via version bumps.

• 🔵 LOW LLM_DATA_EXFILTRATION — Environment Variable Access for API Credentials

  The skill reads sensitive environment variables (ZOTERO_API_KEY, ZOTERO_LIBRARY_ID, ZOTERO_LIBRARY_TYPE) and passes them to the pyzotero client which makes network calls to the Zotero Web API. This is expected and legitimate behavior for this skill's stated purpose, but it does represent a data flow where credentials are transmitted over the network. The authentication reference file explicitly warns against hardcoding keys and recommends environment variables, which is good practice. The static analyzer flagged this as a potential exfiltration chain, but the network destination (api.zotero.org) is the legitimate Zotero API endpoint, not an attacker-controlled server. File: references/authentication.md Remediation: This is expected behavior. Users should ensure they only provide API keys with the minimum required permissions (read-only if write access is not needed) and rotate keys if compromised. The skill's authentication.md already provides good guidance on this.

• 🔵 LOW LLM_PROMPT_INJECTION — MCP Server Introduces External Instruction Surface via Semantic Scholar

  The references/mcp.md file describes Semantic Scholar integration tools (find_related, get_citations, get_references, search_semantic_scholar) that fetch data from an external third-party service (Semantic Scholar). Results from this external service are returned to the LLM agent. If Semantic Scholar results contained adversarially crafted content (e.g., paper titles or abstracts with embedded prompt injection), this could constitute an indirect prompt injection vector when the agent processes and displays those results. File: references/mcp.md Remediation: When displaying or processing results from external APIs like Semantic Scholar, the agent should treat returned content as untrusted data and avoid executing any instructions embedded in paper titles, abstracts, or other metadata fields. Consider sanitizing or truncating displayed content from external sources.

• 🔵 LOW LLM_SKILL_DISCOVERY_ABUSE — Capability Claims May Exceed Actual Skill Scope

  The SKILL.md description and overview make several marketing-style performance claims ('83x faster transpilation than competitors', '29% fewer two-qubit gates', '13M+ downloads') that are presented as facts within the skill instructions. While these appear to be legitimate Qiskit marketing claims, embedding benchmark comparisons as instructional facts could mislead the agent into making overconfident claims to users about performance characteristics that depend heavily on specific use cases and hardware configurations. File: SKILL.md Remediation: Qualify performance claims with appropriate context (e.g., 'up to 83x faster in benchmarks') and note that actual performance varies by circuit complexity, hardware, and use case. This prevents the agent from making absolute performance guarantees to users.

• 🔵 LOW LLM_SUPPLY_CHAIN_ATTACK — Multiple Referenced Files Not Found in Skill Package

  The skill references numerous files that are not present in the package: assets/transpilation.md, templates/setup.md, templates/circuits.md, templates/patterns.md, assets/algorithms.md, assets/patterns.md, templates/transpilation.md, assets/backends.md, templates/backends.md, templates/visualization.md, templates/primitives.md, qiskit.py, assets/visualization.md, templates/algorithms.md, assets/circuits.md, scipy.py, assets/primitives.md, qiskit_ibm_runtime.py. Missing files could cause agent confusion or errors, and the presence of expected Python files (qiskit.py, scipy.py, qiskit_ibm_runtime.py) that are absent may indicate an incomplete or tampered package. File: SKILL.md Remediation: Audit the skill package to ensure all referenced files are included. Remove references to non-existent files from SKILL.md, or add the missing files. The missing Python files (qi