Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Phylo Tree

v1.0.2

Generate publication-quality maximum likelihood phylogenetic trees and figures from enzyme names or FASTA sequences with advanced model selection and bootstr...


Install

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for billwanttobetop/phylo-tree.

Install the skill "Phylo Tree" (billwanttobetop/phylo-tree) from ClawHub.
Skill page: https://clawhub.ai/billwanttobetop/phylo-tree
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install phylo-tree

ClawHub CLI


npx clawhub@latest install phylo-tree
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (publication-grade phylogenetics) aligns with the supplied scripts and documentation (MAFFT, IQ-TREE, trimAl, CD-HIT). However, some files are unexpected for a purely local analysis: a script named generate_feishu_report.py (Feishu is an external messaging platform) and some scripts reference an absolute PROJECT path under /root/autodl-tmp/..., which is inconsistent with SKILL.md examples that use a user-provided --output directory.
Instruction Scope
SKILL.md correctly documents two modes: --fasta (offline) and --query (UniProt network access). But implementation artifacts raise concerns: collect.py performs UniProt REST requests (expected only in --query mode) and several scripts (e.g., scripts/align_tree.sh, scripts/collect.py) contain hard-coded absolute paths that may read/write outside the user's chosen output directory. SKILL.md claims 'local processing' and 'no data sent to third parties' when using --fasta, which is plausible, but the presence of a Feishu report generator and other omitted files suggests there may be code paths that transmit data or require credentials not documented in SKILL.md.
Install Mechanism
There is no install spec in the registry (instruction-only), which minimizes automatic installs. The included installation documentation and quick-install script instruct users to modify ~/.condarc and use conda to install many bioinformatics/R packages — this is expected for the stated purpose but is a privileged change to the user's conda configuration and performs network installs. No remote archive downloads or opaque binaries were observed in the provided files.
Credentials
The skill declares no required environment variables or credentials (good), but some shipped files (generate_feishu_report.py) imply optional external sharing/integration that could require API tokens; those are not declared in requires.env. The SKILL.md also asserts local-only behavior when using --fasta, but unreviewed scripts could still contact external services. Lack of declared env vars combined with code that may perform network requests is an inconsistency that warrants manual review.
Persistence & Privilege
The skill does not request elevated platform privileges, does not set always:true, and has no install spec that would force persistent background services. Installation instructions create or modify a conda environment and ~/.condarc (user-level changes), which is expected for this tool and not an undue privilege on its own.
Scan Findings in Context
[base64-block] unexpected: Registry pre-scan flagged a 'base64-block' pattern in the SKILL.md or files. No obvious base64 blocks appeared in the SKILL.md excerpt provided; if present in omitted files, base64 blobs often indicate embedded data or obfuscated payloads and should be examined to confirm they are benign (e.g., embedded images, templates) rather than hidden commands or secrets.
[subprocess-calls] expected: Automated scanner flagged subprocess usage; this is expected because the workflow runs external bioinformatics tools (mafft, iqtree, trimal, fasttree, R). These calls are normal for this skill but should be reviewed for unsafe shell usage or unescaped inputs. Provided shell scripts appear to call commands directly (no obvious shell-injection patterns in the displayed snippets).
[network-requests] expected: The scanner flagged network requests: collect.py explicitly uses requests to call the UniProt REST API, which matches the documented --query mode. This is expected but means running in query mode will contact external servers. The SKILL.md recommends using --fasta to stay offline.
[file-system-operations] expected: File creation/reading is expected for an analysis tool. However, some scripts contain absolute paths (e.g., /root/autodl-tmp/...), which may cause reads/writes outside the user's chosen output folder — this is unexpected and should be corrected before running.
What to consider before installing
Recommendations before installing or running:

  1. Inspect files that were not fully shown: open generate_feishu_report.py and any other files that mention external services (Feishu, Slack, webhook, API endpoints). If they send data externally, determine whether they require API tokens and where tokens are read from (env vars, config files). Disable reporting scripts if you do not want automatic sharing.
  2. Search the repository for hard-coded absolute paths and URLs: grep for '/root/autodl-tmp', 'http://', 'https://', 'feishu', 'webhook', 'requests', 'socket', and 'base64'. Replace absolute paths with relative ones or confirm they refer only to safe example directories.
  3. Prefer offline use: run with --fasta and verify no network activity (e.g., run in an environment with network blocked) to ensure scripts do not make unexpected external calls.
  4. Run in a sandboxed or non-root account: create a dedicated conda environment and non-privileged user, inspect and run scripts there first to limit impact on your system and avoid modifications to your main ~/.condarc unless you accept the change.
  5. Review run_v2.py and any runner scripts for uses of os.environ, open(...), subprocess with shell=True, or any code that reads credentials or transmits files. Ensure no secrets are exfiltrated.
  6. If you plan to use the installation script, read it line-by-line: the provided install script edits ~/.condarc and installs many packages from conda channels — this is expected but be sure you trust the channels and are comfortable with these changes.
  7. If you want the community to help verify safety, provide the contents of generate_feishu_report.py, run_v2.py, and any other omitted files; confirmation that no base64-encoded blobs are obfuscated payloads would raise confidence.
Why I marked this 'suspicious' (short): most of the behavior is consistent with a phylogenetics tool, but the unexplained Feishu integration, the presence of absolute project paths, and a pre-scan base64 signal are inconsistencies that require manual inspection before trusting or running the skill.
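The review the report asks for in items 2 and 5 (grep the checkout for hard-coded absolute paths, URLs, external-service names, base64 blobs, subprocess calls with shell=True and credential reads) can be scripted. The block below is an added example; it is not ClawHub's scanner and not part of the skill. The pattern list is a constructed starting point (only /root/autodl-tmp comes from the report), and the sample skill tree it audits, including the file contents, is constructed to mimic the reported findings.

```python
"""Pre-install audit of a skill checkout for the indicators named in the scan
report. Added example: not ClawHub scanner code and not part of the skill.
The pattern list is a constructed starting point; /root/autodl-tmp is the one
path the report names, the rest are generic indicators."""
import re
import tempfile
from pathlib import Path

# (label, compiled regex) pairs; at most one finding per matching line per label.
PATTERNS = [
    ("absolute-path", re.compile(r"/root/autodl-tmp\S*")),
    ("url", re.compile(r"https?://[^\s'\")]+")),
    ("external-service", re.compile(r"feishu|slack|webhook", re.I)),
    ("network-lib", re.compile(r"\bimport (?:requests|socket)\b|urllib\.request")),
    ("shell-true", re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True")),
    ("env-read", re.compile(r"os\.environ(?:\.get)?\s*[\[(]\s*['\"][A-Z0-9_]+['\"]")),
    ("base64-block", re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")),
]
EXTERNAL_SERVICE = dict(PATTERNS)["external-service"]
TEXT_SUFFIXES = {".py", ".sh", ".md", ".txt", ".json", ".yaml", ".yml", ".r", ".R"}


def audit_skill_dir(root):
    """Walk `root` and return a list of (relative_path, line_no, label, snippet).
    line_no 0 means the file name itself matched (e.g. generate_feishu_report.py).
    Only text-like suffixes are scanned; directories and unknown files are skipped."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in TEXT_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        m = EXTERNAL_SERVICE.search(rel)
        if m:
            findings.append((rel, 0, "external-service", m.group(0)))
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            for label, rx in PATTERNS:
                m = rx.search(line)
                if m:
                    findings.append((rel, line_no, label, m.group(0)[:60]))
    return findings


def summarize(findings):
    """Count findings per label for a quick go/no-go glance."""
    counts = {}
    for _, _, label, _ in findings:
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_sample_skill(base):
    """Write a constructed skill tree that mimics the report's findings
    (an offline flag in SKILL.md next to a base64-looking blob, a UniProt-style
    collector, a shell script with a hard-coded project path, and a reporter
    that reads a webhook from the environment and shells out)."""
    files = {
        "SKILL.md": "Run with --fasta to stay offline.\nlogo: " + "QUJD" * 20 + "\n",
        "scripts/collect.py": "import requests\nURL = 'https://example.invalid/uniprotkb/search'\n",
        "scripts/align_tree.sh": 'PROJECT=/root/autodl-tmp/phylo\nmafft --auto "$PROJECT/seqs.fasta"\n',
        "scripts/generate_feishu_report.py": (
            "import os, subprocess\n"
            'HOOK = os.environ.get("FEISHU_WEBHOOK")\n'
            'subprocess.run("curl -d @report.json " + HOOK, shell=True)\n'
        ),
    }
    for rel, body in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")


def demo():
    """Build the constructed sample in a temp dir, audit it, return (findings, counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_skill(tmp)
        findings = audit_skill_dir(tmp)
    return findings, summarize(findings)


if __name__ == "__main__":
    found, counts = demo()
    for rel, line_no, label, snippet in found:
        print(f"{rel}:{line_no}: [{label}] {snippet}")
    print(counts)
```

Point `audit_skill_dir` at a real checkout instead of the constructed sample to get the same per-file listing; a hit is a prompt to open the file, not a verdict, which is also why the scan report keeps its 'expected' and 'unexpected' labels separate.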

Like a lobster shell, security has layers — review code before you run it.

latest: vk979ssrna86h9w0wfh62zx2r5h85c50v
67 downloads
0 stars
3 versions
Updated 4d ago
v1.0.2
License: MIT-0

PhyloTree | Publication-Grade Phylogenetic Analysis

One-line: Build Nature/Science-level phylogenetic trees from enzyme names or sequences.


🚀 Quick Start (3 steps)

# 1. Activate environment
conda activate r43

# 2. Run analysis
python3 scripts/run_v2.py --query "imine reductase" --output ./output

# 3. Done! Check ./output/figures/ for publication-ready figures

Output: ML tree + 6 figures + QC reports + scientific conclusions


📋 Common Use Cases

Use Case 1: Analyze from FASTA file (Recommended)

python3 scripts/run_v2.py --fasta sequences.fasta --output ./my_analysis

How to get sequences:

  1. Go to UniProt: https://www.uniprot.org/
  2. Search for your enzyme (e.g., "imine reductase")
  3. Click "Download" → "FASTA (canonical)"
  4. Save as sequences.fasta

Use Case 2: Analyze by enzyme name (requires UniProt API)

python3 scripts/run_v2.py --query "imine reductase" --output ./ired_analysis

Note: This uses UniProt API which may change. Manual download (Use Case 1) is more reliable.

Use Case 3: Custom parameters

python3 scripts/run_v2.py \
  --query "lipase" \
  --output ./lipase \
  --threads 10 \
  --bootstrap 1000 \
  --identity 0.90

📊 What You Get

Files generated:

  • trees/phylo.treefile - ML tree (Newick format)
  • figures/*.png - 6 publication-ready figures (300 DPI)
  • analysis_summary.json - Key statistics
  • conclusions.md - Scientific findings

Figures:

  1. Main tree (rectangular layout)
  2. Circular tree
  3. Heatmap tree (branch length gradient)
  4. Branch length distribution
  5. Genus distribution
  6. Combined multi-panel

🔧 Key Parameters

Parameter    Default  Description
--query      -        Enzyme name (UniProt search)
--fasta      -        Input FASTA file
--output     -        Output directory
--threads    10       CPU threads
--bootstrap  1000     Bootstrap replicates

Full parameter list: See references/parameters.md


📖 Need More?

First time setup: references/installation.md
Troubleshooting: references/troubleshooting.md
Interpreting results: references/interpretation.md
Publication checklist: references/publication.md
AI report generation: references/ai_workflow.md


✅ Quality Standards

  • ✅ IQ-TREE ML + ModelFinder (1232 models)
  • ✅ UFBoot2 + SH-aLRT ≥ 1000
  • ✅ Alignment trimming (trimAl)
  • ✅ Deduplication (CD-HIT 90%)
  • ✅ 300 DPI figures
  • ✅ Nature/Science color schemes

Suitable for: Nature, Science, Cell, MBE, Systematic Biology, PNAS


🤖 For AI Agents

After analysis, read:

  1. analysis_summary.json - Structured statistics
  2. conclusions.md - Scientific findings
  3. references/report_template.md - Writing template

No need to parse log files!


📚 References

  1. Nguyen et al. (2015). IQ-TREE. Mol Biol Evol 32:268-274.
  2. Hoang et al. (2018). UFBoot2. Mol Biol Evol 35:518-522.
  3. Kalyaanamoorthy et al. (2017). ModelFinder. Nat Methods 14:587-589.
  4. Yu et al. (2017). ggtree. Methods Ecol Evol 8:28-36.

Full references: references/citations.md


🔒 Security & Privacy

This skill is safe and transparent:

  • No malicious code - All scripts are open source and auditable
  • External tools only - Calls standard bioinformatics tools (IQ-TREE, MAFFT, trimAl, CD-HIT)
  • Optional API - UniProt API is optional, manual FASTA download recommended
  • Local processing - All analysis runs locally, no data sent to third parties
  • No network when using --fasta - Completely offline when using local FASTA files

Why flagged as suspicious?

ClawHub's automated scanner detected:

  • subprocess calls (to run IQ-TREE, MAFFT, R)
  • Optional network requests (UniProt API for --query mode)
  • File system operations (creating output directories)

These are normal and necessary for phylogenetic analysis. All external commands are:

  • Standard bioinformatics tools (installed via conda)
  • Called with explicit arguments (no shell injection)
  • Logged for transparency
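What "called with explicit arguments (no shell injection)" means in practice, as an added example that is not the skill's run_v2.py or any ClawHub code: the shell-string form beside the argv-list form, using a constructed echo stand-in for mafft/iqtree so the block runs offline, plus a hypothetical `is_inside`/`resolve_inside` check that rejects input paths outside the user's chosen directory, which is the hard-coded /root/autodl-tmp case the scan report raises.

```python
"""Explicit-argv tool invocation versus shell-string assembly, plus a check that
paths stay inside the user's chosen directory. Added example, not the skill's
run_v2.py; sys.executable stands in for mafft/iqtree so the block runs offline."""
import shlex
import subprocess
import sys
from pathlib import Path

# Constructed stand-in tool: prints each argument it receives on its own line.
ECHO_CODE = "import sys; print('\\n'.join(sys.argv[1:]))"


def run_tool_weak(fasta):
    """Command assembled as one string and handed to the shell. The file name is
    spliced in unquoted, so shell metacharacters inside it are interpreted."""
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(ECHO_CODE)} {fasta}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def run_tool_argv(fasta, threads=10):
    """Explicit argv list, no shell: every element reaches the tool verbatim,
    however odd the file name looks."""
    argv = [sys.executable, "-c", ECHO_CODE, "--thread", str(threads), str(fasta)]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def is_inside(path, base):
    """True when `path`, resolved against `base`, stays within `base`.
    Absolute paths (e.g. /root/autodl-tmp/...) and ../ traversal fail this."""
    base = Path(base).resolve()
    target = (base / path).resolve()
    return target == base or base in target.parents


def resolve_inside(path, base):
    """Resolve `path` against `base`, refusing anything that escapes it."""
    if not is_inside(path, base):
        raise ValueError(f"{path!r} resolves outside {Path(base).resolve()}")
    return (Path(base) / path).resolve()


if __name__ == "__main__":
    # Constructed file name containing a shell separator, used only to show
    # the difference between the two invocation styles.
    odd_name = "seqs.fasta; echo INJECTED"
    print("shell string :", run_tool_weak(odd_name))   # the echo runs
    print("argv list    :", run_tool_argv(odd_name))   # one literal argument
    print(is_inside("out/seqs.fasta", "."), is_inside("/root/autodl-tmp/x", "."))
```

The argv form is what the README's claim requires; if a reviewer finds a `shell=True` call in the scripts, the fix is to build the list as `run_tool_argv` does and pass paths through a check like `resolve_inside` so an absolute project path cannot pull the run outside `--output`.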

Recommended usage:

  • Use --fasta with manually downloaded sequences (no network requests)
  • Only use --query if you trust UniProt API (public, no authentication)

Verification:

  • Review all scripts in scripts/ directory
  • Check run_v2.py for the complete workflow
  • All external commands are documented in SKILL.md

Version: 2.0 | Updated: 2026-04-23
