Skill v1.0.0

ClawScan security

PharmaAI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 14, 2026, 1:54 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions mostly match its stated purpose, but there are important inconsistencies (missing packaged model files, undeclared runtime requirements, and overly-optimistic model metrics) that make the bundle questionable until provenance and missing artifacts are resolved.
Guidance
This package mostly looks like a local Node+Python prediction tool, but do NOT install blindly. Key concerns to resolve before use:
1) The manifest/README reference pre-trained model files (python-core/models/*.pkl) that are not included — verify the models are present from a trusted source or the skill will fail.
2) The skill requires python3 and native Python packages (RDKit) which must be installed separately; RDKit has non-trivial native dependencies—test in an isolated environment.
3) The Python bridge spawns local processes and runs bundled Python code — review the Python files and any model-loading logic for safety and provenance.
4) The model metric claims (two models with ROC-AUC=1.000) are suspiciously perfect; ask the author for provenance, training data, and validation details before trusting predictions for critical decisions.
If you cannot verify the models' origin and integrity, run the skill in a sandbox or decline to install.

Review Dimensions

Purpose & Capability
note: The name/description, TypeScript code, and Python core align with a molecular-toxicity/ADMET prediction skill. However the bundle advertises pre-trained models (e.g. herg_model.pkl, hepatotoxicity_model.pkl, ames_model.pkl) and references additional docs, but those model files and some referenced docs are not present in the provided file manifest. The package also does not declare runtime requirements (python3, RDKit) or list model files as required assets — this is disproportionate to the claimed out-of-the-box capability.
Instruction Scope
note: Runtime instructions and code confine behaviour to local computation: the Node layer spawns a local python3 process and passes JSON; the Python script loads local model files, computes descriptors with RDKit, and returns JSON. There are no network calls, no attempts to read arbitrary system files, and no exfiltration endpoints in the code. That said, documentation files include publishing/login guidance referencing ClawHub tokens (for publishing) which is unrelated to runtime prediction and should not be confused with required credentials.
Install Mechanism
concern: There is no install spec and the skill expects heavy native Python packages (RDKit, scikit-learn, numpy, joblib). The bundle does not ship platform installers or the model artifacts; running it will require manual installation of RDKit (which has non-trivial native dependencies). The absence of packaged models means either the skill will fail at runtime or the author expects models to be fetched/added outside the bundle (no code for fetching exists). This mismatch increases operational risk.
Credentials
ok: The skill does not request environment variables, credentials, or config paths for runtime operation (none declared). The only place tokens are mentioned is in publishing docs (HEADLESS_LOGIN.md / PUBLISH_GUIDE.md) describing how to publish the skill to ClawHub; those are documentation for authors and are not used by the runtime code. No other unrelated credentials are requested.
Persistence & Privilege
ok: The skill does not request always:true and does not attempt to modify other skills or global agent configuration. It runs as a local Node/Python process when invoked. Autonomous invocation is allowed (platform default) but does not combine with other privilege red flags in the bundle.