wemol-cli
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the installer source, distribution channel, or unsigned binary is compromised or unexpected, it could run code on the user's machine.
The skill directs installation by executing downloaded scripts, including a PowerShell execution-policy bypass, and the artifacts disclose missing code signing. The installer contents are remote and not part of the reviewed skill artifacts.
If the command is missing, continue with the installer commands below. ... curl -LsSf https://wemol.wecomput.com/static/wemol-cli/latest/install.sh | sh ... powershell -ExecutionPolicy ByPass -c "irm https://wemol.wecomput.com/static/wemol-cli/latest/install.ps1 | iex" ... Current Windows builds are not yet distributed with a code-signing certificate.
Require explicit user approval before install or upgrade, use only a verified Wemol download source, inspect or verify checksums/signatures where possible, and avoid bypassing OS protections unless the user accepts the risk.
The agent/CLI can act as the logged-in user, access account and job information, and command-line passwords may be exposed in shell history or process listings.
The skill expects Wemol login and cached sessions. That is normal for a service CLI, but it grants the CLI continuing access to the user's Wemol account.
Non-interactive: ... wemol-cli login --username alice --password secret ... The CLI persists the current host and caches sessions per host.
Prefer interactive login, avoid putting passwords directly on the command line, use least-privilege accounts, and run logout when finished.
Sequences, molecule tables, model inputs, or other proprietary scientific files may be uploaded to Wemol during job submission.
Submitting jobs can send selected local files to the Wemol service. This is purpose-aligned, but it is an external data flow that may include sensitive research data.
When a parameter expects a file, pass a local file path in the JSON payload. The CLI uploads the file automatically and binds it to the matching file argument.
Confirm the exact files and paths before submitting jobs, avoid broad or private directories, and ensure the user is allowed to send the data to Wemol.
