NoahAI drug pipeline

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it says: it sends drug-search queries to Noah's API using a required API token, with only normal credential, external-service, and dependency-provenance cautions.

Before installing, make sure you trust the Noah API service and the skill publisher, provide only an appropriate limited-scope `NOAH_API_TOKEN`, and avoid submitting sensitive or proprietary drug-research queries if you do not want them sent to the external API.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone installing the skill must provide a Noah API token, so misuse of the environment or token could affect that API account.

Why it was flagged

The script uses the required environment token as a bearer credential for the Noah API. This is expected for the skill, but it gives the skill access to that API account or quota.

Skill content

api_token = os.environ.get("NOAH_API_TOKEN", "").strip() ... "Authorization": f"Bearer {api_token}"

Recommendation

Use a token with the minimum needed access, keep it out of logs and shared environments, and revoke it if the skill is no longer used.

What this means

Confidential research interests, company names, targets, or indications included in a query may be visible to the external service.

Why it was flagged

Drug search terms and structured query parameters are sent to an external API endpoint. This is the core function of the skill, but users should understand that their query content leaves the local environment.

Skill content

api_url = r"https://www.noah.bio/api/skills/drug_search/" ... requests.post(api_url, headers=headers, json=payload, timeout=30, allow_redirects=False)

Recommendation

Avoid submitting proprietary or sensitive queries unless you are comfortable sharing them with the Noah API service and its privacy terms.

What this means

If the dependency is missing, the user may need to install a Python package, which introduces ordinary package-source trust considerations.

Why it was flagged

The skill has no install spec but depends on the external `requests` package if it is not already installed. The artifact only suggests manual installation; it does not automatically download or run code.

Skill content

except ImportError:
    print("[ERROR] Missing dependency: requests\nInstall it with: pip install requests", file=sys.stderr)

Recommendation

Install dependencies from trusted package indexes in a controlled environment, and verify the publisher/source because the registry listing has limited provenance information.