Skill v1.0.0

ClawScan security

erobeng-master · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 7, 2026, 2:56 AM)
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (querying and analysing DepMap data); it requests no credentials, installs nothing, and its instructions operate on DepMap APIs and downloadable data as expected.
Guidance
This skill appears to do exactly what it says — query and analyse DepMap data — and does not ask for credentials. Before using it: (1) ensure you trust network access to depmap.org and are willing to download potentially large datasets to disk; (2) review and correct any placeholder URLs and the small code issues (missing helper modules like depmap_utils and a non-existent false_discovery_control function) before running code; (3) make sure your environment has the usual Python packages (requests, pandas, numpy, scipy) or install the official depmap package if preferred. If you need to restrict network or disk usage, run analyses in a controlled environment (sandbox or VM).

Review Dimensions

Purpose & Capability
ok: Name/description (DepMap querying and dependency analysis) matches the instructions: API examples, data download guidance, and local CSV analysis. No unrelated credentials or binaries are requested.
Instruction Scope
note: Instructions direct network calls to depmap.org and to download large DepMap/figshare files and write them to disk (expected for bulk analyses). The guidance also references helper modules (e.g., depmap_utils) and local files (CRISPRGeneEffect.csv, sample_info.csv) that are not bundled — callers must provide these. Minor issues: a placeholder figshare URL ('...') and a non-standard function name ('false_discovery_control') appear in reference code (likely bugs, not malicious).
Install Mechanism
ok: No install spec or third-party downloads are embedded in the skill bundle — instruction-only skills carry minimal install risk. The skill expects standard Python libraries (requests, pandas, numpy, scipy) which are normal for this domain.
Credentials
ok: The skill declares no required environment variables or credentials. There is no request for unrelated secrets or config paths; network access to depmap.org is necessary and proportionate to purpose.
Persistence & Privilege
ok: always:false and no special persistence or system-wide modifications are requested. The skill does instruct writing downloaded datasets to disk (local file I/O) which is appropriate for offline analysis.