Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Vaccine Design Orchestrator
v1.0.0Use this skill when the user wants to evaluate a new nanoparticle vaccine candidate, redesign a computational screening workflow, define gate criteria, or pr...
⭐ 0· 111·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
SKILL.md describes a complex computational vaccine-design pipeline (sequence design, AlphaFold/ESMFold, Boltz-1/AF3, GROMACS MD, CpHMD, TI/FEP, etc.). The skill metadata declares no required binaries, no install, and no environment/credentials. For a skill that expects to run or orchestrate heavy ML/MD tools, omitting required tools, runtimes, or compute access is an inconsistency: either the agent is expected to actually run these tools (in which case required binaries / compute credentials should be declared) or the skill only produces plans/SOPs (which should be stated explicitly).
Instruction Scope
The SKILL.md stays on-topic (design, prediction, MD, gating, outputs). It does not instruct reading unrelated system files or exfiltrating data. However instructions are broad and sometimes assume the agent will execute intensive simulations (e.g., 'GROMACS 100 ns') without clarifying whether the agent should run them itself, dispatch jobs to a user/HPC, or only produce job scripts and SOPs. That ambiguity grants wide discretion to the agent and should be clarified.
Install Mechanism
Instruction-only skill with no install spec and no code files. Lowest technical install risk. There are no downloaded artifacts or install scripts to analyze.
Credentials
The workflow implies need for GPUs, MD engines, possibly HPC credentials, license keys, or cloud accounts for heavy compute, but the skill declares no required environment variables, credentials, or config paths. This mismatch is disproportionate: either declare the compute/auth requirements or limit the skill to generating non-executing artifacts (SOPs, scripts).
Persistence & Privilege
Skill is user-invocable, not always: true, and does not request to modify other skills or system settings. Autonomous invocation is allowed by default but not combined with other privilege escalation indicators.
What to consider before installing
Before installing or enabling this skill, consider the following:
- Clarify execution model: ask the skill author whether the agent will (A) only produce SOPs/job scripts and recommendations, or (B) actually execute AlphaFold/ESMFold/GROMACS/CpHMD/FEP jobs. If (B), do not enable until required binaries, cluster/cloud credentials, and access policies are explicitly declared.
- Verify tool availability and credentials: running the described pipeline typically requires installed ML/structure tools, GROMACS, GPU/HPC access, and possibly licensed software. Ensure you control any credentials and that the skill metadata lists them.
- Data and safety: the skill deals with computational vaccine design (potentially dual-use). Confirm how simulation data and sequence designs are stored, who can access them, and whether the skill will transmit outputs externally.
- Limit agent autonomy until clarified: because instructions are open-ended about execution, restrict autonomous invocation if you cannot verify compute targets and logging/audit controls.
- Ask the author for improved metadata: require explicit 'required binaries' and 'required env vars' (e.g., paths to tools, cluster scheduler credentials), and a clear statement whether the skill executes commands or only prepares scripts.
If the author can provide those clarifications and align metadata with the SKILL.md's real execution model, the coherence concerns should be resolved.Like a lobster shell, security has layers — review code before you run it.
latestvk979jsr4srcpdhgymwgta9bafn8366a9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.