ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Protein-Ligand Docking

v2.3.0

Run a protein-ligand docking workflow for research questions about target binding, selectivity, and structural plausibility. Use this skill when the user ask...

0· 116·0 current·0 all-time
by@zackz2025
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's purpose (protein–ligand docking) matches the included scripts and instructions. However, the registry metadata lists no required binaries or env vars while the scripts and SKILL.md clearly depend on external tools (OpenBabel 'obabel', AutoDock Vina) and Python packages (Biopython, NumPy, RDKit, python-docx). Declaring zero required binaries in the metadata is inconsistent with the actual runtime needs.
Instruction Scope
SKILL.md stays within the stated workflow (UniProt/RCSB queries, AlphaFold/Colab, Vina docking) and instructs the agent to stop early when quality is poor, which is appropriate. Two issues: (1) SKILL.md references a Colab template file references/alphafold_multimer_colab.ipynb that is not present in the manifest, and (2) some small field-name mismatches exist between scripts' output JSON keys and how the report generator expects them (potential runtime errors but not malicious behavior). The instructions require web access to UniProt/RCSB/Colab — expected for the task.
!
Install Mechanism
There is no install specification (instruction-only), yet the code expects a substantial local toolchain (Python packages, OpenBabel, AutoDock Vina, possibly WSL on Windows). The absence of an install spec or clear setup steps in the registry metadata is a red flag for usability and safety: users may run code that fails or behaves unexpectedly if required binaries are missing or different versions are installed. No downloads or remote installers are embedded in the skill (which reduces supply-chain risk), but the skill does rely on external executables invoked via subprocess.
Credentials
The skill does not request environment variables or credentials in the registry metadata. The workflow needs network access to UniProt/RCSB/Colab but does not declare or require secret keys. This is proportionate to the stated purpose. Note: absence of declared binary requirements (see above) is an orthogonal inconsistency.
Persistence & Privilege
always is false and the skill is user-invocable; the skill does not request persistent/system-wide privileges and does not modify other skills. The default ability for the agent to invoke the skill autonomously remains enabled (normal for skills) but is not combined with other high-risk indicators.
What to consider before installing
This skill appears to implement a legitimate protein–ligand docking pipeline, but before installing or running it you should: (1) Confirm that the environment has the required external tools (OpenBabel 'obabel', AutoDock Vina) and Python packages (Biopython, NumPy, RDKit, python-docx, etc.). The registry metadata currently omits these requirements, so the skill may fail or produce misleading results if they are missing. (2) Verify the missing referenced file: SKILL.md points to references/alphafold_multimer_colab.ipynb but that file isn't in the bundle—ask the publisher for the notebook or update the workflow to make explicit how to obtain it. (3) Review the scripts locally before running: they invoke subprocesses (obabel, vina) and read/write files in the working directory; ensure you run them in an isolated workspace with input files you trust. (4) If you plan to allow autonomous agent invocation, restrict network access or review logs—while this skill doesn't request secrets, autonomous execution plus external web access can increase risk if you haven't vetted the inputs and outputs. (5) Consider running the scripts manually in a controlled environment first to confirm outputs and to ensure the correct binary paths and versions are used. If you want, I can produce a checklist of the exact packages, command-line tools and minimum versions to install, or highlight the precise JSON/field mismatches to fix in the code.

Like a lobster shell, security has layers — review code before you run it.

latestvk97edxtpahv0hgk4zvypjxz27h8437cc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments