Clarity Submit

PassAudited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward Clarity Protocol submission skill, but users should notice that it sends hypothesis data to an external service and uses a Clarity write API key.

This skill looks coherent for submitting protein-variant hypotheses to Clarity Protocol. Before using it, verify that you trust Clarity Protocol with the submitted hypothesis details and any wallet address, set only the needed API key, and review each submission before it is sent.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

A hypothesis, rationale, optional disease area, and optional wallet address may be submitted to Clarity Protocol and processed by its remote workflow.

Why it was flagged

The script sends user-provided hypothesis fields to the Clarity API. This is expected for the skill, but it is an external write action.

Skill content

body = {
        "protein_name": args.protein,
        "variant_notation": args.variant,
        "rationale": args.rationale,
    }
...
    result = api_post("/hypotheses", body)

Recommendation

Confirm the exact hypothesis content before submission and avoid including confidential information in the rationale or optional fields.

Low

#ASI03: Identity and Privilege Abuse

What this means

Anyone running the submit command with this environment variable set allows the skill to make authenticated Clarity submissions under that key.

Why it was flagged

The skill reads a write API key from the environment and attaches it to Clarity API requests. This is purpose-aligned, but it is credential use.

Skill content

api_key = os.environ.get("CLARITY_WRITE_KEY")
...
        headers["X-API-Key"] = api_key

Recommendation

Use a scoped Clarity write key if available, keep it out of logs and shared shells, and revoke or rotate it if it is exposed.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Install-time metadata may understate what configuration is needed to use the skill.

Why it was flagged

The skill document discloses a required write credential, while the registry metadata lists no required env vars or primary credential. This is an incomplete metadata declaration rather than hidden behavior.

Skill content

Requires CLARITY_WRITE_KEY env var for write access.

Recommendation

Review SKILL.md as well as registry metadata before installing, and verify that the Clarity Protocol source is one you trust.