Skill v0.2.0
ClawScan security
PharmGx Reporter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 28, 2026, 6:06 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and inputs align with its stated purpose (local pharmacogenomics report generation); it does not request credentials or perform obvious external network or install actions.
- Guidance: This package appears internally consistent and runs locally on a genotype text file to produce a research/educational PGx report. Before using: (1) do not treat output as clinical advice; follow the included disclaimer; (2) inspect pharmgx_reporter.py for any network calls or logging you don't want (the provided snippets show none, but review the whole file); (3) run the included tests in an isolated environment to confirm behavior; (4) avoid uploading real patient-identifiable data to untrusted systems; operate on de-identified files or in a secure local environment; (5) if you plan to use it in a clinical context, consult qualified clinical genetics/pharmacology resources and validate against authoritative CPIC guidelines.
Review Dimensions
- Purpose & Capability (note): Name/description (PharmGx Reporter) match the included Python implementation and tests: the script parses 23andMe/Ancestry files, calls star alleles and phenotypes, and generates a markdown report. Minor metadata inconsistency: registry header lists no homepage/source while SKILL.md metadata references a ClawBio GitHub homepage; this is a bookkeeping mismatch but does not affect functionality.
- Instruction Scope (ok): SKILL.md and usage instruct running the local Python script with an input genotype file and output path. The instructions and included tests operate only on local files (demo_patient.txt) and the code's visible portions implement SNP/gene rule logic; there are no instructions to read unrelated system files, environment secrets, or to exfiltrate data.
- Install Mechanism (note): No install spec is provided (instruction-only), which is low-risk. The skill nonetheless includes Python source and tests, which is expected for an instruction-driven script. There are no remote download URLs or package installs in the provided manifest.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. The code and SKILL.md do not reference external API keys or tokens in the visible content.
- Persistence & Privilege (ok): Flags show always:false and default model invocation settings. The skill does not request persistent or elevated platform privileges and does not modify other skills or system-wide config in the provided files.
