Skill v0.1.0

ClawScan security

Patsnap Lifescience Company Profiling · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 2:07 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions and requirements are generally consistent with its stated purpose of producing pharmaceutical company profiles, but it assumes access to an external Lifesciences 'MCP' data service without declaring credentials or dependencies — verify that the platform supplies that integration and appropriate access controls before installing.
Guidance
This skill appears coherent for pharma company profiling, but before installing confirm: (1) whether your agent platform provides the referenced 'lifesciences MCP' tool and what authentication it requires (the SKILL.md assumes this service but the skill declares no credentials), (2) whether fetching full result sets (it asks to fetch all IDs when ≤100) is allowed under your data governance and privacy rules, and (3) that the MCP endpoint is trusted and access-controlled. If you need to limit data volume or avoid using proprietary backends, ask the publisher to document the exact tool integrations and credential requirements or to provide a version that gracefully falls back to public sources.

Review Dimensions

Purpose & Capability
ok: The name/description (pharma company profiling) matches the SKILL.md content: it prescribes searches, fetches, patent/pipeline/deal analysis and formatted reporting. There are no unrelated required binaries, env vars, or installation steps that conflict with the claimed purpose.
Instruction Scope
note: Instructions are tightly scoped to data retrieval and analysis (Search→Fetch, vector fallback, pipeline/patent/deal analysis) and enforce a specific output format. A notable instruction requires always calling the detail/fetch tool for search results (e.g., fetch all IDs when search returns ≤100 results), which could cause substantial data retrieval in some queries — this is consistent with profiling but may have privacy/volume implications.
Install Mechanism
ok: No install spec or code files are present (instruction-only), so nothing is written to disk or fetched during installation. This is the lowest-risk install profile.
Credentials
note: The SKILL.md explicitly prefers using a 'lifesciences MCP' service and enforces strict tool parameter usage, but the skill declares no required environment variables or credentials. If MCP is a proprietary service that requires auth or environment configuration, the lack of declared credentials is an inconsistency the integrator should confirm. Otherwise, the skill makes no disproportionate credential requests.
Persistence & Privilege
ok: The skill does not request always: true, does not write config or ask to modify other skills, and is user-invocable only. It does allow normal autonomous invocation (platform default), which is expected for skills.