Skill v0.1.0
ClawScan security
Intern PubChem Name Conversion · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 8:29 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: Instructions, requirements, and external calls align with a PubChem-based name/SMILES/formula conversion tool; nothing disproportionate or unexpected is requested.
- Guidance: This skill is coherent for converting and validating molecular representations via PubChem. Before enabling it, consider: (1) using it will send whatever molecule strings are provided to PubChem (do not submit proprietary or confidential compounds if data-sharing is a concern); (2) ensure curl and python3 are available in the runtime environment; and (3) the skill returns PubChem values verbatim, so downstream code should validate/normalize results if needed.
Review Dimensions
- Purpose & Capability (ok): The skill name and description match the runtime instructions: it queries PubChem PUG-REST to convert/validate IUPAC, SMILES, and molecular formula. Required binaries (curl, python3) are reasonable for making HTTP requests and URL-encoding.
- Instruction Scope (note): All instructions stay within the stated purpose and reference only PubChem endpoints. The skill will send user-provided molecule strings to pubchem.ncbi.nlm.nih.gov (expected for this task); it does not instruct reading local files, other environment variables, or unrelated system state. Note: user inputs are transmitted to an external API (PubChem).
- Install Mechanism (ok): No install spec and no code files; this is an instruction-only skill. This is low-risk: nothing is written to disk or downloaded by the skill.
- Credentials (ok): The skill requests no credentials, no config paths, and only requires curl and python3. There are no extraneous or unrelated environment variables or secrets requested.
- Persistence & Privilege (ok): always is false and the skill does not request persistent/privileged presence or modify other skills. Normal autonomous invocation is allowed by platform defaults but is not a special privilege here.
