Trust Assessment
pubchem-database received a trust score of 44/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 3 critical, 0 high, 4 medium, and 0 low severity. Key findings include Unsafe deserialization / dynamic eval, Suspicious import: requests, Arbitrary File Write via pcp.download and open().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary File Write via pcp.download and open().** The skill allows writing files to the local filesystem using `pubchempy.download()` and direct `open()` calls. The `filename` parameter for `pcp.download` (wrapped in `scripts/compound_search.py`) and the path for `open()` (demonstrated in `SKILL.md`) are derived from skill inputs. An attacker could specify a malicious path (e.g., `/tmp/malicious.sh`, `../../sensitive_config.json`) to write or overwrite arbitrary files on the agent's system. The `overwrite=True` flag in `pcp.download` further increases the risk by allowing existing files to be replaced without confirmation. Remediation: 1. Restrict file write operations to a designated, isolated sandbox directory. 2. Sanitize or validate `filename` inputs to prevent directory traversal (e.g., `../`, absolute paths). 3. Avoid `overwrite=True` or implement strict checks before overwriting. 4. Consider returning file content directly to the user/agent instead of writing to disk, or using temporary files that are immediately deleted. | LLM | scripts/compound_search.py:170 |
| CRITICAL | **Arbitrary File Write via pcp.download and open() (SKILL.md example).** The skill's documentation demonstrates writing files to the local filesystem using `pubchempy.download()` and direct `open()` calls. The `filename` parameter for `pcp.download` and the path for `open()` are derived from skill inputs. An attacker could specify a malicious path (e.g., `/tmp/malicious.sh`, `../../sensitive_config.json`) to write or overwrite arbitrary files on the agent's system. The `overwrite=True` flag in `pcp.download` further increases the risk by allowing existing files to be replaced without confirmation. Remediation: 1. Restrict file write operations to a designated, isolated sandbox directory. 2. Sanitize or validate `filename` inputs to prevent directory traversal (e.g., `../`, absolute paths). 3. Avoid `overwrite=True` or implement strict checks before overwriting. 4. Consider returning file content directly to the user/agent instead of writing to disk, or using temporary files that are immediately deleted. | LLM | SKILL.md:200 |
| CRITICAL | **Arbitrary File Write via pcp.download and open() (SKILL.md example).** The skill's documentation demonstrates writing files to the local filesystem using `pubchempy.download()` and direct `open()` calls. The `filename` parameter for `pcp.download` and the path for `open()` are derived from skill inputs. An attacker could specify a malicious path (e.g., `/tmp/malicious.sh`, `../../sensitive_config.json`) to write or overwrite arbitrary files on the agent's system. The `overwrite=True` flag in `pcp.download` further increases the risk by allowing existing files to be replaced without confirmation. Remediation: 1. Restrict file write operations to a designated, isolated sandbox directory. 2. Sanitize or validate `filename` inputs to prevent directory traversal (e.g., `../`, absolute paths). 3. Avoid `overwrite=True` or implement strict checks before overwriting. 4. Consider returning file content directly to the user/agent instead of writing to disk, or using temporary files that are immediately deleted. | LLM | SKILL.md:217 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Pattern matched: decryption followed by code execution. Remediation: remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | cli-tool/components/skills/scientific/pubchem-database/scripts/bioactivity_query.py:5 |
| MEDIUM | **Unsafe deserialization / dynamic eval.** Pattern matched: decryption followed by code execution. Remediation: remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | cli-tool/components/skills/scientific/pubchem-database/scripts/compound_search.py:5 |
| MEDIUM | **Suspicious import: requests.** Import of `requests` detected. This module provides network or low-level system access. Verify this import is necessary; network and system modules in skill code may indicate data exfiltration. | Static | cli-tool/components/skills/scientific/pubchem-database/scripts/bioactivity_query.py:15 |
| MEDIUM | **Unpinned Python Dependencies.** The skill's installation instructions (`uv pip install pubchempy`, `uv pip install requests`, `uv pip install pandas`) do not specify exact version numbers for its Python dependencies. This can lead to non-deterministic builds, where future installations might pull in newer versions that introduce breaking changes, security vulnerabilities, or even malicious code if a package maintainer's account is compromised. Remediation: pin all dependencies to exact versions (e.g., `pubchempy==1.0.4`, `requests==2.31.0`) using a `requirements.txt` or similar lock file. Regularly audit and update these pinned versions. | LLM | SKILL.md:260 |
Full report: https://skillshield.io/report/7f4216fd2ff26205 (powered by SkillShield)