Health Git v1.0.0
Implements Git-like workflow for health tracking, allowing users to log data, submit intervention plans for expert review, and audit health events.
Security Scan (OpenClaw): Benign, medium confidence
Purpose & Capability
The SKILL.md describes a local 'health-git' service (Git-like workflow for health logs) and all instructions (start uvicorn, seed data, curl the API) are consistent with that purpose. Minor mismatch: the registry lists no required env vars but the docs show optional ENV vars (HEALTH_GIT_BASE_URL, AUTH_ENABLED, CONSUMER_API_KEY, REVIEWER_API_KEY). That's reasonable for an example but should be noted.
Instruction Scope
Instructions are limited to starting a local web service and calling its REST endpoints on http://localhost:8090. They do not instruct reading unrelated system files or exfiltrating data to external hosts. Example curl requests include x-api-key headers and rule updates; these are appropriate for the described functionality.
Install Mechanism
No install spec and no code files are bundled; SKILL.md tells the user how to install dependencies and run a project they must provide. This is low-risk from the skill package perspective (nothing is written by the platform).
Credentials
The skill itself does not declare required credentials, but the runtime examples show optional API keys and an AUTH_ENABLED flag. Requesting API keys for consumer/reviewer roles is proportionate to the service's auth model. Important: the default instructions indicate authentication is off by default—this is a security/privacy risk if run in non-local or network-exposed environments.
Persistence & Privilege
The skill does not request persistent privileges (always:false) and does not modify other skills or global agent settings. Autonomous invocation is allowed by platform defaults but the skill's instructions are limited to local API interactions.
Assessment
This skill is an instructions document for running and using a local 'health-git' service — it does not include code in the package, so you must provide or obtain the actual project code before the commands will work. Before running:
1) Verify the service source (there's no homepage/source link provided).
2) Only run the server on localhost or behind proper network controls; do not expose it publicly.
3) Enable authentication (AUTH_ENABLED=true) and configure strong, unique API keys for CONSUMER_API_KEY and REVIEWER_API_KEY before putting any real patient data into the system.
4) Review and audit any rule changes (e.g., MEDICATION_CHANGE_REVIEW keywords) because they affect clinical workflow and safety.
5) Treat any stored data as potentially protected health information — use appropriate encryption, access controls, and comply with relevant regulations.
6) If you will run third-party code (pip install / uvicorn), inspect that code or run it in an isolated/test environment first.
health-git
An AI assistant skill that carries Git workflow semantics (Issue → Branch → Commit → PR → Review → Merge) over to health intervention scenarios.
Every check-in or data entry by the user is a care_commit; after a health manager or physician reviews it, it is merged into next week's plan, and every event is auditable.
Use cases
- Patients/consumers: log daily diet, exercise and medication check-ins, submit a PR, and wait for review
- Health managers/physicians: view pending PRs, run safety checks, approve/reject intervention plans
- Data analysis: view adherence rate, merge rate and other metrics, used as a reward-model training signal
Prerequisites
The service runs on http://localhost:8090 by default; the address can be overridden with environment variables:
```bash
export HEALTH_GIT_BASE_URL=http://localhost:8090
# If authentication is enabled:
export AUTH_ENABLED=true
export CONSUMER_API_KEY=consumer-key
export REVIEWER_API_KEY=reviewer-key
```
Start the service:
```bash
cd <project directory>
pip install -r requirements.txt
uvicorn app.main:app --reload --port 8090
```
Seed example data:
```bash
curl -X POST http://localhost:8090/api/seed
```
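The environment variables above decide whether the service runs with authentication off (the default) and which keys the two roles use. The following preflight check is an added example, not part of the health-git project: it reads the same variables and reports configurations the security assessment warns about. The loopback host list, the 32-character minimum key length and the treatment of the documentation's `consumer-key`/`reviewer-key` values as placeholders are assumptions of this example.

```python
import os
from urllib.parse import urlsplit

# Example values copied from the SKILL.md snippet; treated as placeholders that must never be real keys.
DOC_PLACEHOLDER_KEYS = {"consumer-key", "reviewer-key"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
MIN_KEY_LEN = 32  # assumed minimum length for a randomly generated key


def _is_true(value):
    return (value or "").strip().lower() in {"1", "true", "yes", "on"}


def preflight(env):
    """Return a list of findings for a health-git environment mapping (e.g. os.environ).

    An empty list means: loopback-only when auth is off, and strong, distinct,
    non-placeholder keys (plus TLS for non-loopback hosts) when auth is on.
    """
    findings = []
    base_url = env.get("HEALTH_GIT_BASE_URL", "http://localhost:8090")
    parts = urlsplit(base_url)
    host = parts.hostname or ""
    auth_on = _is_true(env.get("AUTH_ENABLED"))

    if host not in LOOPBACK_HOSTS and not auth_on:
        findings.append(f"{base_url} is not loopback and AUTH_ENABLED is not true")
    if parts.scheme != "https" and host not in LOOPBACK_HOSTS:
        findings.append("non-loopback base URL without TLS; API keys would travel in clear text")

    if auth_on:
        keys = {name: env.get(name, "") for name in ("CONSUMER_API_KEY", "REVIEWER_API_KEY")}
        for name, key in keys.items():
            if not key:
                findings.append(f"{name} is empty while AUTH_ENABLED=true")
            elif key in DOC_PLACEHOLDER_KEYS:
                findings.append(f"{name} uses the documentation placeholder value")
            elif len(key) < MIN_KEY_LEN:
                findings.append(f"{name} is shorter than {MIN_KEY_LEN} characters")
        if keys["CONSUMER_API_KEY"] and keys["CONSUMER_API_KEY"] == keys["REVIEWER_API_KEY"]:
            findings.append("consumer and reviewer keys are identical; role separation is lost")
    return findings


if __name__ == "__main__":
    # Run before starting uvicorn; a non-empty list means the configuration needs attention.
    for finding in preflight(os.environ):
        print("WARN:", finding)
```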
API quick reference
| Operation | Method | Path |
|---|---|---|
| Health check | GET | /api/health |
| Seed data | POST | /api/seed |
| View global dashboard | GET | /api/dashboard |
| Submit check-in (care commit) | POST | /api/commits |
| Open intervention PR | POST | /api/prs |
| Review PR | POST | /api/prs/{pr_id}/review |
| Record outcome metrics | POST | /api/outcomes |
| View metrics | GET | /api/metrics |
| View event log | GET | /api/events |
| View check rules | GET | /api/rules |
| Update check rule | PATCH | /api/rules/{rule_id} |
Conversation examples
User: Log today's check-in for me: walked 8000 steps, adherence score 80
Assistant action:
```bash
curl -s -X POST http://localhost:8090/api/commits \
  -H "Content-Type: application/json" \
  -d '{"branch_id":1,"user_id":1,"task_type":"exercise","evidence_text":"步行8000步","metric_value":8000,"adherence_score":80}'
```
User: Submit the PR for this week's intervention plan, low risk
Assistant action:
```bash
curl -s -X POST http://localhost:8090/api/prs \
  -H "Content-Type: application/json" \
  -d '{"branch_id":1,"requested_by":1,"summary":"本周饮食控制+步行计划","risk_level":"low"}'
```
User: Review PR #1 and approve it
Assistant action:
```bash
curl -s -X POST http://localhost:8090/api/prs/1/review \
  -H "Content-Type: application/json" \
  -H "x-api-key: reviewer-key" \
  -d '{"reviewer_id":2,"action":"approve","review_note":"依从良好,计划合理"}'
```
User: Add "adjust dose" to the medication-change check keywords
Assistant action:
```bash
# Fetch the current rules first
curl -s http://localhost:8090/api/rules | python3 -m json.tool
# Update the keywords
curl -s -X PATCH http://localhost:8090/api/rules/MEDICATION_CHANGE_REVIEW \
  -H "Content-Type: application/json" \
  -d '{"config_json":{"keywords":["increase medication","new drug","double dose","insulin","adjust dose"]}}'
```
User: Show me the current metrics
Assistant action:
```bash
curl -s http://localhost:8090/api/metrics | python3 -m json.tool
```
Returned fields: commit_rate (total check-ins), merge_rate (review approval rate), blocked_rate (rate of blocked PRs), avg_adherence (average adherence score)
Check rules
The system ships with two configurable rules:
- MEDICATION_CHANGE_REVIEW: automatically blocks a PR whose summary contains a medication-change keyword; it then requires human review
- ADHERENCE_GATE: blocks a PR when the adherence score of the most recent check-in is below the threshold (default 50)
Both rules can be adjusted dynamically via PATCH /api/rules/{rule_id} without restarting the service.
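To make the two rules concrete, here is an added, stand-alone re-implementation of their decision logic (example code, not the health-git project's own rule engine). The rule table mirrors the config_json shape the PATCH example above updates; the case-insensitive, whitespace-folded keyword matching and the fail-closed handling of a branch with no check-in yet are assumptions of this example, since the page does not specify either.

```python
import re

# Rule table as the SKILL.md describes it; config_json is what PATCH /api/rules/{rule_id} updates.
RULES = {
    "MEDICATION_CHANGE_REVIEW": {
        "enabled": True,
        "config_json": {"keywords": ["increase medication", "new drug", "double dose", "insulin"]},
    },
    "ADHERENCE_GATE": {"enabled": True, "config_json": {"threshold": 50}},
}


def _normalize(text):
    # Assumed: lower-case and collapse whitespace so "Adjust  Dose" still matches "adjust dose".
    return re.sub(r"\s+", " ", text.lower()).strip()


def check_pr(pr, last_commit, rules=RULES):
    """Return a list of (rule_id, reason) blocks for a PR; an empty list means it may proceed.

    pr is a dict with a 'summary'; last_commit is a dict with 'adherence_score',
    or None when the branch has no care commit yet (treated as blocked: fail closed).
    """
    blocks = []
    med = rules["MEDICATION_CHANGE_REVIEW"]
    if med["enabled"]:
        summary = _normalize(pr.get("summary", ""))
        hits = [k for k in med["config_json"]["keywords"] if _normalize(k) in summary]
        if hits:
            blocks.append(("MEDICATION_CHANGE_REVIEW", f"summary mentions {hits}; needs human review"))
    gate = rules["ADHERENCE_GATE"]
    if gate["enabled"]:
        threshold = gate["config_json"]["threshold"]
        if last_commit is None:
            blocks.append(("ADHERENCE_GATE", "no care commit on this branch yet"))
        elif last_commit["adherence_score"] < threshold:
            blocks.append(("ADHERENCE_GATE", f"last adherence {last_commit['adherence_score']} < {threshold}"))
    return blocks


def patch_rule(rules, rule_id, config_json):
    """Apply a PATCH /api/rules/{rule_id}-style update and return a new rule table (input untouched)."""
    if rule_id not in rules:
        raise KeyError(rule_id)
    merged = {**rules[rule_id]["config_json"], **config_json}
    return {**rules, rule_id: {**rules[rule_id], "config_json": merged}}
```

Because rule changes take effect immediately and decide whether a medication change reaches a human reviewer, every PATCH should itself be visible in the event log and reviewed like any other change to clinical workflow.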
Notes
- merge = a positive-reinforcement event endorsed by both the user and the expert, suitable as an RL reward signal
- All operations are written to the events table and can be filtered with GET /api/events?event_type=merge_completed
- Authentication is off by default; in production, set AUTH_ENABLED=true and configure API keys