Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bio-Ontology Mapper
v1.0.0
Map unstructured biomedical text to standardized ontologies (SNOMED CT.
⭐ 0 · 26 · 0 current · 0 all-time
by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and SKILL.md describe an ontology mapper (SNOMED, MeSH, ICD-10, LOINC, RxNorm, HGNC). The packaged code implements local SNOMED/MeSH matching and includes clients for the UMLS (UTS) and MeSH APIs. However, the skill metadata declares no required env vars or credentials, yet the code will use the environment variable UMLS_API_KEY if it is present. Also, the broad multi-ontology claims (LOINC, RxNorm, HGNC, ICD-10 cross-mapping) are described in SKILL.md, but the visible code primarily implements SNOMED and MeSH (UMLS could enable the other cross-maps, but that requires API access). This mismatch between advertised capabilities and the actual implementation is inconsistent and unexplained.
Instruction Scope
SKILL.md is focused and instructs the agent to run the packaged script, compile it, and validate inputs/CONFIG before execution. It does not instruct the agent to read unrelated system files. However, it omits mentioning that the script can make outbound calls to external APIs (UMLS UTS and NLM MeSH), and it does not declare the UMLS_API_KEY env var, which the script will read if available. The runtime instructions are otherwise scoped to the mapping task.
Install Mechanism
No install spec — the skill is instruction-plus-code and does not download external installers. This is the lower-risk model for installation. The code is packaged in the skill repository rather than fetched at runtime.
Credentials
Registry/metadata declare no required environment variables or primary credential, but scripts/main.py reads UMLS_API_KEY from the environment and will use it if present. The skill will make network requests to the UMLS and MeSH APIs; providing UMLS_API_KEY grants it access to the UMLS service. requirements.txt also lists 'dataclasses' and 'difflib' (both part of the standard library in Python 3.10), which is odd but harmless. The undeclared credential requirement (UMLS_API_KEY) and the network access are disproportionate to the metadata/manifest and should be made explicit before use.
Persistence & Privilege
The skill does not request persistent privileges, does not set always:true, and does not include install steps that modify system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with elevated persistence in this package.
What to consider before installing
This skill appears to implement local SNOMED/MeSH mapping and optionally calls UMLS and MeSH web APIs. Before installing or running it:
- Review scripts/main.py fully (it performs outbound HTTP requests to UMLS UTS and NLM MeSH).
- If you will provide an API key, be aware the code reads UMLS_API_KEY from the environment — the registry metadata does NOT list this, so treat providing the key as granting the skill access to that service. Use a scoped, auditable key if possible.
- Verify whether you need the remote API: you can run the mapper in offline/local mode (the code supports local reference files) if you want to avoid network calls and exposing sensitive text externally.
- Confirm whether the broader ontology features advertised (ICD-10, LOINC, RxNorm, HGNC, cross-mapping) are actually implemented for your workflow; the visible code mainly covers SNOMED and MeSH.
- Because the source/homepage are unknown, prefer running the script in a sandboxed environment and testing with non-sensitive sample data (the repository includes sample reference files) before using it on real clinical data.
Like a lobster shell, security has layers — review code before you run it.
latest: vk970qhdvxwfwy74gdc7qnwm1j98431gd
