Low Risk — Risk Score 20/100
Last scan: 2 days ago
MRAgent
LLM-powered automated Mendelian Randomization for causal discovery in biomedical research
MRAgent is a legitimate biomedical Mendelian Randomization analysis tool. All observed behaviors (R script execution, API key usage, network calls) are declared or consistent with the documented scientific purpose. No data exfiltration, reverse shells, or hidden C2 activity was found. Minor security flaws include unpinned dependencies and use of os.system() for R execution.
Skill Name: MRAgent
Duration: 140.2s
Engine: pi
Safe to install
Approve for use with caution: pin all Python and R package versions before deployment, replace os.system() with subprocess.run() for better argument isolation, and do not include .idea/deployment.xml with credentials in distributable packages.

Findings 7 items

Severity Finding Location
Low
os.system() used for R execution instead of subprocess
agent_tool.py uses os.system() three times (lines 382, 483, 672) to execute R scripts. While the Rscript binary is declared in SKILL.md, os.system() invokes a shell which has higher attack surface than subprocess.run(). The R scripts are dynamically generated and include the gwas_token as a string parameter.
os.system('R --slave --no-save --no-restore --no-site-file --no-environ -f  test.R --args')
→ Replace os.system() with subprocess.run() using a list of arguments for better isolation. Pass gwas_token via environment variable rather than embedding in the command line.
mrmrmr/mragent/agent_tool.py:382
Low
eval() used for parsing CSV cell values into Python lists
agent_workflow.py:1041-1042 uses eval() to convert string representations of Python lists (stored in CSV cells) back into actual lists. The source is internal agent output, not user-controlled external input, which limits exploitability.
Outcome_id_list = eval(Outcome_id)
Exposure_id_list = eval(Exposure_id)
→ Replace eval() with ast.literal_eval() which only evaluates Python literals (lists, dicts, strings, numbers, booleans, None) and cannot execute arbitrary code.
mrmrmr/mragent/agent_workflow.py:1041
Low
R packages auto-installed without version pinning
MRtool and MRtool_MRlap functions generate R scripts that call install.packages() for TwoSampleMR, ieugwasr, vcfR, MRlap, etc. without version constraints. This allows R to fetch the latest version from CRAN at runtime.
if (!requireNamespace("TwoSampleMR", quietly = TRUE)) {{
  install.packages("TwoSampleMR")
}}
→ Pin R package versions in the generated install step (base install.packages() takes no version argument, so pinning needs something like remotes::install_version() or an renv lockfile), or document that a specific version of R and these packages must be pre-installed.
mrmrmr/mragent/agent_tool.py:268
Low
Unpinned Python dependencies
requirements.txt and pyproject.toml use caret version ranges (^1.4.2, ^2.27.1, etc.) without upper bounds. This allows pip to install newer versions that could contain vulnerabilities.
pandas>=1.4.2
reportlab>=4.0.9
requests>=2.27.1
→ Pin exact versions (==) or narrow ranges for production deployments. Use tools like pip-compile or pipenv to generate a locked requirements file.
mrmrmr/requirements.txt:1
Info
Baidu Analytics tracking pixel in web_demo.py
web_demo.py includes a Baidu Analytics (hm.baidu.com) tracking script. This makes outbound HTTP requests to a third-party analytics service on every page load of the web UI.
hm.src = "https://hm.baidu.com/hm.js?d8a4c130d7263e954bf9df2496e692c3"
→ Remove Baidu Analytics from web_demo.py for privacy compliance, or at minimum document it in SKILL.md.
mrmrmr/web_demo.py:480
Info
IDE deployment config with hardcoded IPs and passwords
mrmrmr/.idea/deployment.xml contains SSH credentials with IP addresses (192.168.1.119, 172.25.18.14, etc.) and password references. These are IDE configuration files, not runtime code, but could leak if the package is distributed.
<paths name="[email protected]:22 password">
→ Remove .idea/ directory from distributable packages. Add it to .gitignore.
mrmrmr/.idea/deployment.xml:33
Info
curl|sh installation instructions in README.md
README.md:58 contains 'curl -fsSL https://ollama.com/install.sh | sh' for Ollama installation. This is standard Ollama setup documentation and is mentioned in SKILL.md's Ollama support section, though the actual execution command is in README.md not SKILL.md.
curl -fsSL https://ollama.com/install.sh | sh
→ Document the Ollama installation requirement explicitly in SKILL.md rather than relying on README.md.
mrmrmr/README.md:58
Resource | Declared | Inferred | Status | Evidence
Filesystem | WRITE | WRITE | ✓ Aligned | agent_tool.py:379 writes R scripts; agent_workflow.py:921 creates output directo…
Shell | WRITE | WRITE | ✓ Aligned | agent_tool.py:382,483,672 uses os.system('R --slave ...') to execute dynamically…
Network | READ | READ | ✓ Aligned | agent_tool.py makes HTTP requests to PubMed (Entrez), OpenGWAS (gwas.mrcieu.ac.u…
Environment | READ | READ | ✓ Aligned | run_mragent.py:49 reads OPENAI_API_KEY and OPENGWAS_JWT; gwas_token passed to MR…
Skill Invoke | NONE | NONE | | No cross-skill invocation observed
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No direct database connections found
1 Critical 1 High 37 findings
Critical: Dangerous Command (dangerous shell command)
curl -fsSL https://ollama.com/install.sh | sh
mrmrmr/README.md:58
High: IP Address (hard-coded IP address)
172.25.18.14
mrmrmr/.idea/deployment.xml:33

File Tree

31 files · 230.0 KB · 5318 lines
Python 18f · 4530L Markdown 2f · 414L Text 2f · 210L XML 7f · 131L TOML 1f · 25L Ignore 1f · 8L
├─ 📁 mrmrmr
│ ├─ 📁 .idea
│ │ ├─ 📁 inspectionProfiles
│ │ │ ├─ 📄 profiles_settings.xml XML 5L · 174 B
│ │ │ └─ 📄 Project_Default.xml XML 34L · 1.6 KB
│ │ ├─ 📄 .gitignore Ignore 8L · 182 B
│ │ ├─ 📄 deployment.xml XML 62L · 1.9 KB
│ │ ├─ 📄 forwardedPorts.xml XML 12L · 353 B
│ │ ├─ 📄 misc.xml XML 6L · 282 B
│ │ ├─ 📄 modules.xml XML 7L · 266 B
│ │ └─ 📄 vcs.xml XML 5L · 180 B
│ ├─ 📁 mragent
│ │ ├─ 🐍 __init__.py Python 1L · 76 B
│ │ ├─ 🐍 agent_tool.py Python 921L · 31.0 KB
│ │ ├─ 🐍 agent_workflow_OE.py Python 27L · 1.5 KB
│ │ ├─ 🐍 agent_workflow.py Python 1102L · 47.0 KB
│ │ ├─ 🐍 LLM.py Python 40L · 1.3 KB
│ │ └─ 🐍 template_text.py Python 263L · 23.1 KB
│ ├─ 🐍 agent_workflow_demo.py Python 15L · 538 B
│ ├─ 🐍 agent_workflow_OE_demo.py Python 12L · 389 B
│ ├─ 📄 LICENSE.txt Text 201L · 11.1 KB
│ ├─ 📄 pyproject.toml TOML 25L · 604 B
│ ├─ 📝 README.md Markdown 278L · 15.1 KB
│ ├─ 🐍 step_1_test_out.py Python 173L · 6.2 KB
│ ├─ 🐍 step_1_test_SimCSE.py Python 163L · 5.8 KB
│ ├─ 🐍 step_2_test_STROBE_MR.py Python 91L · 3.8 KB
│ ├─ 🐍 step_2_test.py Python 80L · 2.6 KB
│ ├─ 🐍 step_5_test.py Python 144L · 4.6 KB
│ ├─ 🐍 step_9_test_out.py Python 199L · 8.5 KB
│ ├─ 🐍 step_9_test_prompt.py Python 415L · 26.2 KB
│ ├─ 🐍 step_9_test_SimCSE.py Python 83L · 2.4 KB
│ └─ 🐍 web_demo.py Python 486L · 16.3 KB
├─ 📄 requirements.txt Text 9L · 142 B
├─ 🐍 run_mragent.py Python 315L · 10.3 KB
└─ 📝 SKILL.md Markdown 136L · 6.5 KB

Dependencies 10 items

Package | Version | Source | Known Vulns | Notes
pandas | ^1.4.2 | pip | No | Version not pinned, caret range
reportlab | ^4.0.9 | pip | No | Version not pinned, caret range
PyPDF2 | ^3.0.1 | pip | No | Version not pinned, note: PyPDF2 is superseded by pypdf
numpy | ^1.19.5 | pip | No | Version not pinned, caret range
biopython | ^1.82 | pip | No | Version not pinned, caret range
requests | ^2.27.1 | pip | No | Version not pinned, caret range; CVE-2023-32681 was in urllib, not requests
openai | ^1.6.1 | pip | No | Version not pinned, caret range
ollama | ^0.1.8 | pip | No | Version not pinned, caret range
TwoSampleMR | unpinned | R/CRAN | No | Auto-installed in R script without version constraint
ieugwasr | unpinned | R/CRAN | No | Auto-installed in R script without version constraint

Security Positives

✓ All network behavior (PubMed, OpenGWAS, NCBI, UMLS) is consistent with documented scientific functionality
✓ No data exfiltration to external IPs — API calls are all to legitimate biomedical databases
✓ No reverse shells, C2 infrastructure, or suspicious encoded payloads found
✓ No credential harvesting beyond declared API keys used for their intended services
✓ No hidden functionality — the codebase is a straightforward MR analysis pipeline
✓ API keys are only used to call the declared OpenAI and OpenGWAS APIs
✓ Filesystem write operations are limited to the designated output directory
✓ The .idea/ directory with credentials is not part of the main skill distribution