Skill v1.0.0
ClawScan security
Clarity Clinical · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 8:32 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with its stated purpose of querying ClinVar/gnomAD via Clarity Protocol; it only needs optional CLARITY_API_KEY and internet access and does not request unrelated credentials or system access.
- Guidance: This skill appears to do what it claims: call clarityprotocol.io to retrieve ClinVar/gnomAD-derived annotations. Before installing, confirm you are comfortable with the agent making outbound requests to https://clarityprotocol.io. If you plan to use an API key, store CLARITY_API_KEY securely; the key is only sent as an X-API-Key header to the Clarity Protocol domain. Ensure your environment has Python and the requests package available. If you will query sensitive patient data or PHI, be mindful that any variant identifiers you submit will go to the third-party API — avoid sending protected health information unless your usage complies with your policies and local regulations.
Review Dimensions
- Purpose & Capability (ok): Name/description (clinical variant queries) align with the included client and query scripts. The API_BASE, endpoints, and declared rate limits match the stated functionality; no unrelated services or credentials are requested.
- Instruction Scope (ok): SKILL.md and scripts only direct the agent to call the Clarity Protocol API and format results. The instructions do not read unrelated system files, environment variables beyond optional CLARITY_API_KEY, or send data to unexpected endpoints.
- Install Mechanism (note): There is no install spec (instruction-only + included scripts), which minimizes installer risk. The scripts import the Python requests library but the skill does not declare dependencies — user environment must have Python and requests available. This is an operational note rather than a security incoherence.
- Credentials (ok): Only an optional CLARITY_API_KEY is referenced (used to raise rate limits). No other secrets, keys, or unrelated environment variables are required or accessed.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request persistent system modifications, and does not attempt to modify other skills or global agent settings. It performs outbound API calls only when invoked.
