RxnIM

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent chemistry image-parsing helper, but its online workflow sends reaction images to a HuggingFace service.

Use the HuggingFace API only for reaction images you are comfortable sending to a third-party service. For confidential research, unpublished routes, or regulated data, prefer a reviewed local deployment in an isolated environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill explicitly instructs sending user-provided reaction images to a third-party HuggingFace Space, but it does not warn that uploaded images and embedded metadata may leave the local environment and be processed by an external service. This creates a real privacy and data-governance risk, especially because chemistry reaction images may contain proprietary research, confidential process information, or regulated data.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal