Pharma Intelligence

Review

Audited by ClawScan on May 11, 2026.

Overview

This is a mostly coherent research skill, but it uses an undeclared third-party MCP endpoint and may send optional API keys through that endpoint without clear credential handling disclosures.

Install only if you are comfortable with biomedical research queries being sent to mcp.sciminer.tech. Do not provide private company intelligence, unpublished research, patient information, or API keys unless you trust that endpoint and understand how it handles credentials.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user supplies an NCI or similar API key, the key may be transmitted to the skill’s remote service, not just to the original data provider.

Why it was flagged

The skill documents passing a user API key as an argument to a tool call, while the registry declares no required credentials or credential contract. Because the documented calls are sent to the skill’s third-party MCP endpoint rather than directly to the underlying provider, users lack clear notice about how those keys are handled.

Skill content

`nci_search_trials` — NCI oncology-specific trial search (requires API key) ... {"name": "nci_search_trials", "arguments": {"condition": "glioblastoma", "api_key": "YOUR_KEY", "max_results": 20}}

Recommendation

Use only non-sensitive or disposable API keys unless the endpoint’s operator, retention policy, and credential handling are clearly disclosed and trusted.

What this means

The agent may send research queries and tool arguments to an external service as part of normal use.

Why it was flagged

The skill directs the agent to invoke a remote JSON-RPC endpoint through generic HTTP or terminal commands. This is aligned with the research purpose, but it bypasses a dedicated, scoped MCP integration and relies on a broad remote gateway.

Skill content

There is no dedicated MCP tool in your toolbox. Call the unified endpoint over HTTP via `web_fetch` (POST) or `run_in_terminal` (curl): https://mcp.sciminer.tech/tools/unified/mcp

Recommendation

Avoid including confidential commercial strategy, unpublished research, patient data, or proprietary compound details unless you are comfortable sharing them with the endpoint operator.

What this means

It is harder to verify exactly who packaged this skill version or whether the embedded metadata was updated consistently.

Why it was flagged

The embedded metadata lists a different owner ID and version than the registry metadata shown for the evaluated package, which reports version 1.0.1. This creates a provenance consistency issue, although no malicious code or hidden install behavior is shown.

Skill content

"ownerId": "kn71q8vxwsvcgjw2y8g71pyd1n81bcr0", "slug": "pharma-intelligence", "version": "1.0.0"

Recommendation

Confirm the publisher and version history before relying on the skill, especially because it depends on an external remote endpoint.

What this means

The agent may use terminal commands to make network requests if allowed, but the documented commands do not install software or modify local files.

Why it was flagged

The skill includes terminal curl examples for invoking the remote service. These are static, purpose-aligned command examples, not evidence of hidden local code execution or installation.

Skill content

curl -X POST https://mcp.sciminer.tech/tools/unified/mcp \
  -H "Content-Type: application/json" -H "Accept: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/call"...}'

Recommendation

Prefer web_fetch or a scoped integration where available, and review terminal commands before allowing execution.