Skill v0.1.5

ClawScan security

Gene2ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Mar 12, 2026, 3:22 PM)
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are internally consistent with a health-data API integration: it only requires a single service API key and the SKILL.md shows curl/API usage against gene2.ai endpoints and user-controlled uploads.
Guidance
This skill appears coherent for integrating a user's Gene2AI profile, but it deals with very sensitive health and genomic data. Before installing, consider:
1) Only provide the GENE2AI_API_KEY for the specific profile you intend the agent to access; use separate keys for family members.
2) Review Gene2.ai's privacy and retention policies and confirm you trust the service.
3) Expect the agent to be able to upload and retrieve medical documents and to reference profile data proactively after one confirmation within a session. If you want stricter controls, decline session-wide consent and require explicit asks.
4) If you enable daily briefings, check how the skill suggests scheduling them (cron/webhook) and where the API key will be stored; prefer ephemeral/session use or a secure secrets store and be ready to revoke the key if needed.
5) If you need higher assurance, ask the developer for the full SKILL.md (untruncated) and any privacy/security docs so you can confirm there are no unexpected endpoints or instructions.

Review Dimensions

Purpose & Capability
ok
Name/description (genomic + clinical data access) align with the declared requirement: a single GENE2AI_API_KEY. The documented API endpoints and example usage in SKILL.md match the claimed functionality (query profile, upload documents, read metrics).
Instruction Scope
note
The instructions permit uploading personal health documents, reading the bound profile, and setting up daily briefings. Those actions are expected for this purpose, but they are privacy-sensitive: the skill explicitly instructs the agent to proactively reference profile data after one-time user permission within the same session, which can lead to automatic use in future health-adjacent messages unless the user declines. Review any sections that instruct creation of scheduled jobs or persistent storage of tokens (these are expected for daily briefings).
Install Mechanism
ok
Instruction-only skill with no install spec and no code files: nothing is downloaded or written to disk by the skill bundle itself, which is the lowest install risk.
Credentials
ok
Only one environment variable (GENE2AI_API_KEY) is required, and it is logically the primary credential for the described API operations. The SKILL.md references this key only for API calls to gene2.ai, and the profile-scoped nature of keys is documented.
Persistence & Privilege
note
The skill is not always-enabled and does not request elevated platform privileges. However, it instructs the agent to remember user consent for the remainder of a session and to perform scheduled briefings (implying setup of a scheduler/cron). Users should be aware that session-level consent allows proactive use of sensitive health data without repeated prompts during that session.