Back to skill

Security audit

PharmaClaw Chemistry Query

Security checks across malware telemetry and agentic risk

Overview

This is a chemistry/RDKit toolkit that makes declared public API calls and writes expected chemistry output files, with some operational risks users should understand before running it.

Install only if public chemistry API lookups and local output files are acceptable for your workflow. For confidential compounds, avoid name lookups or run offline-only RDKit actions; review or disable the optional lab_hook integration if you also use pharmaclaw-lab-ui; and be aware that OPSIN conversion downloads and runs a checksum-verified Java JAR on first use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
warnings.append(proc.stderr.strip())

        # Draw
        proc = subprocess.run(
            [sys.executable, os.path.join(script_dir, 'rdkit_mol.py'),
             '--smiles', canonical_smiles, '--action', 'draw', '--output', png_path],
            cwd=script_dir, capture_output=True, text=True, timeout=30)
Confidence
87% confidence
Finding
proc = subprocess.run( [sys.executable, os.path.join(script_dir, 'rdkit_mol.py'), '--smiles', canonical_smiles, '--action', 'draw', '--output', png_path],

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The chemspace action accepts an arbitrary local file path and reads it without constraining the path to a dedicated workspace or expected input directory. In an agent environment, this can expose unintended local files to the skill and enable data exfiltration or sensitive file probing if an attacker can influence the input_file argument.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill silently modifies sys.path to import code from an external sibling project and transmits analysis state and compound metadata through lab_update. This undeclared cross-component integration increases the attack surface, enables covert data exfiltration or unexpected side effects, and makes the skill's trust boundary broader than its stated chemistry-query purpose.

Description-Behavior Mismatch

Low
Confidence
83% confidence
Finding
The skill persists visualization images to disk even though the user may only expect transient query/analysis behavior. In agent environments, unexpected file creation can leak sensitive inputs, consume storage, and interact badly with shared workspaces, especially when paired with user-influenced filenames.

Description-Behavior Mismatch

Medium
Confidence
77% confidence
Finding
The script's behavior does not match the declared skill scope: it queries ChEMBL bioactivity and mechanism data rather than the advertised PubChem/RDKit chemistry functionality. This mismatch is dangerous because hidden or undeclared capabilities reduce operator visibility, can bypass review expectations, and in a chemistry context expose pharmacology/targeting data that may be more sensitive or dual-use than generic compound-property lookups.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The script performs an on-demand external download of an executable JAR and then prepares it for local execution. Even though the artifact is checksum-pinned, this expands the trust boundary, introduces supply-chain and availability risk, and creates behavior not clearly declared in the skill description, which matters in restricted or enterprise agent environments.

Context-Inappropriate Capability

Medium
Confidence
72% confidence
Finding
The skill invokes a local Java runtime to execute an external JAR, which is a meaningful expansion of execution capability beyond simple PubChem/RDKit querying. In agent contexts, undeclared subprocess execution increases attack surface, complicates sandboxing expectations, and may enable abuse if the environment or dependency is compromised.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file implements PubMed literature search even though the skill manifest describes a PubChem/RDKit chemistry-query capability. That scope mismatch expands the agent's behavior beyond declared functionality, which can bypass user/operator expectations, policy gating, or review boundaries for allowed external data sources. In an agent skill, undeclared capabilities are risky because they may be invoked without appropriate authorization or monitoring.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill describes automatic external API use and first-run download of an OPSIN JAR without an explicit user-facing warning or consent step. Silent network activity and dependency retrieval are risky because they can leak user queries to third parties, violate offline/regulated deployment expectations, and introduce supply-chain exposure even when checksum verification is present.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
When a non-SMILES target is provided, the code forwards the user-supplied compound name to query_pubchem.py, which likely sends it to PubChem. In an agent setting, this can leak user-provided research targets, proprietary compound names, or sensitive workflow context to an external service without any explicit consent or disclosure in this file.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.