Clarity Clinical

PassAudited by ClawScan on May 1, 2026.

Overview

The skill does what it says—queries a disclosed clinical-variant API—with only minor things to notice around the optional API key and limited provenance metadata.

This appears reasonable for a clinical-variant lookup skill. Before installing, note that queries go to clarityprotocol.io, and only set CLARITY_API_KEY if you are comfortable sharing that key with the service.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI03: Identity and Privilege Abuse

What this means

If you set CLARITY_API_KEY, the Clarity Protocol service receives that key along with your clinical variant queries.

Why it was flagged

The script reads an optional API key from the environment and sends it as a header to the Clarity Protocol API. This is disclosed and purpose-aligned, but users should recognize it as credential use.

Skill content

api_key = os.environ.get("CLARITY_API_KEY")
if api_key:
    headers["X-API-Key"] = api_key

Recommendation

Use a dedicated, revocable API key and avoid including unnecessary personal health identifiers in queries.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users have less registry-provided context about who published the package or where to verify it.

Why it was flagged

The registry-level provenance information is limited, even though the skill itself names Clarity Protocol and includes readable source files.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included source before use and prefer installing from a trusted publisher or verified homepage when available.