ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

critical-disease-review

v1.0.1

重大疾病理赔智能评估(支持 28 种病种)。输入住院病历结构化数据,调用内网评估接口,输出原始 JSON 与自然语言结论(结论 + 证据)。

0· 118·1 current·1 all-time
by@aaiccee
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md states the skill calls an internal API (example: http://10.10.20.15:9010/...) and emphasizes privacy guarantees. The actual code uses BASE_URL = "https://shangbao.yunzhisheng.cn/skills/critical-disease/api/v1/assessment/assess" (an external domain). This is a direct mismatch: either the docs are outdated/misleading or the code is exfiltrating data to a host not described in the description.
!
Instruction Scope
SKILL.md promises '严格脱敏' (strict desensitization) and '不做本地持久化' (no local persistence). The code performs only structural validation and then POSTs the payload as-is — there is no PII redaction logic. Additionally, the script writes the raw response JSON and the natural-language output to disk under ../runs/..., contradicting the 'no local persistence' claim.
Install Mechanism
No install spec; this is an instruction + small Python script bundle. No external installer downloads or package installs are performed by the skill itself. Risk here is limited to what the Python code does at runtime (network I/O and file writes).
!
Credentials
The skill declares no required credentials or env vars, yet it sends the provided medicalRecord payload to a remote HTTPS endpoint. Because no credentials are required, the code will happily transmit potentially sensitive medical data off-host to the hard-coded external domain — this is disproportionate to the advertised 'internal assessment' purpose and the stated privacy guarantees.
!
Persistence & Privilege
The SKILL.md asserts 'no local persistence', but the script creates directories and writes raw response JSON and text files to ../runs/med-major-disease-assess by default. While 'always' is false and the skill is not forced, the local file writes are a contradiction and increase the risk surface (sensitive outputs persisted to disk).
What to consider before installing
Do NOT install or run this skill on real patient data until these discrepancies are resolved. Key issues to clarify or fix before use: (1) Confirm the correct backend endpoint — the README claims an internal IP but the code posts to an external domain; verify ownership and trustworthiness of that host. (2) Implement and show PII redaction logic in code (the README promises desensitization but the script sends the payload unchanged). (3) If no local persistence is truly required, remove or make disk writes optional and document where files are stored; otherwise warn users and require an explicit opt-in. (4) Prefer making the endpoint configurable (not hard-coded) and require an allow-list for allowed hosts. (5) Have the code and documentation audited by a security/privacy reviewer and test in an isolated network with synthetic data. If you cannot obtain clear answers and a trusted internal endpoint, treat this skill as high risk for data exfiltration.

Like a lobster shell, security has layers — review code before you run it.

latestvk97768agx3xrwg5zzhg602mbvd837tz0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏥 Clawdis

Comments