Protein Key Fragment Analysis

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Prompt-injection indicators were detected in the submitted artifacts (base64-block); human review is required before treating this skill as clean.

Use this skill in an isolated project folder with FASTA files you intend to analyze. Install ClustalOmega from a trusted source, review generated output paths before reruns, and verify the amino-acid classification rules because the documentation and code disagree. The provided visible artifacts do not show credential access, data exfiltration, or background persistence. ClawScan detected prompt-injection indicators (base64-block), so this skill requires review even though the model response was benign.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Installing the dependency changes the local environment and depends on the trustworthiness of the package source.

Why it was flagged

The skill requires an external ClustalOmega binary installed through the OS or conda, while the registry requirements declare no required binaries. This is expected for multiple-sequence alignment but should be explicit to users.

Skill content
sudo apt install clustalo

# or conda
conda install -c bioconda clustalo
Recommendation

Install ClustalOmega only from trusted package repositories, or use an isolated conda environment/container.

ASI05: Unexpected Code Execution
Low
What this means

Running the skill will execute a local binary and may overwrite generated output files because ClustalOmega is invoked with --force.

Why it was flagged

The script executes the local ClustalOmega command with user-selected input and an output path. It uses an argument list rather than shell expansion, and this execution is central to the stated MSA workflow.

Skill content
cmd = ["clustalo", "-i", str(input_fasta), "-o", str(output_aln), "--outfmt=fasta", "--force", "-v"]
...
result = subprocess.run(cmd, capture_output=True, text=True)
Recommendation

Run it in a project directory on FASTA files you intend to analyze, and check output paths before rerunning.

ASI09: Human-Agent Trust Exploitation
Low
What this means

Scientific conclusions about fragment composition and predicted function may not match the documented method.

Why it was flagged

The visible code classifies A/G/P as Hydrophobic, while SKILL.md and references/method.md describe A/G/P as excluded and claim consistency with aa-pair-analysis. This affects result interpretation rather than showing malicious behavior.

Skill content
# Note: A/G/P are reassigned to Hydrophobic here (differs from the classification scheme used in the amino-acid pair analysis)
AA_CATEGORIES = {
    'Hydrophobic': set('VLIMAG P'.replace(' ', '')),
Recommendation

Confirm or correct the amino-acid category rules before using the reports for research decisions.