ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ScienceClaw: Local File Investigation

v1.0.2

Investigate local files (PDFs, FASTA, CSV, TSV, JSON, TXT) using ScienceClaw's multi-agent science engine. Accepts files shared in chat or paths on disk, ext...

1· 154·0 current·0 all-time
byFiona Wang@fwang108
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description claim local file investigation via ScienceClaw; SKILL.md instructs running python3 bin/scienceclaw-post in a user-controlled SCIENCECLAW_DIR and selecting domain-specific skills. Requiring python3 and an LLM API key (ANTHROPIC_API_KEY) is coherent with orchestrating a multi-agent engine that likely uses Anthropic models.
Instruction Scope
Instructions explicitly tell the agent to read user-supplied files and workspace memory.md, activate a project's .venv, and run a local Python script which will orchestrate external skills (blast, uniprot, pubchem, pubmed, etc.). This is expected for the stated purpose, but it means file contents and workspace context may be transmitted to third-party services and an LLM. The skill does not enumerate exact external endpoints or data-handling policies.
Install Mechanism
Instruction-only skill with no install spec (no downloads or archives). Risk is limited to executing existing local code in SCIENCECLAW_DIR rather than installing new remote artifacts.
Credentials
Only ANTHROPIC_API_KEY is declared as the primary credential, which is plausible for an LLM-driven engine. The SKILL.md also relies on SCIENCECLAW_DIR and a .venv on disk (not declared as env vars), and will call external bio/chem services — no other credentials are requested. Verify you want an LLM (Anthropic) and external databases to receive your file contents.
Persistence & Privilege
always:false and no instructions to modify global agent configuration. The skill runs on demand and does not request permanent platform presence or elevated privileges.
Assessment
This skill is internally consistent with its description, but it runs a local Python program (bin/scienceclaw-post) from a directory you must already have on disk and will likely send file contents and workspace context to an LLM (Anthropic) and external science services (BLAST, UniProt, PubChem, PubMed, PDB, etc.). Before installing/using: 1) Inspect the SCIENCECLAW_DIR and the bin/scienceclaw-post script (and the .venv) so you understand what code will run locally. 2) Confirm you are comfortable with the file types being uploaded/shared with external services and an LLM — do not use this on sensitive data or regulated biological sequences without review. 3) If you lack the local ScienceClaw install, the instructions will fail rather than silently download code — prefer to run it in a sandboxed environment first. 4) Consider removing or rotating ANTHROPIC_API_KEY if you only want local, offline analysis. If you want a higher-assurance recommendation, provide the contents of bin/scienceclaw-post (or the project's README) so its network calls and data handling can be inspected.

Like a lobster shell, security has layers — review code before you run it.

biologyvk97c2g5pqvfjctg65btwkzcann834w47chemistryvk97c2g5pqvfjctg65btwkzcann834w47latestvk97c2g5pqvfjctg65btwkzcann834w47multi-agentvk97c2g5pqvfjctg65btwkzcann834w47pubmedvk97c2g5pqvfjctg65btwkzcann834w47researchvk97c2g5pqvfjctg65btwkzcann834w47sciencevk97c2g5pqvfjctg65btwkzcann834w47scienceclawvk97c2g5pqvfjctg65btwkzcann834w47

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📂 Clawdis
Binspython3
Primary envANTHROPIC_API_KEY

Comments