ncbi-search

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to be a coherent NCBI search helper, with only disclosed, purpose-aligned notes about running local Python commands, using an optional NCBI API key, and installing a Python dependency.

Before installing, understand that this skill runs local Python commands and sends your search terms, and optionally your NCBI API key, to NCBI E-Utilities. The behavior is consistent with the skill’s purpose, but use a trusted Python environment and avoid putting sensitive personal health information or exposed API keys into shared logs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When invoked, the agent may run local shell commands to perform NCBI searches.

Why it was flagged

The skill grants Bash access so the agent can run the included Python search scripts; this matches the command-line design but is broader than a narrowly scoped API tool.

Skill content

allowed-tools: [Bash]

Recommendation

Install only if you are comfortable with this skill using Bash, and keep usage limited to the documented Python scripts and search commands.

What this means

Your NCBI API key may be used to authenticate requests to NCBI for higher rate limits.

Why it was flagged

The code can read an NCBI API key from a command-line argument or environment variable and use it for NCBI requests; this is purpose-aligned but should be treated as credential handling.

Skill content

    if args.api_key:
        return args.api_key
    return os.environ.get("NCBI_API_KEY")

Recommendation

Use an NCBI key only if needed, prefer environment-variable configuration over pasting keys into shared command histories, and rotate the key if it is exposed.

What this means

You may need to install an additional Python package before the scripts work.

Why it was flagged

The README instructs users to install the requests dependency even though the registry section lists no install spec; this is disclosed and common, but it is an under-declared dependency path.

Skill content

pip install requests

Recommendation

Install dependencies from a trusted package source and verify the local skill files before using the Bash commands.