Is cheminem/pharma-pharmacology-agent safe?
https://github.com/openclaw/skills/tree/main/skills/cheminem/pharma-pharmacology-agent
pharma-pharmacology-agent is a self-contained RDKit-based ADME/PK profiling tool with clean, narrowly scoped Python code and no prompt injection, hidden instructions, or network exfiltration payload. The primary risks are architectural: unconditional chaining to two downstream skills (toxicology, ip-expansion) creates a supply-chain pivot if those skills are malicious, and sensitive credential files were recorded as accessed during the install session, although timing and code-path analysis strongly attributes both access events to the Oathe audit framework rather than to the skill. No canary modifications, persistent processes, or unexpected network destinations were observed.
Findings (8)
HIGH (-22): Credential and key files accessed during install session
inotify and auditd both recorded OPEN and ACCESS syscalls against .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud ADC credentials during the monitored window. While timing analysis strongly suggests both access bursts originate from the Oathe audit framework (first burst 5 seconds before the git clone; second burst during post-install evidence collection), the skill's install process and the canary accesses share the same OS session and the evidence does not include PID-level attribution for the second burst.
MEDIUM (-7): Hardcoded pipeline chaining forces downstream skill invocation
Every response from chain_entry.py unconditionally sets recommend_next to [toxicology, ip-expansion]. An agent following this recommendation will automatically attempt to invoke those two skills. If the upstream agent treats recommend_next as an instruction, a malicious toxicology or ip-expansion skill installed alongside this one could leverage this skill as a trusted launching pad.
MEDIUM (-28): Unconditional downstream skill chaining creates supply-chain pivot risk
This skill's value depends on co-installation with chemistry-query, toxicology, and ip-expansion. It always recommends the latter two regardless of whether a user requested further analysis. An attacker controlling those sibling skills could use this skill as a trusted intermediary to load malicious behavior into agents that have already vetted pharma-pharmacology-agent.
LOW (-5): Dynamic sys.path modification in chain_entry.py
The script appends os.path.join(RDConfig.RDContribDir, 'SA_Score') to sys.path before importing sascorer. While this is the documented RDKit pattern for the SA Score module, it creates a code-load path from a filesystem location outside the skill directory. If RDConfig.RDContribDir is attacker-controlled or writable, a malicious sascorer.py could be loaded.
LOW (-8): exec in SKILL.md shell examples replaces parent process
The Quick Start examples use 'exec python scripts/chain_entry.py' rather than 'python scripts/chain_entry.py'. The shell exec builtin replaces the calling process, which prevents the caller from performing cleanup, logging, or timeout enforcement after the script runs. This is a minor operational concern rather than a direct exploit.
LOW (-3): exec in shell examples suppresses caller control flow
Use of exec in SKILL.md Quick Start snippets means any agent that follows the documented invocation pattern will lose the ability to wrap the Python process with a timeout, capture exit codes independently, or perform post-run sandboxing.
INFO (-8): Outbound HTTPS to GitHub during installation
The install process made a TLS connection to 140.82.121.3:443 (github.com) to perform a shallow sparse-checkout clone. This is expected behavior for the install mechanism and is the only external destination contacted.
INFO (-18): Canary files read but confirmed intact post-install
All six honeypot credential files were opened and read during the monitored session. The post-install canary integrity check confirmed no modifications and no exfiltration. Timing evidence indicates both access events were produced by the Oathe audit framework rather than by the skill itself.