Pharmaclaw Chemistry Query

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed chemistry toolkit with public database lookups and optional verified Java helper use, and I found no evidence of hidden data theft or destructive behavior.

Install only if you are comfortable running a local Python/RDKit chemistry toolkit that can contact public chemistry/literature services, create local output files, and optionally download and run a checksum-verified OPSIN Java tool. Avoid using proprietary compound names, unpublished structures, or sensitive research terms with external lookup features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        warnings.append(proc.stderr.strip())

        # Draw
        proc = subprocess.run(
            [sys.executable, os.path.join(script_dir, 'rdkit_mol.py'),
             '--smiles', canonical_smiles, '--action', 'draw', '--output', png_path],
            cwd=script_dir, capture_output=True, text=True, timeout=30)
Confidence
83% confidence
Finding
proc = subprocess.run( [sys.executable, os.path.join(script_dir, 'rdkit_mol.py'), '--smiles', canonical_smiles, '--action', 'draw', '--output', png_path],

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The script expands the skill beyond its declared PubChem/RDKit-focused scope by performing ChEMBL bioactivity and mechanism queries. That mismatch is dangerous because users, reviewers, and policy controls may rely on the manifest to understand and constrain external data sources; undeclared capabilities reduce transparency and can bypass governance, allow unexpected data flows, or enable higher-risk chemistry assistance than intended.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script downloads and persists an executable JAR at runtime from an external source, which expands the skill's capabilities beyond its declared scope and introduces a supply-chain/bootstrap trust boundary. Although the SHA-256 pin substantially reduces tampering risk, this still creates operational and security exposure through network dependency, implicit code fetching, and execution of newly downloaded code on the host.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The code invokes Java to execute a local JAR, adding an undeclared runtime and execution capability outside the manifest's stated PubChem/RDKit scope. In isolation this is not obviously malicious, but it increases attack surface because the skill can run external code and relies on the safety of both the Java runtime and the fetched OPSIN artifact.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
This script performs PubMed literature search and retrieval, which is outside the declared PubChem/RDKit-focused scope of the skill. Scope drift increases security and governance risk because users and reviewers may not expect biomedical literature access, and unadvertised capabilities can expand data exposure, compliance obligations, and misuse potential.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger list is extremely broad (e.g., chemistry, compounds, molecules, reactions, synthesis), which increases the chance of accidental invocation on loosely related prompts. In this context that is more dangerous because the skill can perform networked lookup, synthesis/retrosynthesis assistance, and file-generating operations, so over-triggering can expose users to unintended capabilities or route queries into a dual-use chemistry workflow.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
When a non-SMILES target is provided, the code forwards that user-supplied compound name to query_pubchem.py, which by design performs a PubChem lookup over the network. There is no user-facing disclosure, consent gate, or indication in output that input may be transmitted externally, creating a privacy/data-handling issue if sensitive research targets or proprietary compound names are supplied.

VirusTotal

66/66 vendors flagged this skill as clean.