Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Protein Key Fragment Analysis

v1.0.5

Protein key sequence fragment prediction and analysis. Runs the complete analysis pipeline on multi-species FASTA sequences of any protein family: extracts a consensus sequence and identifies key functional fragments, computes amino-acid composition statistics, and predicts the main function of each fragment. Use when: (1) the user mentions "extract key protein sequences/fragments", "analyze protein conserved regions", or "predict protein functional fragments"; (2) running the full analysis pipeline on a new species/taxon; (3) from existing FASTA sequences, extracting con...

0 · 329 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (consensus/MSA → fragment extraction → composition → function prediction) matches the provided scripts and example outputs. The code implements MSA invocation (via ClustalOmega) and generates the reported JSON/MD outputs, so purpose and capability are largely aligned.
Instruction Scope
SKILL.md and references describe excluding A/G/P/X from composition statistics, but the shipped script's AA_CATEGORIES explicitly includes A/G/P inside the Hydrophobic class (implementation contradicts docs). That affects outputs and downstream function_prediciton logic. SKILL.md also recommends installing ClustalOmega and editing script constants (KNOWN_MOTIFS/CONSERVED_BLOCKS) — editing code is expected for custom families but increases risk of accidental misconfiguration. A pre-scan detected a 'base64-block' pattern in SKILL.md content (or other files), which could indicate embedded data or an attempt at prompt-injection; this should be inspected.
Install Mechanism
No install spec; instruction-only install steps ask users to install ClustalOmega via apt/conda. Using a local well-known bioinformatics binary is proportionate. There are no remote download/install steps in metadata.
Credentials
The skill requires no environment variables, credentials, or special config paths. It reads local FASTA inputs and writes local reports — credential requests are proportionate (none requested).
Persistence & Privilege
Skill is not always-enabled, does not request persistent system-wide privileges, and contains only scripts and static references. Autonomous invocation is allowed by platform default but not combined with other privilege escalations here.
Scan Findings in Context
[base64-block] unexpected: The pre-scan flagged a base64-block pattern in the SKILL.md or other files. The documented runtime and code do not require embedded base64 payloads; inspect repository files for embedded/obfuscated data before running.
What to consider before installing
What to check before installing or running this skill:
1) Code–doc mismatch: the docs and references repeatedly state that A/G/P (and X) are excluded from the amino-acid composition statistics, but the included script classifies A/G/P as Hydrophobic. This will materially change reported category counts, dominant-category calls, and downstream function predictions. Do not trust results until you verify/correct AA_CATEGORIES in scripts/protein_key_fragment_analysis.py and re-run a test.
2) Inspect for embedded data: the static scan found a 'base64-block' signature. Search all files for long base64-like blocks (e.g., lots of A–Z/a–z/0–9/+/=) and review their purpose. If you find any, open them and confirm they are just static example data or benign resources.
3) Run on non-sensitive data first: execute the scripts on small, public example FASTA files to confirm behavior, outputs, and runtime calls (the code calls clustalo via subprocess). Confirm no unexpected network activity (run in an isolated environment or monitor outbound connections during a test run).
4) Verify dependencies and runtime: ClustalOmega is required and invoked via subprocess. Ensure you have the correct version installed and that the environment where you run the skill is trusted.
5) Review other truncated files: the package contains many precomputed results; scan any remaining/truncated files for hidden scripts, obfuscated content, or instructions that differ from SKILL.md. Because parts of the code were truncated in the review, further review could reveal additional inconsistencies.
6) If you plan to use this for research or decision-making, validate predictions experimentally or via established annotation tools (Pfam/InterPro/AlphaFold) — the tool itself documents limitations and is heuristic.
If you want, I can: (a) point to the exact lines in the script to change to make A/G/P excluded, (b) produce a small checklist of commands to run the package safely in an isolated environment, or (c) search the full file list for base64-like blocks and show their locations.
