Skill v1.0.0

ClawScan security

Variant Annotation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 28, 2026, 8:01 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches its stated purpose (querying ClinVar/dbSNP and producing ACMG-based annotations) but the README claims additional data sources and prediction tools (gnomAD, SIFT/PolyPhen/CADD, etc.) that are not clearly implemented in the shipped code — review before trusting outputs or uploading sensitive genomic data.
Guidance
This skill appears to genuinely query ClinVar and dbSNP and compute ACMG-style scores, but the documentation advertises additional data sources (gnomAD, ExAC, 1000 Genomes) and functional predictors (SIFT, PolyPhen, CADD) that the code does not clearly fetch or compute. Before installing or relying on it:
- Do not treat outputs as clinical-grade without independent validation; this is not a substitute for professional genetic interpretation.
- Review scripts/main.py fully (the repo content appears truncated in places) to confirm which external APIs are actually called and how allele frequencies/predictions are derived.
- If you need gnomAD or CADD results, verify that those APIs or local database files are integrated — otherwise the tool may produce incomplete annotations.
- Keep sensitive genomic data private: batch/VCF uploads contain health information. Confirm the tool only sends queries to NCBI endpoints and that you are comfortable with that network traffic.
- If you plan to provide an NCBI API key, supply it via a secure mechanism (not hard-coded).
- Consider running the script on test cases from references/example-variants.md to confirm expected outputs and to detect any missing evidence sources or mismatches between documentation and behavior.

Review Dimensions

Purpose & Capability
note: Name/description and the code align on querying ClinVar and dbSNP via NCBI E-utilities and computing ACMG scores. However, SKILL.md promises population allele frequencies from gnomAD/ExAC/1000G and functional predictions (SIFT, PolyPhen, CADD). The provided code shows only NCBI E-utilities calls (ClinVar and dbSNP) and does not include integrations or downloads for gnomAD, ExAC, 1000 Genomes, or functional prediction APIs, so those claimed capabilities appear unimplemented or incomplete.
Instruction Scope
note: SKILL.md instructs local usage (importing the Python class or running the script) and mentions batch/VCF input. The runtime instructions and code only call NCBI endpoints; they do not instruct reading unrelated system files or external endpoints beyond NCBI. That scope is appropriate, but the doc's broad list of data sources and computed outputs is larger than what the code implements — the agent could therefore report values that are estimated or absent unless additional data-fetching is added.
Install Mechanism
ok: This is instruction-only / script-based with no install spec and a minimal requirements.txt (dataclasses). No external installers, downloads, or unusual repository fetches are present — low install risk.
Credentials
ok: No required environment variables or credentials are declared. The VariantAnnotator constructor accepts an optional NCBI API key (appropriate and optional for higher rate limits). No unrelated secrets or system config paths are requested.
Persistence & Privilege
ok: The skill does not request 'always: true' and does not modify other skills or system-wide agent settings. It runs as a standalone script/class and does not demand persistent elevated privileges.