
Security audit

Pharmaclaw Tox Agent

Security checks across malware telemetry and agentic risk

Overview

This is a local chemistry screening helper whose toxicology claims are overstated; the audit found no hidden access, persistence, exfiltration, or destructive behavior.

Use it only as an early local heuristic for SMILES strings, not as authoritative toxicology, clinical, regulatory, or drug-safety advice. Treat confidential compound structures as sensitive data if you connect the skill to downstream pipeline agents, and verify the source of the RDKit dependency before installing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%

Finding
The skill advertises a three-level Low/Medium/High risk classifier, but the implementation collapses every non-low outcome into a single 'Medium/High' label. In a toxicology workflow this can mislead downstream agents or users into treating materially different safety profiles as equivalent, causing poor prioritization or unsafe decisions.
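One way to catch this class of mismatch mechanically, as an added example that is not code from the Pharmaclaw Tox Agent skill: compare the labels a manifest advertises with the string literals the classifier function can actually return, collected from its AST. The manifest label set, the two classifier sources (one collapsed as the finding describes, one honouring the three-level contract) and the function name `classify_risk` are all constructed for the demonstration.

```python
"""Audit a skill's advertised risk labels against the labels its classifier
can actually return.  Added example for this audit page; it is not code from
the Pharmaclaw Tox Agent skill, and the manifest labels and classifier sources
below are constructed to mirror the finding."""
import ast

# Constructed: the output labels the skill manifest advertises.
CLAIMED_LABELS = {"Low", "Medium", "High"}

# Constructed: a classifier shaped like the finding describes, where every
# non-low outcome collapses into one label.
COLLAPSED_CLASSIFIER = '''
def classify_risk(qed, alert_count):
    if alert_count == 0 and qed >= 0.5:
        return "Low"
    return "Medium/High"
'''

# Constructed: a classifier that honours the three-level contract.
THREE_LEVEL_CLASSIFIER = '''
def classify_risk(qed, alert_count):
    if alert_count == 0 and qed >= 0.5:
        return "Low"
    if alert_count <= 1:
        return "Medium"
    return "High"
'''


def returned_string_literals(source, func_name):
    """Walk the AST of `source` and collect every string constant that
    `func_name` returns.  Returns (literals, dynamic_return_count): a return
    whose value is not a string literal (a variable, f-string, call) is
    counted rather than guessed, so the audit never reports coverage it
    cannot see."""
    literals, dynamic = set(), 0
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.FunctionDef) and node.name == func_name):
            continue
        for sub in ast.walk(node):
            if not isinstance(sub, ast.Return):
                continue
            value = sub.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                literals.add(value.value)
            else:
                dynamic += 1
    return literals, dynamic


def audit_labels(claimed, source, func_name="classify_risk"):
    """Compare advertised labels with the labels the code can emit."""
    emitted, dynamic = returned_string_literals(source, func_name)
    return {
        "claimed_not_emitted": sorted(set(claimed) - emitted),
        "emitted_not_claimed": sorted(emitted - set(claimed)),
        "dynamic_returns": dynamic,
        # Flag a mismatch when the label sets differ or when some returns
        # could not be resolved statically.
        "mismatch": emitted != set(claimed) or dynamic > 0,
    }


if __name__ == "__main__":
    for name, src in (("collapsed", COLLAPSED_CLASSIFIER),
                      ("three-level", THREE_LEVEL_CLASSIFIER)):
        print(name, audit_labels(CLAIMED_LABELS, src))
```

The check is deliberately conservative: any return that is not a plain string literal is counted as unresolved and flagged, so a classifier that builds labels at runtime is surfaced for manual review instead of being reported as matching the manifest.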

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%

Finding
The manifest claims PAINS substructure alerts, but the code checks only two hard-coded SMARTS patterns, which is far from a real PAINS screen. RDKit itself ships the published PAINS SMARTS families as a FilterCatalog, so the two-pattern check is a design shortfall rather than a dependency limitation. In a drug-safety context this creates false assurance by missing many known assay-interference motifs, so unsafe compounds can be under-classified and propagated to downstream suggestion workflows.

Vague Triggers

Severity: Medium
Confidence: 92%

Finding
The trigger list contains broad terms such as "risk," "safety," and "QED" that are likely to match many unrelated user requests, causing the skill to activate outside its intended toxicology context. In a chained pipeline, unintended invocation can route sensitive chemistry or pharmacology queries into downstream components and produce misleading or overconfident safety assessments.
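To make the breadth of such a trigger list measurable, here is an added example (not the skill's own trigger logic) that runs a naive substring trigger and a scoped alternative over a handful of in-scope and out-of-scope requests and counts false activations and misses. The scoped policy requires a whole-word toxicology keyword plus a token that parses as a SMILES string; the trigger lists, the SMILES heuristic and every sample request are constructed for the demonstration, and the heuristic is intentionally rough (it rejects short all-letter SMILES such as "CCO").

```python
"""Measure how a skill's trigger list behaves on requests inside and outside
its intended scope.  Added example for this audit page; it is not the skill's
own trigger logic.  The trigger lists, the SMILES heuristic and the sample
requests are all constructed for the demonstration."""
import re

# Constructed: a broad keyword list of the kind the finding describes,
# matched by naive substring search.
BROAD_TRIGGERS = ["risk", "safety", "qed", "pains", "toxicity"]

# Constructed: a narrower policy that fires only when a toxicology keyword
# appears as a whole word AND the request carries something that parses as
# a SMILES string.
TOX_KEYWORDS = ["toxicity", "tox", "admet", "pains", "qed"]

# Two-letter organic-subset atoms first so "Cl"/"Br" are not read as C/B plus
# junk; then single-letter atoms, aromatic lowercase atoms, bracket atoms.
ATOM_RE = re.compile(r"Cl|Br|[BCNOPSFI]|[bcnops]|\[[^\]]+\]")
BOND_RING_CHARS = set("()=#@+-%./\\0123456789")
STRUCTURE_CHARS = set("()[]=#0123456789")


def looks_like_smiles(token):
    """Rough SMILES detector: the token must tokenize entirely into atoms
    and bond/ring/branch symbols, with at least two atoms and at least one
    structural symbol.  Plain words fail on their first non-atom letter;
    short all-letter strings such as "CCO" are deliberately rejected, which
    is the false-negative side of this heuristic."""
    token = token.strip(",.;:?!\"'")
    if len(token) < 3:
        return False
    i, atoms = 0, 0
    while i < len(token):
        m = ATOM_RE.match(token, i)
        if m:
            atoms += 1
            i = m.end()
        elif token[i] in BOND_RING_CHARS:
            i += 1
        else:
            return False
    return atoms >= 2 and any(ch in STRUCTURE_CHARS for ch in token)


def broad_match(request):
    """Naive substring trigger: the behaviour the finding warns about
    ("risk" fires on "brisk", "safety" fires on any safety question)."""
    text = request.lower()
    return [t for t in BROAD_TRIGGERS if t in text]


def scoped_match(request):
    """Whole-word tox keyword plus a SMILES-looking token; either alone does
    not activate the skill."""
    text = request.lower()
    hits = [k for k in TOX_KEYWORDS if re.search(rf"\b{re.escape(k)}\b", text)]
    has_structure = any(looks_like_smiles(tok) for tok in request.split())
    return hits if (hits and has_structure) else []


# Constructed sample requests: (in_scope, text).
SAMPLE_REQUESTS = [
    (False, "What is the safety record of this airline?"),
    (False, "Give me a brisk summary of the quarterly results."),
    (False, "Explain what QED means at the end of a proof."),
    (False, "Convert CCN(CC)CC to an IUPAC name."),
    (True, "Compute QED and flag PAINS for CC(=O)Oc1ccccc1C(=O)O"),
    (True, "Run a tox screen on c1ccccc1O"),
]


def audit_triggers(requests=SAMPLE_REQUESTS):
    """Count out-of-scope activations and in-scope misses for both policies."""
    summary = {"broad_out_of_scope": 0, "broad_missed": 0,
               "scoped_out_of_scope": 0, "scoped_missed": 0}
    for in_scope, text in requests:
        broad, scoped = bool(broad_match(text)), bool(scoped_match(text))
        summary["broad_out_of_scope"] += int(broad and not in_scope)
        summary["broad_missed"] += int(in_scope and not broad)
        summary["scoped_out_of_scope"] += int(scoped and not in_scope)
        summary["scoped_missed"] += int(in_scope and not scoped)
    return summary


if __name__ == "__main__":
    for in_scope, text in SAMPLE_REQUESTS:
        print(f"{'IN ' if in_scope else 'OUT'} broad={broad_match(text)} "
              f"scoped={scoped_match(text)}  {text}")
    print(audit_triggers())
```

On the constructed set the broad list fires on three of the four out-of-scope requests and still misses an in-scope "tox screen" request, while the scoped policy does neither. In a real agent host the cleaner fix is to key activation on a structured input field (a SMILES argument) rather than on free-text keywords at all; the heuristic here only shows how to quantify the problem before choosing that fix.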

VirusTotal

65/65 vendors reported this skill as clean. A clean antivirus verdict speaks to known-malware signatures, not to the description-behavior mismatches and trigger issues listed above.

Static analysis

No suspicious patterns detected.