Skill v0.1.0

ClawScan security

Pharmgx Reporter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 25, 2026, 7:53 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with a local pharmacogenomics report generator and do not ask for unrelated credentials or install external components.
Guidance
This skill appears to be a coherent, local pharmacogenomics report generator. Before installing or running it: (1) remember genetic data is highly sensitive — run the script locally on a machine you control and avoid uploading raw data to unknown services; (2) review the full pharmgx_reporter.py yourself (or run it in a sandbox) to confirm it behaves as expected; (3) do not treat the output as clinical advice — the SKILL.md disclaimer is appropriate and you should consult a healthcare professional for any medication decisions; (4) note the package metadata/source is not authoritative in the registry listing — if provenance matters, verify the upstream repository referenced in SKILL.md (MIT license) and the author identity before use.

Review Dimensions

Purpose & Capability
ok: The name and description (generate a pharmacogenomic report from 23andMe/AncestryDNA data) match the included SKILL.md and the bundled Python script which implements SNP parsing, phenotype rules, and report generation. No unrelated cloud credentials or unrelated binaries are requested. Note: registry metadata at the top listed no homepage/source, while SKILL.md contains a GitHub homepage URL — a minor metadata mismatch but not a functional inconsistency.
Instruction Scope
ok: SKILL.md instructs running the included Python script on a local input file and producing a markdown report. The instructions do not ask the agent to read other system files, environment variables, or to send data externally. The Python file (visible imports) uses only standard libraries (argparse, hashlib, os, re, sys, datetime, pathlib) consistent with local parsing and report writing.
Install Mechanism
ok: There is no install spec (instruction-only skill) and no external downloads or package installs declared. The bundle includes the script itself, so nothing is fetched from third-party URLs during install.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. This is proportional for a local file-parsing/reporting tool.
Persistence & Privilege
ok: The skill does not request always:true and is user-invocable only; it does not ask to modify other skills or system-wide settings. Autonomous invocation is permitted by default but not combined with other red flags.