Pharmacology agent for ADME/PK profiling of drug candidates from SMILES. Computes drug-likeness (Lipinski Ro5, Veber rules), QED, SA Score, ADME predictions...
Security Analysis
high confidenceThe skill's functionality aligns with its description (RDKit-based ADME/PK profiling) but the package omits declared runtime dependencies and will send input SMILES to an external ADMETlab API (possible IP/data exposure), so review before installing or running on proprietary molecules.
The code and SKILL.md match the stated purpose: RDKit descriptor calculations, rule-based ADME heuristics, optional ADMETlab 3.0 ML integration. However, the skill metadata declares no required binaries or env vars while the code clearly requires Python packages (rdkit, requests) and optional RDKit contrib modules (SA_Score, PAINS catalog). This omission is an inconsistency (missing dependency declarations) but not necessarily malicious.
The runtime instructions direct calling scripts/chain_entry.py which in turn may call scripts/admetlab3.py that performs an HTTP POST of the SMILES to ADMETlab 3.0 (https://admetlab3.scbdd.com). Transmitting SMILES to a third-party service can leak proprietary chemical structures/IP. The SKILL.md mentions ADMETlab integration (so the network call is documented) but there is no clear user warning about privacy/IP risk or an explicit opt-out to force local-only RDKit fallback.
No install spec is provided (instruction-only), which avoids arbitrary downloads, but the included code depends on heavy third-party libraries (RDKit, requests, optional RDKit contrib modules). Because these are not declared in metadata, users may run into missing-dependency failures or silently run with reduced functionality. There are no suspicious external installers or unusual download URLs in the package itself.
The skill does not request credentials or environment variables, which is appropriate. However, it will transmit input SMILES over the network to a third-party API when available; that network access effectively exposes potentially sensitive data (chemical structures). From a credentials perspective this is proportional, but from a data-exposure perspective it is a material privacy/IP concern that should be made explicit to the user.
The skill does not request always:true, does not modify other skills or system config, and has no elevated persistence or privileges. It runs only when invoked and prints JSON to stdout; no evidence of self-installation or system-wide changes.
Guidance
This skill appears to do what it says (RDKit-based ADME and optional ADMETlab API predictions), but pay attention to two things before using it: - Dependency availability: The package metadata lists no required binaries, but the scripts need Python packages (rdkit and requests) and optional RDKit contrib modules (SA_Score, PAINS). Ensure these are installed in a controlled environment before running. - Data exposure / IP risk: When ADMETlab 3.0 is reachable, the skill will POST your SMILES to https://admetlab3.scbdd.com. If your molecules are proprietary, confidential, or covered by IP restrictions, do not run this skill without either removing/patching the admetlab call (force local-only RDKit fallback) or confirming the external service's data handling/privacy terms. Consider running the tool offline (use chain_entry.py which can operate purely with RDKit if ADMETlab is unavailable) or auditing admetlab3.py to add an explicit opt-in flag to enable external queries. Also consider running the code in an isolated environment (container) and reviewing the code locally before supplying sensitive inputs. If you need help patching the script to disable network calls by default, ask and provide the preferred behavior (always-local vs explicit --use-admetlab flag).
Latest Release
v2.0.0
Full release: ADME/PK profiling, Lipinski, QED, BBB, CYP3A4, PAINS alerts
More by @Cheminem
Published by @Cheminem on ClawHub
