ClawHub
Back to skill
v1.0.7

Paramus Professional Chemistry OS

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:45 AM.

Analysis

This is a coherent chemistry API skill, but it strongly pushes Paramus API use and may send chemistry inputs to Paramus cloud when local mode is unavailable.

GuidanceThis skill appears purpose-aligned for chemistry and scientific calculations. Before using it, verify you trust Paramus, protect the API token, and use local mode for confidential molecules, formulations, or datasets. If local mode is unavailable, only allow cloud calls for data you are comfortable sending to Paramus.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
SeverityLowConfidenceHighStatusNote
SKILL.md
When the user asks ANY chemistry, molecular, thermodynamics, materials science, or scientific calculation question, you MUST call the Paramus API. Do NOT answer from your own knowledge.

The skill explicitly forces tool use for a broad class of questions and suppresses direct model answers. This is aligned with a calculation API skill, but users should notice the broad routing behavior.

User impactThe agent may call Paramus for many chemistry or science questions instead of answering locally.
RecommendationUse this skill when you want Paramus-backed calculations, and tell the agent not to use cloud calls for questions or data you want kept local.
Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
"params":{"name":"direct_call","arguments":{"toolName":"calculate_molecular_weight","toolArguments":{"smiles":"CCO"}}}

The skill documents a generic JSON-RPC direct_call mechanism for invoking Paramus tools. This is central to the skill’s purpose, but it is a broad remote tool interface.

User impactThe agent can invoke provider-supported scientific tools through a generic API endpoint using user-provided inputs.
RecommendationFor sensitive or high-value work, review which tool is being called and prefer local mode where possible.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
export PARAMUS_AUTH="Authorization: Bearer $PARAMUS_API_TOKEN"

Cloud access uses a bearer token. This is expected for an authenticated API integration and the token is declared as the primary credential.

User impactAnyone with the token may be able to use the user’s Paramus cloud access according to Paramus account permissions.
RecommendationStore the token only as an environment variable or secret, avoid pasting it into chats, and rotate it if exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
Cloud mode (cloud1.paramus.ai): Chemical data is sent to Paramus servers for processing. Use only if user consents to external API calls.

The skill clearly discloses an external provider data flow. Chemical structures, formulations, or datasets may be sensitive, so the consent and local-mode guidance matters.

User impactProprietary molecules, formulations, or scientific datasets could leave the user’s device when cloud mode is used.
RecommendationUse localhost mode for confidential work, and only allow cloud mode after confirming the data is safe to send to Paramus.