Skill v0.1.0
ClawScan security
3d Molecule Ray Tracer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 9:47 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it says — generate PyMOL/ChimeraX rendering scripts — and its requirements (no secrets, no installers, no persistent privileges) match that purpose; review generated scripts before executing them in PyMOL/ChimeraX and run in a sandboxed environment.
- Guidance: This skill appears coherent with its stated purpose, but take these precautions before use: (1) inspect the generated .pml/.cxc scripts before running them — they will be executed by PyMOL/ChimeraX and can contain arbitrary commands; (2) if you provide a 4-letter PDB ID the generated script will call PyMOL's fetch (network access) — be aware of network activity; (3) run rendering commands in a sandbox or on a non-sensitive workstation if you are unsure; (4) ensure PyMOL/ChimeraX and Python dependencies are installed from trusted sources; (5) if you need higher assurance, share the full scripts/main.py for a line-by-line review (the provided file was truncated in the listing).
Review Dimensions
- Purpose & Capability (ok): Name and description (generate rendering scripts for PyMOL/ChimeraX) align with the included Python script and SKILL.md. There are no surprising required env vars, binaries, or unrelated dependencies declared.
- Instruction Scope (note): SKILL.md and the Python code generate PyMOL/ChimeraX scripts and accept either local PDB file paths or 4-character PDB IDs. The generated PyMOL script uses the PyMOL 'fetch' command for PDB IDs (which triggers network access when the script is run). Instructions do not request unrelated files, credentials, or broad system data, but you should inspect generated scripts before executing them because they will run inside PyMOL/ChimeraX and can execute arbitrary commands in those applications.
- Install Mechanism (ok): No install specification — this is instruction/script-only plus a local Python file. That is the lowest-risk pattern for an extension of this type.
- Credentials (ok): The skill requests no environment variables or credentials. The only external interaction is optional PDB fetching via PyMOL/ChimeraX (expected for the purpose).
- Persistence & Privilege (ok): always is false; the skill does not request persistent platform privileges or modify other skills. It runs locally and generates scripts that the user may execute with PyMOL/ChimeraX.
