Virtual screening workflows combining protein-sequence lookup, docking box calculation, transformer-based library screening, and docking-based proprietary li...
Security Analysis
medium confidence
The skill's requirements, instructions, and included code are consistent with a SciMiner-hosted virtual screening integration, but it will upload sequences/structure files and requires trusting sciminer.tech and the provided API key.
Name/description (virtual screening) align with the declared dependency (SCIMINER_API_KEY) and the included registry describing transformer- and docking-based screening tools. No unrelated credentials, binaries, or config paths are requested.
SKILL.md instructs the agent to call SciMiner internal API endpoints and to upload local files (receptor PDBs, ligands). This is coherent for the stated purpose, but it means user-provided sequences, structure files, and library files will be sent to https://sciminer.tech. The docs explicitly forbid falling back to other services and require the SciMiner API path.
No install spec or remote downloads; only small local Python registry files are included. Nothing in the install mechanism writes or executes code from unknown URLs.
Only a single credential (SCIMINER_API_KEY) is required and is the primaryEnv. That is proportional for a third-party API-based service. There are no other secret env vars or config paths requested.
always:false and no system-wide config access — no excessive privilege requested. However, the skill allows autonomous model invocation (platform default), meaning an agent could call the SciMiner API and upload files when the skill is invoked without extra manual steps; consider this when granting the API key.
Guidance
This skill legitimately talks to and relies on SciMiner (https://sciminer.tech) and requires you to set SCIMINER_API_KEY. Before installing: (1) confirm you trust sciminer.tech and its privacy/terms because the skill will upload sequences, receptor PDBs, and any candidate library files to their API; (2) avoid using a highly privileged or long-lived key — prefer a scoped/ephemeral key if possible; (3) if you plan to screen proprietary or confidential molecules/structures, verify that sending them to SciMiner is permitted by your organization; (4) note there is no homepage/source URL in the registry entry and the publisher identity is opaque, so if provenance matters seek additional verification from the skill author or vendor.
Latest Release
v1.0.2
- Clarified that the SciMiner API key is free and updated the prerequisite messaging to reflect this.
- Improved language on API key requirements for user guidance.
- No functional or workflow changes introduced.
Published by @sciminer on ClawHub