Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Protein Docking Configurator

v1.0.0

Prepare input files for molecular docking software, automatically determine Grid Box center and size. Supports AutoDock Vina, AutoDock4, and other mainstream...

by AIpoch (@aipoch-ai)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md usage examples, and the included scripts/main.py all align: the code parses PDB files, computes centers/bounding boxes, and writes AutoDock Vina/AutoDock4 config files. No unrelated credentials, binaries, or network access are requested.
Instruction Scope
SKILL.md instructs the agent to read user-provided PDB/ligand files and write configuration outputs—this is expected. However, the code opens arbitrary file paths provided by the user (no explicit sanitization of path traversal like '../'), and the SKILL.md lists a security checklist but does not guarantee the implementation enforces those checks. That means a malicious or accidental path could cause the script to read unexpected files if run with broad permissions.
Install Mechanism
This is an instruction-only skill with a bundled Python script (no install spec), so nothing is automatically downloaded or installed. There is an inconsistency in SKILL.md: the Dependencies section lists 'numpy' while the Prerequisites section states 'No additional Python packages required'. The provided code excerpts do not show a clear numpy usage; confirm whether numpy is actually needed.
Credentials
The skill does not request environment variables, credentials, or access to unrelated services. Its filesystem usage (reading receptor/ligand files, writing config files) is proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It writes output files to the workspace, which is normal for a CLI/module tool.
What to consider before installing
This skill mostly does what it says, but take these precautions before installing or running it:

- Dependency check: Confirm whether numpy is actually required. The SKILL.md inconsistently lists numpy but also says no extra packages are needed. Install only the packages the code truly uses.
- Path-safety: The script reads files by path without explicit sanitization. Run it in a restricted/sandboxed workspace and avoid giving it paths to sensitive system files. Prefer running it inside a container or VM with limited filesystem access.
- Inspect full code: The file excerpt appears benign, but review the remainder of scripts/main.py (the provided file was truncated) for any network calls, subprocess.exec usage, or writing outside expected output paths before trusting it on sensitive inputs.
- Test with non-sensitive example files first to verify behavior and outputs.
- Consider adding or enforcing input validation (reject '../' traversal), and run the script under a user account with minimal privileges.

If you want, I can scan the complete scripts/main.py for network/subprocess calls and any other risky patterns, or produce a short checklist/command set to run it safely in a sandbox.
