Phenosnap Phenotype Extractor

Audited by ClawScan on May 10, 2026.

Overview

This skill’s clinical-text purpose is coherent, but it downloads unpinned third-party code and auto-installs Python tooling/dependencies at runtime before handling sensitive health text.

Review this skill before installing if you are uncomfortable with automatic GitHub downloads or pip installation. Run it in a dedicated virtual environment, provide only de-identified clinical text, and delete the generated local artifacts when finished.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The code that processes the user’s clinical text could change over time or be affected by upstream compromise before the user sees it.

Why it was flagged

The skill fetches third-party code from a mutable GitHub repository/branch at runtime, with no pinned commit, release version, or hash verification shown.

Skill content

`git clone https://github.com/WGLab/PhenoSnap.git "{baseDir}/PhenoSnap"` ... `https://github.com/WGLab/PhenoSnap/archive/refs/heads/main.zip`

Recommendation

Pin PhenoSnap to a reviewed release or commit, verify checksums, and disclose the exact version being installed before running it.

What this means

Running the skill may install or execute code on the user’s machine and could modify the Python environment, especially outside a virtual environment.

Why it was flagged

The skill is instruction-only but directs runtime bootstrapping and package/tool installation. This is related to the purpose, but it is high-impact local execution without clear isolation or approval steps.

Skill content

- Automatically bootstraps PhenoSnap (git clone or zip fallback)
- Auto-installs Python dependencies if missing
- Handles pip installation if pip is not present

Recommendation

Ask for explicit user approval before downloads or installs, require a virtual environment, and avoid installing pip/dependencies globally.

What this means

Sensitive health-related information may remain on disk after the task, even if obvious identifiers are redacted.

Why it was flagged

The skill intentionally persists redacted clinical input and extracted phenotype/medication output to local files.

Skill content

Input text file (redacted): `{baseDir}/artifacts/phenosnap_inputs/input_<YYYYMMDD_HHMMSS>.txt` ... Output JSON file ... `{baseDir}/artifacts/phenosnap_outputs/phenotypes_<YYYYMMDD_HHMMSS>.json`

Recommendation

Use only with text you are comfortable storing locally, review outputs before sharing them, and delete generated artifacts when no longer needed.