v1.0.0

BioFlow

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:27 AM.

Analysis

BioFlow is a coherent instruction-only API quickstart, but users should take care because it involves account login, bearer tokens, dataset upload/download, and task submission.

Guidance

Before installing or using this skill, verify the correct BioFlow API host, use only intended account credentials and datasets, and confirm before any upload or task submission that could expose data or consume account credits.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
agents/openai.yaml
Use this skill to explain and execute BioFlow API flow: signup/login, dataset upload/download, balance check, task submission, job polling, and result retrieval.

The skill may guide an agent through remote API actions that upload data and submit jobs. This matches the stated purpose, but the user should approve real uploads or task runs.

User impact: If used to execute the examples, the agent could create or use a BioFlow account, upload datasets, and start analysis jobs.
Recommendation: Only provide datasets, workspace IDs, and job parameters you intend to use, and confirm before running API calls that may consume credits or change account state.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
references/api-call-flow.md
Response: save `access_token` + `refresh_token`.

The API flow requires BioFlow authentication tokens. This is purpose-aligned for a protected API, but tokens are sensitive account credentials.

User impact: Anyone with the access or refresh token may be able to act as the BioFlow user within the token's permissions.
Recommendation: Use tokens only for the intended BioFlow host, avoid sharing them in public chats or logs, and revoke or rotate them if exposed.