Trust Assessment
diffdock received a trust score of 33/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 1 critical, 2 high, 1 medium, and 1 low severity. Key findings include Unsafe deserialization / dynamic eval, Dangerous call: __import__(), Network egress to untrusted endpoints.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Potential Command Injection via Unsanitized User Inputs in Shell Commands.** The `SKILL.md` defines several shell commands that the AI agent is expected to execute, including `python -m inference`, `python scripts/...`, and `gnina`. These commands take various user-controlled inputs such as file paths (`--protein_path`, `--ligand` if it is a file, `protein_path` and `ligand_description` within CSVs), ligand SMILES strings (`--ligand`), and output directories (`--out_dir`). If the AI agent directly interpolates these untrusted inputs into shell command strings without proper sanitization or escaping, an attacker could inject arbitrary shell commands. For example, a malicious ligand SMILES string like `"; rm -rf /; #"` or a crafted file path could lead to arbitrary code execution. While `scripts/prepare_batch_csv.py` performs some validation for CSV inputs, this validation is not explicitly mandated for all input types (e.g., the single-docking `--ligand` argument) and might not prevent injection if the agent constructs the command before validation or uses `shell=True` with unescaped inputs. Remediation: The AI agent should use a safe method for executing external commands, such as `subprocess.run()` with `shell=False` and passing arguments as a list, ensuring all user-controlled inputs are treated as literal strings and not interpreted as shell commands. Alternatively, all user inputs must be rigorously sanitized and shell-escaped (e.g., using `shlex.quote()`) before being passed to `subprocess.run(..., shell=True)`. The validation provided by `scripts/prepare_batch_csv.py` should be explicitly integrated for all relevant user inputs before command construction, not just for batch CSVs. | LLM | SKILL.md:79 |
| HIGH | **Unsafe deserialization / dynamic eval.** Python builtins/import manipulation. Remediation: Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | cli-tool/components/skills/scientific/diffdock/scripts/setup_check.py:40 |
| HIGH | **Dangerous call: `__import__()`.** Call to `__import__()` detected in function `check_package`. This can execute arbitrary code. Remediation: Avoid using dangerous functions like `exec`/`eval`/`os.system`. Use safer alternatives. | Static | cli-tool/components/skills/scientific/diffdock/scripts/setup_check.py:40 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to raw IP address. Remediation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Remediation: Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/ad9aa11fc1eb5bbb