NoahAI clinical-trial query
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: clinical-trail
Version: 1.0.8
The skill provides a legitimate interface for searching clinical trial data via the NoahAI API. It uses a Python script (scripts/search.py) to send structured JSON queries to a hardcoded HTTPS endpoint (noah.bio) using an environment-provided API token. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill requires trusting the Noah API service with a valid API token.
The skill requires a Noah API token and sends it as a bearer token for API authentication. This is expected for the stated integration, and the code does not show token logging or unrelated use.
api_token = os.environ.get("NOAH_API_TOKEN", "").strip()
...
"Authorization": f"Bearer {api_token}"
Use a scoped, revocable token if available, and remove or rotate it if you no longer use the skill.
Clinical-trial search terms may be transmitted to Noah's service and may also appear in local logs or agent output streams.
The script sends the structured clinical-trial query to an external Noah API endpoint and prints the query payload to stderr. This is purpose-aligned, but clinical search terms can reveal user interests or health-related context.
api_url = r"https://www.noah.bio/api/skills/clinical_trial_search/"
...
print(f"[INFO] Query payload:\n{json.dumps(payload, indent=2)}", file=sys.stderr)
...
requests.post(api_url, headers=headers, json=payload, timeout=30, allow_redirects=False)
Avoid including unnecessary personal health details in queries, and review Noah's privacy and retention terms before using sensitive searches.
The skill may not run until an additional Python package is installed, and that package installation is outside the declared install flow.
The script depends on the Python requests package and suggests a manual pip install if it is missing, while the provided install information only declares python3. This is a normal dependency pattern but is not captured in an install spec.
try:
    import requests
except ImportError:
    print("[ERROR] Missing dependency: requests\nInstall it with: pip install requests", file=sys.stderr)
Install dependencies from trusted package sources and consider pinning requests in a local environment if you need reproducible setup.
