Bio Ontology Mapper
Review
Audited by ClawScan on May 1, 2026.
Overview
The skill appears aligned with biomedical ontology mapping, but users should notice that it can run local scripts, read/write files, and optionally send medical terms to external NLM APIs.
This looks like a purpose-aligned ontology mapping skill rather than a malicious one. Before installing or using it, decide whether your text may contain PHI, use de-identified or local-only processing when needed, and keep file paths and outputs scoped to the dataset you intend to normalize.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could process or overwrite the wrong local files while running mapping tasks.
The skill asks for file and shell-related tools. That fits batch biomedical text normalization, but it gives the agent authority to read/write local files and run commands when users invoke the workflow.
allowed-tools: [Read, Write, Bash, Edit]
Run it only on intended input files, use explicit output paths, and review generated CSV or JSON outputs before relying on them.
A configured UMLS API key may be used for lookup requests to the UMLS service.
The code can use a local UMLS API key if present. This is expected for UMLS integration, and the artifacts do not show hardcoded credentials or credential logging.
self.api_key = api_key or os.getenv("UMLS_API_KEY")
Use a dedicated UMLS key if possible, avoid sharing outputs that include request details, and remove or unset the key when not needed.
Clinical terms or excerpts could leave the local environment; if they contain PHI or sensitive study data, this may create privacy or compliance obligations.
When API mode and a UMLS key are available, user-provided biomedical terms are sent to an external NLM UMLS endpoint as query parameters. The MeSH client similarly uses an external NLM endpoint for descriptor lookup.
BASE_URL = "https://uts-ws.nlm.nih.gov/rest" ... "string": term, "apiKey": self.api_key
De-identify clinical text before use, disable API lookup or use local-only mode for PHI, and confirm that external API use is allowed by your organization.
