Skill v0.1.0

ClawScan security

Variant Pathogenicity Predictor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 13, 2026, 9:35 AM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The package claims VCF/gene-level processing and integration of multiple predictors, but the shipped code only implements a small local scoring routine for three numeric inputs — the documentation and code are inconsistent.
Guidance
This skill appears to be a draft with mismatched documentation and implementation. The code itself is simple and low-risk (no network, no credentials), but SKILL.md promises VCF parsing, gene context, and integration of additional predictors that are not implemented. Before installing or trusting results: (1) do not use this for clinical decisions — tests and validation are missing; (2) ask the author for the intended implementation or an updated release that actually parses VCFs and documents dependencies; (3) insist on input validation and path sanitization if file I/O is added; (4) inspect and test any future code that adds network calls or external data sources. Given the inconsistencies, treat this as incomplete/deceptive rather than malicious, but avoid relying on it until it is corrected and properly audited.

Review Dimensions

Purpose & Capability
concern: Name/description claim integrating REVEL, CADD, PolyPhen and 'other scores' and support for VCF/variant/gene inputs. The actual script only accepts numeric --revel, --cadd, --polyphen flags (and --demo) and returns a simple composite — it does not parse VCFs, handle gene context, or call SIFT/MutationTaster. The declared capabilities are therefore disproportionate to the delivered code.
Instruction Scope
concern: SKILL.md shows CLI usage for --variant, --vcf, --gene and output report.json and includes a security checklist expecting input validation and file I/O protections, but scripts/main.py does none of that. The runtime instructions would lead users to expect file reading/writing and VCF processing that the code doesn't perform — a scope mismatch that could confuse users and lead to improper use.
Install Mechanism
ok: No install spec and only a small Python script with standard-library usage (argparse/json). No external downloads or package installs are required, which is proportionate to the actual shipped code.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. That matches the provided script, which runs locally and does not perform network access or require secrets.
Persistence & Privilege
ok: No special persistence or elevated privileges requested (always: false, no installs). The skill does not modify system or other skill configuration.