v1.0.0

Molecular 3D Renderer

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 6:06 AM.

Analysis

The skill appears to do what it claims—render molecules locally—while relying on user-directed installs, local rendering tools, and optional public PDB downloads.

Guidance: This looks reasonable for a molecular rendering skill. Before installing, use trusted dependency sources, preferably run it in a virtual environment, and remember that PDB ID mode may contact RCSB and cache downloaded structure files locally.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
pip install rdkit numpy
apt-get install -y povray

# For PDB support:
pip install biopython

The skill asks the user to install unpinned third-party packages and a system renderer. This is expected for this renderer, but it is still a supply-chain surface users should notice.

User impact: Installing the skill's dependencies will pull code and binaries from package repositories onto the user's machine.
Recommendation: Install in a virtual environment or container where possible, use trusted package sources, and consider pinning or reviewing dependency versions.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/pdb_to_3d.py
url = f"https://files.rcsb.org/download/{pdb_id}.pdb"
...
urllib.request.urlretrieve(url, out_path)

PDB mode can make an outbound request to RCSB and save the downloaded structure locally. This matches the documented PDB auto-download feature.

User impact: Rendering by PDB ID can contact RCSB and cache the downloaded public structure file locally.
Recommendation: Use PDB auto-download only when intended, and use local files for private structures if you do not want an external lookup.

Unexpected Code Execution
Severity: Info | Confidence: High | Status: Note
SKILL.md
requires:
  bins: ["povray", "python3"]
...
python3 scripts/smiles_to_3d.py "SMILES" -o output.png

The skill operates by running local Python scripts and a local POV-Ray renderer. This execution is disclosed and central to the stated rendering purpose.

User impact: Using the skill runs local code and a rendering binary on the user's machine.
Recommendation: Run it in a normal project directory or isolated environment, and review output paths before invoking commands.