Is huifer/admet-prediction safe?
https://github.com/openclaw/skills/tree/main/skills/huifer/admet-prediction
The huifer/admet-prediction skill is a legitimate pharmaceutical drug-discovery tool implementing ADMET property prediction using RDKit physicochemical descriptors and rule-based QSAR models. SKILL.md contains no prompt injection, hidden instructions, or exfiltration directives. The Python script is clean with no network calls, no credential access, and no malicious behaviors. Canary file accesses observed during monitoring are confirmed to originate from the audit infrastructure's own pre- and post-install integrity checks, not from the skill. The primary residual risks are inherent to any science-computation skill: pip dependency installation and the script accepting arbitrary file paths from the agent.
Findings (6)
LOW Executable Python script reads and writes arbitrary filesystem paths -10
admet_predict.py accepts --library, --input, and --output arguments that are passed directly to open() and RDKit file readers without path sanitization. If an LLM agent is manipulated into providing a crafted path, the script could read non-SDF/SMI files (the .smi branch opens any file as text) or write output to sensitive locations. Risk requires active adversarial prompt manipulation of the agent.
LOW Skill requires pip install of third-party packages -5
SKILL.md instructs pip install rdkit and optionally pip install deepchem admet-x. These are legitimate published packages, but installing packages during skill operation modifies the user's Python environment and introduces PyPI supply-chain trust assumptions.
LOW Output path is fully user/agent-controlled with no sanitization -5
The save() method writes JSON to whatever path args.output or a hardcoded default specifies. An agent could be directed to write to an unintended location. No actual exfiltration capability exists — data stays local — but path control without sandboxing is worth noting.
INFO Normal GitHub installation via git sparse-checkout 0
Installation performs git clone --depth 1 from github.com/openclaw/skills.git followed by git sparse-checkout set skills/huifer/admet-prediction and cp. This matches the expected monorepo skill installation pattern with no anomalies.
INFO Canary reads are audit-infrastructure reads only 0
Accesses to six canary files (.env, id_rsa, .aws/credentials, .npmrc, docker/config.json, gcloud credentials) were recorded by inotify and auditd at timestamps 1771935249.673 (pre-install) and 1771935267.827 (post-install). Both sets of reads are the audit system's own baseline-capture and final-check reads. The skill's Python code contains zero references to these paths.
INFO Missing referenced file: reference/pk-models.md -2
SKILL.md lists reference/pk-models.md in its References section but this file was not included in the skill. The SKILL.md contains no instruction for the agent to fetch it from an external source, so this is a documentation gap rather than a security risk.