PharmaClaw Pharmacology Agent
Security checks across malware telemetry and agentic risk
Overview
The skill appears to perform the advertised pharmacology profiling, but users should notice that one script can send molecule SMILES to an external ADMETlab service and the package has limited provenance metadata.
This skill looks appropriate for SMILES-based pharmacology profiling. Before installing or using it on confidential molecules, decide whether external ADMETlab API submission is acceptable; otherwise prefer the local RDKit-based workflow and use a trusted Python environment for dependencies.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A confidential drug-candidate structure could be shared with a third-party service during ADME/Tox prediction.
When this helper is used, the submitted SMILES string is sent to an external ADMETlab endpoint. This is disclosed and purpose-aligned, but candidate molecule structures can be sensitive.
ADMETLAB_URL = "https://admetlab3.scbdd.com/service/evaluation" ... resp = requests.post(f"{ADMETLAB_URL}/alogps", json=payload, timeout=TIMEOUT
Use the local RDKit-only entry point when confidentiality matters, or confirm the external service terms before allowing API-based prediction.
It may be harder to verify the publisher/source and ensure the runtime dependencies are installed from trusted locations.
The package does not provide a source homepage or install specification. This is not evidence of malicious behavior, but it gives users less provenance and setup information to verify.
Source: unknown; Homepage: none ... Install specifications: No install spec — this is an instruction-only skill.
Review the bundled scripts and install required Python packages such as RDKit and requests only from trusted package sources or a controlled environment.
