Molecular Docking

Pass

Audited by VirusTotal on May 7, 2026.

Overview

Type: OpenClaw Skill
Name: molecular-docking
Version: 1.0.2

The molecular-docking skill provides a structured interface for bioinformatics workflows using the SciMiner API. It implements security-conscious practices by instructing the agent to store API keys in a dedicated config file (~/.config/sciminer/credentials.json) and explicitly forbidding the agent from printing or logging these credentials. The code in scripts/sciminer_registry.py and the instructions in SKILL.md are well-documented, lack obfuscation, and align strictly with the stated purpose of protein-ligand docking without any indicators of data exfiltration or unauthorized execution.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may read the SciMiner API key from the configured local file and use it to submit docking jobs to the user's SciMiner account.

Why it was flagged

The skill uses a local SciMiner API key to authenticate requests. This is expected for the SciMiner integration, but it is still credential use that users should recognize before installation.

Skill content

Get a free SciMiner API key ... Store the required credential ... ~/.config/sciminer/credentials.json ... auth_header = {"X-Auth-Token": API_KEY}

Recommendation

Only install if you intend to use SciMiner. Keep the credential file private, use the recommended file permissions, and rotate the key if it is exposed.

What this means

Protein, ligand, or reference-ligand files selected for docking may leave the local machine and be processed by SciMiner.

Why it was flagged

The invocation pattern uploads local molecular input files to a third-party SciMiner endpoint. This is central to the docking workflow, but retention/privacy boundaries are not described in the artifact.

Skill content

BASE_URL = "https://sciminer.tech/console/api" ... requests.post(f"{BASE_URL}/v1/internal/tools/file", files={"file": fh}, headers=auth_header, timeout=60)

Recommendation

Do not upload confidential or regulated molecular data unless you trust SciMiner's terms, privacy practices, and data-handling policies.

What this means

Future agent sessions may automatically know where to find the SciMiner credential file for SciMiner calls.

Why it was flagged

The skill suggests persisting an instruction that tells future agents where to read the SciMiner API key. It says not to store the credential value, but persistent agent instructions can affect later tasks.

Skill content

For persistent agent behavior across tasks, add an instruction to the relevant agent memory or project instruction file such as CLAUDE.md, AGENTS.md...

Recommendation

Only add persistent memory or project instructions with user approval, and store only the credential path, not the API key itself.