Pharmaclaw Ip Expansion Agent

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is coherent for pharma IP analysis, with disclosed external API use and local report/database logging that users should handle carefully for confidential molecule data.

This skill appears safe to review as a purpose-built pharma IP analysis helper, but use it in an isolated environment and avoid sending confidential molecule, target, or portfolio data to public APIs unless approved. Review generated local files such as ip_portfolio.db, ip_report.md, ip_viz.png, and logs/ip_expansion.log because they may contain sensitive IP strategy information.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

Therapeutic areas, keywords, or molecule-related terms may be sent to public third-party services during analysis.

Why it was flagged

The analysis workflow calls external USPTO and PubChem APIs using user-provided therapeutic/keyword inputs. This is disclosed and aligned with FTO/patent analysis, but it is still an external data flow.

Skill content

resp = requests.post(url, json=q).json() ... pc_resp = requests.get(pubchem_url).json()

Recommendation

Use only data that your organization permits sending to USPTO/PubChem, or modify the workflow to use approved internal patent/chemistry sources for confidential projects.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing unpinned dependencies can produce different behavior over time or introduce supply-chain risk if packages are compromised.

Why it was flagged

The skill relies on Python packages that are documented only in SKILL.md and are not pinned or represented in an install spec. This is typical for an instruction-driven analysis skill, but users should verify package sources and versions.

Skill content

Deps: `pip install rdkit-pypi requests pandas sqlite3 spacy scispacy`

Recommendation

Install dependencies in an isolated environment, pin known-good versions, and review any external model download before use.

ASI06: Memory and Context Poisoning
Low
What this means

Confidential patent strategy, molecules, or analysis results may remain on disk after a run.

Why it was flagged

The skill intentionally keeps local portfolio and log artifacts. This is purpose-aligned for portfolio tracking, but those files may persist sensitive IP analysis outputs.

Skill content

DB: SQLite `ip_portfolio.db` ... Logging: To `logs/ip_expansion.log`.

Recommendation

Run the skill in a controlled project directory, protect the generated database/log/report files, and delete or archive them according to your data-retention policy.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Data from other agents may be incorporated into legal/IP analysis and reports, so inaccurate or unintended upstream data could affect conclusions.

Why it was flagged

The skill is designed to receive molecule and reaction data from other agents. This is coherent with its purpose, but the artifacts do not define additional validation or trust boundaries for chained agent inputs.

Skill content

Input from Synthesis/chemistry-query: `{"smiles": [...], "reactions": [...]}` → Auto infringement check.

Recommendation

Chain it only with trusted agents and review the exact JSON inputs before relying on generated IP or FTO recommendations.

ASI10: Rogue Agents
Info
What this means

If a user separately enables scheduled checks, the skill could run repeatedly and create/update local outputs without a fresh manual launch each time.

Why it was flagged

The documentation mentions scheduled autonomous portfolio monitoring, but the provided artifacts do not install a cron job or other persistence automatically.

Skill content

Autonomous: Cron portfolio checks.

Recommendation

Enable any cron or scheduled run only deliberately, with a clear schedule, output location, and review process.