Back to skill

Security audit

Protein Struct Viz

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed PyMOL script generator whose local file-writing and optional structure-fetch commands fit its protein-visualization purpose.

Install only if you intend to generate local PyMOL scripts. Keep output filenames inside your project workspace, avoid untrusted residue/color/path strings, and review the generated `.pml` before running it in PyMOL, especially when using PDB IDs that may cause PyMOL to fetch structures externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The documentation says there are no Python package dependencies while also advertising network/API capability and external API calls, which is inconsistent and can conceal the true attack surface. That discrepancy may cause reviewers or operators to underestimate supply-chain, egress, or data-exposure risks, especially if the skill fetches structures by PDB ID from external services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes generating executable PyMOL script files and mentions network/API behavior without an explicit warning about filesystem writes, external requests, or possible disclosure of user-supplied structure data. Because `.pml` files are command scripts that may later be executed in PyMOL, insufficient warning and validation increases the risk of unsafe script content, unintended file impact, and privacy surprises for users.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.