Skillv0.1.0

ClawScan security

ClawBio Orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 25, 2026, 6:05 PM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill's purpose and code are broadly coherent for a bioinformatics orchestrator, but there are mismatches between the SKILL.md's safety promises and what the shipped code enforces, plus an unclear install mechanism and unnecessary package installs.
Guidance: This orchestrator mostly does what it says, but review a few things before installing: - Source and provenance: the registry metadata points to a homepage but 'Source' is unknown; verify the GitHub repo and integrity of the package before trusting it. - Safety promises vs implementation: SKILL.md promises to refuse paths outside the working directory and to never upload genomic data without explicit consent, but the shipped orchestrator.py does not enforce those restrictions. Assume the code will read any file path you pass and will write logs/reports to the specified output directory unless you sandbox it. - Install mechanism: the install uses 'uv' to add biopython and pandas. Clarify what 'uv' means in your environment (pip/conda/wrapper?) and whether these packages are actually needed — unnecessary installs increase attack surface. - File handling: the tool computes SHA-256 checksums by reading files end-to-end, which can read large/genomic files into the runtime; be cautious about giving it sensitive patient/genomic data without explicit consent and isolation. - Sub-skill trust: the orchestrator lists and routes to many sub-skills (vcf-annotator, seq-wrangler, etc.). Those sub-skill directories and their SKILL.md/code determine the real behavior for operations like annotation or uploading — review each sub-skill before allowing automated runs. - Recommended mitigations: run inside an isolated environment or container, avoid passing sensitive files until you've audited sub-skills, and ask the maintainer to (a) implement enforced path checks and explicit upload confirmation in code, and (b) clarify the install mechanism and necessity of listed packages.

Review Dimensions

Purpose & Capability: okName/description match the delivered behavior: the Python CLI routes inputs to named sub-skills, generates a report header, and writes an audit log. Declared required binary (python3) is appropriate and requested packages (biopython, pandas) are reasonable for bio workflows.
Instruction Scope: concernSKILL.md promises strict safety behavior (e.g., "Refuse to operate on paths outside the working directory" and "Never upload genomic data without explicit user confirmation"). The provided orchestrator.py does not implement path restriction checks or any network/upload safeguards — it accepts arbitrary --input paths, computes file checksums (reads files), and will write an audit log in the specified output directory. This is a mismatch between claimed safety rules and actual enforcement.
Install Mechanism: noteInstall spec lists 'uv' installs for biopython and pandas. 'uv' is not a standard, widely-known installer identifier here (e.g., pip, conda); this is ambiguous. The orchestrator.py does not import or use biopython/pandas, so those installs may be unnecessary for this orchestrator-only component.
Credentials: okNo credentials or environment variables are requested. The skill does not ask for unrelated secrets.
Persistence & Privilege: okalways:false and no special system-wide modification. The skill writes an audit log and reports to the working/output directory (normal for this type of tool).