wemol-cli
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: wemol-cli Version: 1.0.0 The wemol-cli skill bundle is a comprehensive and well-documented set of instructions for an AI agent to operate the Wemol drug-discovery platform. It includes detailed workflows for installation, authentication, and job management, with specific 'Hard Rules' and 'Detection Triggers' (SKILL.md) to ensure the agent uses the CLI reliably and avoids common errors. While it utilizes high-risk patterns like shell-based installers (install.sh from wemol.wecomput.com) and credential handling, these are strictly aligned with the tool's stated purpose and lack any evidence of malicious intent or deceptive prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the installer source, distribution channel, or unsigned binary is compromised or unexpected, it could run code on the user's machine.
The skill directs installation by executing downloaded scripts, including a PowerShell execution-policy bypass, and the artifacts disclose missing code signing. The installer contents are remote and not part of the reviewed skill artifacts.
If the command is missing, continue with the installer commands below. ... curl -LsSf https://wemol.wecomput.com/static/wemol-cli/latest/install.sh | sh ... powershell -ExecutionPolicy ByPass -c "irm https://wemol.wecomput.com/static/wemol-cli/latest/install.ps1 | iex" ... Current Windows builds are not yet distributed with a code-signing certificate.
Require explicit user approval before install or upgrade, use only a verified Wemol download source, inspect or verify checksums/signatures where possible, and avoid bypassing OS protections unless the user accepts the risk.
The agent/CLI can act as the logged-in user, access account and job information, and command-line passwords may be exposed in shell history or process listings.
The skill expects Wemol login and cached sessions. That is normal for a service CLI, but it grants the CLI continuing access to the user's Wemol account.
Non-interactive: ... wemol-cli login --username alice --password secret ... The CLI persists the current host and caches sessions per host.
Prefer interactive login, avoid putting passwords directly on the command line, use least-privilege accounts, and run logout when finished.
Sequences, molecule tables, model inputs, or other proprietary scientific files may be uploaded to Wemol during job submission.
Submitting jobs can send selected local files to the Wemol service. This is purpose-aligned, but it is an external data flow that may include sensitive research data.
When a parameter expects a file, pass a local file path in the JSON payload. The CLI uploads the file automatically and binds it to the matching file argument.
Confirm the exact files and paths before submitting jobs, avoid broad or private directories, and ensure the user is allowed to send the data to Wemol.