Molecular Docking
AdvisoryAudited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may read the SciMiner API key from the configured local file and use it to submit docking jobs to the user's SciMiner account.
The skill uses a local SciMiner API key to authenticate requests. This is expected for the SciMiner integration, but it is still credential use that users should recognize before installation.
Get a free SciMiner API key ... Store the required credential ... ~/.config/sciminer/credentials.json ... auth_header = {"X-Auth-Token": API_KEY}Only install if you intend to use SciMiner. Keep the credential file private, use the recommended file permissions, and rotate the key if it is exposed.
Protein, ligand, or reference-ligand files selected for docking may leave the local machine and be processed by SciMiner.
The invocation pattern uploads local molecular input files to a third-party SciMiner endpoint. This is central to the docking workflow, but retention/privacy boundaries are not described in the artifact.
BASE_URL = "https://sciminer.tech/console/api" ... requests.post(f"{BASE_URL}/v1/internal/tools/file", files={"file": fh}, headers=auth_header, timeout=60)Do not upload confidential or regulated molecular data unless you trust SciMiner's terms, privacy practices, and data-handling policies.
Future agent sessions may automatically know where to find the SciMiner credential file for SciMiner calls.
The skill suggests persisting an instruction that tells future agents where to read the SciMiner API key. It says not to store the credential value, but persistent agent instructions can affect later tasks.
For persistent agent behavior across tasks, add an instruction to the relevant agent memory or project instruction file such as CLAUDE.md, AGENTS.md...
Only add persistent memory or project instructions with user approval, and store only the credential path, not the API key itself.