Skill v1.0.1

ClawScan security

Synthesis Evaluation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 18, 2026, 3:18 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill’s declared purpose (using SciMiner to run SynFormer-ED, a retrosynthesis planner, and SAScore) matches its instructions and code: it only requires a single SciMiner API key and calls SciMiner endpoints as described.
Guidance
This skill appears internally consistent, but exercise standard caution before installing:
1) Confirm you trust the SciMiner service (https://sciminer.tech) and its privacy/data-retention policies, since you will be sending molecule data and SMILES strings.
2) Treat SCIMINER_API_KEY as a secret: provide a scoped API key if possible and avoid reusing high-privilege keys.
3) Note the SKILL.md uses endpoints under /v1/internal; verify these endpoints are intended for external use and that the returned share_url does not unintentionally publish proprietary data.
4) Because the skill’s source/homepage is unknown, consider running it in a controlled environment first and review network traffic if you have sensitive data to protect.

Review Dimensions

Purpose & Capability
ok
Name/description match the functionality implemented in scripts/sciminer_registry.py and SKILL.md. The skill only requests SCIMINER_API_KEY, which is exactly the credential needed to call SciMiner's API; required tools and parameters in the registry align with the described SynFormer-ED, Retrosynthesis Planner, and SAScore tools.
Instruction Scope
ok
SKILL.md instructs the agent to call SciMiner internal endpoints, upload files via the described file endpoint, poll for results, and attach the returned share_url. It does not instruct the agent to read unrelated files, access other environment variables, or exfiltrate data to unexpected endpoints. The guidance to stop if the API key is missing is explicit.
Install Mechanism
ok
There is no install spec (instruction-only behavior), and the included Python registry code is small and local. Nothing in the manifest attempts to download or install external binaries or archives.
Credentials
ok
Only a single API credential (SCIMINER_API_KEY) is required and used as described (sent in X-Auth-Token header). No unrelated secrets or config paths are requested.
Persistence & Privilege
ok
always is false and the skill does not request elevated or persistent system privileges. It does not modify other skills or system configuration.