Back to skill
Skillv1.0.0
ClawScan security
αExtractor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 18, 2026, 4:06 PM
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requirements, instructions, and included code are consistent with an optical chemical-structure-recognition integration that uses SciMiner and only asks for a SciMiner API key — but the package has no public homepage or clear publisher, so verify the service before use.
- Guidance
- This skill appears internally consistent for extracting chemical structures via SciMiner and only needs your SCIMINER_API_KEY. Before installing: verify you trust sciminer.tech (there is no homepage or clear publisher information provided), because using the skill will upload images and send your API key to that service. Be cautious about uploading proprietary or sensitive images; confirm the service's privacy and retention policies and whether share_url links are public. Only provide an API key scoped to the minimal permissions needed, rotate keys if possible, and consider testing with non-sensitive images first. If you need stronger assurance, ask the publisher for a public homepage or repository and for more information about data handling.
Review Dimensions
- Purpose & Capability
- okThe name/description (OCSR via SciMiner) matches the required environment variable (SCIMINER_API_KEY) and the included registry code lists a single provider and tool for extracting molecules from images. No unrelated credentials or binaries are requested.
- Instruction Scope
- noteSKILL.md instructs the agent to upload image files to SciMiner, call internal tool endpoints under https://sciminer.tech/console/api, poll for results, and include the returned share_url in user summaries. These steps are consistent with the stated purpose; note that attaching share_url will direct users to an external site and that the doc enforces using SciMiner only (no fallback).
- Install Mechanism
- okThere is no install spec (instruction-only deployment) and the included Python files are small registry helpers only. No external downloads or archive extraction occur.
- Credentials
- okOnly one environment variable (SCIMINER_API_KEY) is required and is used as the API token (X-Auth-Token). This is proportional and declared as the primary credential.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings.