審計歷史

The static analysis flagged 415 patterns, but 95% are FALSE POSITIVES from markdown documentation. The backtick patterns are markdown code delimiters, not shell execution. The API key patterns show example environment variable names in documentation, not actual secrets. The skill is a legitimate Stanford SNAP lab biomedical research framework. The code execution + network + credential combination is the intended design for an AI agent that generates bioinformatics analysis code. Proper security warnings are documented recommending sandboxed execution.

The static analysis flagged 415 patterns, but 95% are FALSE POSITIVES from markdown documentation. The backtick patterns are markdown code delimiters, not shell execution. The API key patterns show example environment variable names in documentation, not actual secrets. The skill is a legitimate Stanford SNAP lab biomedical research framework. The code execution + network + credential combination is the intended design for an AI agent that generates bioinformatics analysis code. Proper security warnings are documented recommending sandboxed execution.

Biomni is a legitimate biomedical research framework from Stanford that requires code execution capabilities for its core functionality. While static analysis flags many security patterns, these are necessary for an AI agent that generates and executes analysis code. The skill includes proper security warnings and recommends sandboxed execution.

This skill provides documentation and helper scripts for the biomni biomedical AI framework. The setup script runs external commands (conda) and writes API keys to .env files, which are legitimate setup operations but expand the attack surface. No evidence of obfuscation, credential theft, or malicious network calls.