Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Molecular Docking AutoDock

v1.0.0

Automates the full molecular docking workflow: it accepts a protein structure file (PDB format), a small-molecule SMILES string, and a pocket location (free-text description or coordinate range), and outputs the highest-scoring docked complex structure together with the docking scores, using the AutoDock Vina algorithm by default. Use case: triggered when the user needs protein/small-molecule docking to predict binding modes, screen ligands, or obtain a docked complex structure.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (AutoDock VINA docking pipeline) aligns with included files and commands: preprocessing (RDKit, Meeko, OpenBabel), pocket prediction (p2rank), and vina execution. Dependencies and references are coherent with the stated goal.
Instruction Scope
SKILL.md and the script instruct running external binaries (obabel, vina, p2rank) and a wget download. The runtime instructions and script access local files (protein PDB, output_dir) and spawn subprocesses; they do not request unrelated system secrets, but they allow user-supplied file paths and pocket descriptions to be passed into shell commands without sanitization, which can be abused.
Install Mechanism
No formal install spec in registry (instruction-only), but SKILL.md tells users to install conda packages and to wget a p2rank tarball from a GitHub release. Downloading from GitHub releases is reasonable, but it still performs a network download and adds third-party tooling to the environment.
Credentials
No environment variables, credentials, or config paths are requested. The required tools and packages (rdkit, openbabel, meeko, vina, p2rank) are proportionate to molecular docking.
Persistence & Privilege
Skill is not forced-always, does not request elevated privileges or modify other skills. It runs as invoked and writes outputs to a user-specified output_dir only.
What to consider before installing
This skill appears to implement the advertised docking workflow, but the Python script builds and runs shell commands (obabel, prank, vina) by interpolating user-supplied paths and descriptions into f-strings with subprocess.run(..., shell=True). That pattern allows command injection if a malicious or malformed file path/pocket string is provided. Before installing or running: (1) review the full scripts yourself or with a developer; (2) run the skill in an isolated environment or container; (3) avoid supplying untrusted file paths or freeform text as the pocket argument; (4) consider patching the code to call external programs with argument lists (subprocess.run([...], shell=False)) or to sanitize/quote inputs (shlex.quote) and validate paths; (5) ensure you trust the binaries you install (conda packages and the p2rank tarball). If you cannot review or sandbox it, treat it as risky for use with sensitive systems or data.


latest: vk97be7h99jcjtnsaq5vc9cr88h84g0sp
