Variant Annotation

Pass
Audited by ClawScan on May 1, 2026.

Overview

This appears to be a purpose-aligned variant annotation tool, with the main cautions being external NCBI lookups for potentially sensitive genetic data and optional use of an NCBI API key.

Use this skill only if you are comfortable sending variant identifiers or coordinates to NCBI for lookup. Do not include identifiable patient information unless you have permission, protect any optional NCBI API key, and treat clinical interpretations as research support that should be verified by qualified genetics or medical professionals.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Variant data entered by the user may be sent to NCBI servers for lookup.

Why it was flagged

User-provided variant queries are embedded into NCBI API requests. This is purpose-aligned, but variant identifiers, genomic coordinates, or VCF-derived data can be sensitive health/genetic information. Note that quote() only URL-encodes the query so it does not break the request syntax; it does not hide it. The full query reaches NCBI in the request URL and will appear in any local logs, proxies, or error messages that record request URLs.

Skill content
encoded_query = quote(query)
...
f"https://eutils.ncbi.nlm.nih.gov/entrez/eutils/esearch.fcgi?"
...
f"db=clinvar&term={encoded_query}&retmode=json&retmax=10"
Recommendation

Use only when external database queries are acceptable; avoid submitting identifiable patient data unless permitted and disclose this external lookup behavior to users.

What this means

If provided, an NCBI API key will be sent with NCBI requests for rate-limit handling.

Why it was flagged

The script can use an optional NCBI API key, even though registry metadata declares no primary credential. Using the key to raise NCBI's rate limit is expected, and the artifacts show no storage of the key or any unrelated use. The key is appended to the request URL as a query parameter, so it travels with the URL into anything that logs or echoes request URLs, including exception text that reports the failing URL.

Skill content
def __init__(self, api_key: Optional[str] = None, delay: float = 0.34):
...
if self.api_key:
    url = f"{url}&api_key={self.api_key}"
Recommendation

Use a dedicated, revocable NCBI key if needed, supply it through an environment variable rather than a prompt or a file checked into a shared location, and avoid placing credentials in shared prompts, files, or logs. Because the key is carried in the URL, make sure request URLs are redacted before they are logged or included in error output.

What this means

A rate-limited request could take longer or repeat more than the user expects.

Why it was flagged

HTTP 429 responses are retried by a recursive call after a fixed one-second sleep, with no artifact-visible maximum retry count and no use of any Retry-After header. A persistently rate-limited query therefore keeps retrying indefinitely, and because each retry deepens the call stack rather than looping, a long outage ends in a RecursionError instead of a clear rate-limit error reported to the user.

Skill content
except urllib.error.HTTPError as e:
    if e.code == 429:
        time.sleep(1)
        return self._ncbi_request(url)
Recommendation

Replace the recursion with a loop that caps the number of retries (a handful is enough for NCBI's per-second limit), back off exponentially with jitter and honor a Retry-After header when one is present, and raise a clear error to the user once the retry budget is exhausted instead of retrying silently.
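The following is an added example written for this review, not code from the audited skill, showing one way to meet the recommendations of the second and third findings together: a request helper with a bounded retry loop, exponential backoff with jitter that never undercuts a Retry-After hint, and redaction of the api_key parameter before a URL is placed in any error message. It keeps the skill's URL shape and its 0.34 second delay as the backoff base; the function names, the NCBI_API_KEY environment variable mentioned in a comment, the "hypothetical-key" placeholder, and the fake server that stands in for urlopen are all assumptions made for the example. The fake server and its ClinVar response body are constructed so the block runs offline.

```python
import email.message
import random
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple


class NCBIRateLimitError(RuntimeError):
    """Raised when the 429 retry budget is exhausted; the message never carries the key."""


def build_esearch_url(query: str, retmax: int = 10) -> str:
    # Same URL shape the audit quotes; quote() escapes the query, it does not hide it.
    return ("https://eutils.ncbi.nlm.nih.gov/entrez/eutils/esearch.fcgi?"
            f"db=clinvar&term={urllib.parse.quote(query)}&retmode=json&retmax={retmax}")


def redact_url(url: str) -> str:
    """Mask the api_key query value so a URL is safe to log or put in an exception."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k == "api_key" else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(masked)))


def ncbi_request(
    url: str,
    api_key: Optional[str] = None,
    *,
    max_retries: int = 5,
    base_delay: float = 0.34,  # the skill's own inter-request delay, reused as the backoff base
    max_delay: float = 30.0,
    opener: Callable[[str], bytes] = lambda u: urllib.request.urlopen(u, timeout=30).read(),
    sleep: Callable[[float], None] = time.sleep,
    jitter: Callable[[], float] = random.random,
) -> bytes:
    """Fetch url, retrying HTTP 429 at most max_retries times; opener/sleep/jitter are injectable."""
    if api_key:
        url = f"{url}&api_key={urllib.parse.quote(api_key, safe='')}"
    for attempt in range(max_retries + 1):
        try:
            return opener(url)
        except urllib.error.HTTPError as err:
            if err.code != 429:
                # Other statuses are not retried; the URL enters the message only after redaction.
                raise RuntimeError(f"HTTP {err.code} from {redact_url(url)}") from None
            if attempt == max_retries:
                raise NCBIRateLimitError(
                    f"NCBI rate limit: gave up after {attempt + 1} attempts on {redact_url(url)}"
                ) from None
            # Exponential backoff with jitter, capped, and never shorter than a Retry-After hint.
            delay = min(max_delay, base_delay * (2 ** attempt) * (1 + jitter()))
            hint = err.headers.get("Retry-After") if err.headers is not None else None
            if hint is not None and hint.isdigit():  # delta-seconds form only; HTTP-date form ignored
                delay = max(delay, float(hint))
            sleep(delay)
    raise AssertionError("unreachable: max_retries must be >= 0")


def make_fake_opener(failures: int, code: int = 429, retry_after: Optional[str] = None
                     ) -> Tuple[Callable[[str], bytes], List[str]]:
    """Constructed stand-in for urlopen: fails `failures` times with `code`, then returns a
    made-up ClinVar esearch body. Records every URL it was called with."""
    seen: List[str] = []

    def opener(url: str) -> bytes:
        seen.append(url)
        if len(seen) <= failures:
            hdrs = email.message.Message()
            if retry_after is not None:
                hdrs["Retry-After"] = retry_after
            raise urllib.error.HTTPError(url, code, "simulated error", hdrs, None)
        return b'{"esearchresult": {"count": "1", "idlist": ["12345"]}}'

    return opener, seen


def demo(failures: int, max_retries: int = 3, retry_after: Optional[str] = None):
    """One request against the fake server. Returns (outcome, requests_made, sleeps, urls_seen)."""
    key = "hypothetical-key"  # placeholder; a real run would read NCBI_API_KEY from the environment
    opener, seen = make_fake_opener(failures, retry_after=retry_after)
    sleeps: List[float] = []
    url = build_esearch_url("BRCA1[gene] AND pathogenic[clinsig]")
    try:
        body = ncbi_request(url, key, max_retries=max_retries, opener=opener,
                            sleep=sleeps.append, jitter=lambda: 0.0)
        outcome = "ok" if b"idlist" in body else "bad-body"
    except NCBIRateLimitError as exc:
        outcome = "leaked-key" if key in str(exc) else "rate-limited"
    return outcome, len(seen), sleeps, seen


if __name__ == "__main__":
    print(demo(failures=2)[:3])                   # ('ok', 3, [0.34, 0.68])
    print(demo(failures=10, max_retries=3)[:3])   # ('rate-limited', 4, [0.34, 0.68, 1.36])
    print(demo(failures=1, retry_after="5")[:3])  # ('ok', 2, [5.0])
```

The injectable opener, sleep and jitter are what make the retry logic testable without touching NCBI; in production the defaults use urlopen, time.sleep and random.random. Jitter is set to zero in demo() only so the delays are predictable. With the defaults the worst case is max_retries sleeps of at most max_delay each, which is bounded and visible to the caller, unlike the original unbounded recursion.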