Protein Struct Viz
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a straightforward PyMOL script generator, but users should inspect generated .pml files and save them only to safe locations before running them.
Use this skill if you are comfortable running a local Python helper and PyMOL. Save generated scripts in a safe project folder, use trusted PDB/residue inputs, and review the .pml file before executing it in PyMOL.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated file can change the PyMOL session and download/load structures when the user runs it.
The main output is executable PyMOL command text. This is expected for the skill's purpose, but running the generated file will execute PyMOL commands such as loading or fetching structures.
The skill generates `.pml` script files that can be executed directly in PyMOL
Inspect the generated .pml file before running it, especially if any inputs came from an untrusted source.
Malformed or untrusted inputs could produce an unexpected PyMOL script, and an unsafe output path could overwrite a local file.
User-controlled residue selections are interpolated into PyMOL command lines, and the output path is written as provided. This is purpose-aligned for a script generator, but it is not visibly constrained or validated.
lines.append(f"select {sel_name}, {selection}")
...
output_path = Path(self.output)
output_path.write_text(script_content)
Use normal residue formats, keep output paths inside the project/workspace, and avoid passing untrusted strings directly into the generator.
The skill may not work unless Python and PyMOL are already installed, and the registry will not enforce that automatically.
The documentation states runtime prerequisites, while the registry/install metadata declares no required binaries or install spec. This is an operational metadata gap, not hidden installation behavior.
- PyMOL (installed separately)
- Python 3.7+
- No Python package dependencies
Verify Python and PyMOL are installed from trusted sources before using the generated scripts.
