Clarity Annotate

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it says—submit and list Clarity Protocol protein-variant annotations—but it uses a Clarity API key and can create remote records, so submissions should be reviewed first.

Install this only if you intend to let the agent list or submit Clarity Protocol annotations. Before any write, verify the fold ID, content, confidence, type, and agent ID, and only provide CLARITY_WRITE_API_KEY in an environment where you trust the agent to make those submissions.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with incorrect content, confidence, type, or fold ID, the agent could submit an unwanted or inaccurate annotation to Clarity Protocol.

Why it was flagged

The skill can create annotation records on a remote service. This is the stated purpose and is parameterized by user-supplied fields, but it is still a mutating external API action.

Skill content
    result = api_post(f"/variants/{args.fold_id}/annotations", {
        "agent_id": args.agent_id,
        "annotation_type": args.type,
        "confidence": args.confidence,
        "content": args.content,
    })

Recommendation

Review the variant, annotation content, type, confidence level, and agent ID before allowing a submission.

What this means

Anyone or any agent able to use that environment variable through this skill could submit annotations under the authority of the configured Clarity key.

Why it was flagged

The client reads a local Clarity write API key and sends it to clarityprotocol.io for authenticated write operations. This is expected for the integration and the code does not show logging or unrelated use of the key.

Skill content
    api_key = os.environ.get("CLARITY_WRITE_API_KEY")
    ...
    headers["X-API-Key"] = api_key

Recommendation

Use a scoped Clarity key if available, expose it only in trusted sessions, and revoke or rotate it if it may have been misused.