Skill v0.2.0
ClawScan security
Equity Scorer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 28, 2026, 6:06 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and dependencies are coherent with its stated purpose (computing HEIM diversity metrics from VCF/ancestry data); it does not request credentials or perform obvious exfiltration, though there are minor packaging/metadata inconsistencies to check before installing.
- Guidance: This skill appears to implement what it claims: local reading of VCF/CSV inputs, computation of population genetics metrics, plotting, and writing a report. Before installing:
  1) Confirm what the registry's 'uv' installer does in your environment (ensure packages come from trusted PyPI/conda sources).
  2) Prefer installing/running in a sandbox or virtual environment to avoid contaminating system Python.
  3) The registry metadata had 'Source: unknown' / no homepage, while SKILL.md references a GitHub URL — if provenance matters, inspect the upstream repository to ensure the code matches and no extra files/scripts are added.
  4) Tests reference example data under an examples/ path which is not present in the manifest; if you plan to run tests end-to-end, obtain the demo input files from the author/repo.
  If these checks look good, the skill is coherent and does not request secrets or network access.
Review Dimensions
- Purpose & Capability
- ok: The name/description (HEIM diversity/equity scoring) match what the code and SKILL.md implement: VCF/CSV parsing, heterozygosity, pairwise FST, PCA, plotting, and a composite HEIM score. Requested binaries (python3) and Python libraries (numpy, pandas, scikit-learn, matplotlib, biopython) are appropriate for these tasks.
- Instruction Scope
- ok: SKILL.md describes only dataset parsing, metric computation, plotting, and writing a markdown report and reproducibility artifacts. The included code snippet operates on local input files and computes statistics; there are no instructions to read unrelated system files, access external endpoints, or collect secrets.
- Install Mechanism
- note: Install spec uses 'uv' package entries for standard Python packages (biopython, pandas, scikit-learn, matplotlib, numpy). Installing common Python packages is expected, but 'uv' as the install kind is unusual (not the common pip/conda labels) — verify what 'uv' maps to in your agent environment and that packages will come from a trusted registry. No arbitrary URL downloads or archive extraction are declared.
- Credentials
- ok: The skill requires no environment variables, no credentials, and no config paths. That is proportionate to the described functionality (local analysis of genomic/metadata files).
- Persistence & Privilege
- ok: 'always' is false and there is no request to modify other skills or system-wide settings. The skill does not request persistent elevated presence or permissions.
