GO/KEGG Enrichment
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated GO/KEGG enrichment purpose, but its script contains unsafe dynamic code execution (an eval() call on result values), and its online API behaviour should be reviewed before use.
Review or patch scripts/main.py before running it, in particular the eval() call. If your gene list is sensitive (unpublished or clinical data), avoid the online enrichment modes unless you are comfortable sending that list to the external provider. Prefer a controlled environment with pinned dependency versions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Unsafe eval() on ratio values in scripts/main.py
Impact: A crafted analysis result or upstream data value could cause the script to run attacker-supplied Python on the user's machine.
Detail: The script hands any string value containing '/' to eval() instead of parsing it as a numeric ratio. eval() executes whatever Python expression it is given, so untrusted or malformed result data that reaches this code path is a code-execution risk, not just a parsing error.
Evidence: lambda x: eval(x) if '/' in str(x) else float(x)
Recommendation: Replace eval() with explicit parsing: split on '/', validate that both parts are numbers, check for a zero denominator, and divide. Reject any other value rather than falling back to float() on an arbitrary string.
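The replacement recommended above, written out as an added example (not code from the audited skill or from ClawScan). It reproduces the flagged lambda unchanged beside a parser that accepts only decimal numbers and 'num/den' pairs, and uses a harmless sentinel to show that the original executes a crafted value while the replacement rejects it without running anything. Apart from the lambda body, all names (unsafe_ratio, parse_ratio, parse_ratio_column, rejects, sentinel) are assumptions, and the sample column is constructed.

```python
"""Safe ratio parsing to replace the eval() call flagged in Finding 1.

Added example, not code from the audited skill or from ClawScan. Only the
lambda body is taken from the report; every other name is an assumption.
"""
import math
import re

# The flagged pattern from scripts/main.py, reproduced so the two behaviours
# can be compared. eval() runs any Python expression it is handed, so a value
# that merely contains '/' is executed rather than parsed. Do not use.
unsafe_ratio = lambda x: eval(x) if '/' in str(x) else float(x)

# Sentinel that records whether eval() reached arbitrary code. A real payload
# in a tampered result table could import os and run a command instead.
executed = []

def sentinel():
    executed.append("ran")
    return 1

def demo_eval_executes_code():
    """Return True if a constructed 'ratio' string ran code via unsafe_ratio."""
    executed.clear()
    crafted = "sentinel()/1"   # constructed malicious value; looks like a ratio
    unsafe_ratio(crafted)
    return len(executed) == 1

# Hardened replacement. Accepts non-negative decimal numbers ('0.05', '3',
# '1e-3') and 'num/den' pairs ('12/200'); rejects everything else, including
# strings float() would silently accept such as 'nan', 'inf' or '1_000'.
_NUMBER = r"[0-9]+(?:\.[0-9]*)?(?:[eE][-+]?[0-9]+)?"
_PLAIN = re.compile(rf"^\s*({_NUMBER})\s*$")
_RATIO = re.compile(rf"^\s*({_NUMBER})\s*/\s*({_NUMBER})\s*$")

def parse_ratio(value):
    """Parse a ratio-like result value (e.g. an overlap of '12/200') to a float.

    Never evaluates the input. Raises ValueError for non-numeric strings,
    unsupported types, negative or non-finite numbers, and a zero denominator.
    """
    if isinstance(value, bool):            # bool is an int subclass; not a ratio
        raise ValueError(f"unsupported value: {value!r}")
    if isinstance(value, (int, float)):
        if not math.isfinite(value) or value < 0:
            raise ValueError(f"invalid numeric value: {value!r}")
        return float(value)
    if not isinstance(value, str):
        raise ValueError(f"unsupported type: {type(value).__name__}")

    m = _RATIO.match(value)
    if m:
        num, den = float(m.group(1)), float(m.group(2))
        if den == 0:
            raise ValueError(f"zero denominator in {value!r}")
        return num / den

    m = _PLAIN.match(value)
    if m:
        return float(m.group(1))
    raise ValueError(f"not a numeric ratio: {value!r}")

def parse_ratio_column(values):
    """Convert a whole result column (a list, or a pandas Series) to floats.

    Fails on the first bad value instead of silently coercing: a malformed or
    tampered table should stop the run, not produce a plausible-looking plot.
    """
    return [parse_ratio(v) for v in values]

def rejects(value):
    """Return True if parse_ratio refuses the value with ValueError."""
    try:
        parse_ratio(value)
    except ValueError:
        return True
    return False

def demo_parse_rejects_code():
    """The same crafted value is rejected, and sentinel() never runs."""
    executed.clear()
    return rejects("sentinel()/1") and executed == []

if __name__ == "__main__":
    # Constructed sample column in the shape of an enrichment 'Overlap' field.
    sample = ["12/200", "3/20", "0.05", 7]
    print(parse_ratio_column(sample))
    print("eval executed code:", demo_eval_executes_code())
    print("safe parser rejected it:", demo_parse_rejects_code())
```

In the skill this would replace the lambda inside the column conversion (typically a pandas apply); the anchored regular expressions are what make the difference, since an unanchored check or a bare float() fallback would still let unexpected strings through.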
2. Gene lists may leave the local machine in online mode
Impact: Gene lists from unpublished research or clinical contexts leave the local machine when the online APIs are used.
Detail: The tool supports an online enrichment mode that calls the Enrichr API instead of running gseapy locally; using that API means submitting the user-provided gene list to the external provider.
Evidence: help="Use Enrichr API instead of local gseapy (faster, no download needed)"
Recommendation: Use the local mode for sensitive gene lists, or obtain explicit confirmation from the user before calling the Enrichr or KEGG online services, stating what will be sent and to whom.
3. Conflicting documentation about network access
Impact: Users may misunderstand whether their gene data is processed locally or shared with external enrichment services.
Detail: The documentation contradicts itself: the requirements section lists KEGG REST API access, while the risk table states that the skill makes no external API calls.
Evidence: This skill requires: ... KEGG REST API access ... | Network Access | No external API calls |
Recommendation: State exactly which modes contact KEGG, Enrichr, or any other external service, and what data is sent in each case, so that the risk table and the requirements section agree.
4. Unpinned dependency versions
Impact: The skill's behaviour may change depending on which dependency versions are installed at a later date.
Detail: Dependencies are declared with lower bounds only, so a future install may resolve to newer, and potentially different, package versions than the ones the skill was written and tested against.
Evidence: pandas>=1.3.0 numpy>=1.20.0 gseapy>=1.0.0 matplotlib>=3.5.0
Recommendation: Pin exact dependency versions or provide a lockfile so installs are reproducible, especially since the default mode runs this code locally.
