Skill v1.0.1
ClawScan security
critical-disease-review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 19, 2026, 4:16 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: Skill claims to call an internal assessment service and to desensitize/avoid persistence, but the included code posts full payloads to an external host and writes responses to disk — this mismatch creates a high risk of sensitive data exfiltration.
- Guidance: Do NOT install or run this skill on real patient data until these discrepancies are resolved. Key issues to clarify or fix before use:
1. Confirm the correct backend endpoint — the README claims an internal IP but the code posts to an external domain; verify ownership and trustworthiness of that host.
2. Implement and show PII redaction logic in code (the README promises desensitization but the script sends the payload unchanged).
3. If no local persistence is truly required, remove or make disk writes optional and document where files are stored; otherwise warn users and require an explicit opt-in.
4. Prefer making the endpoint configurable (not hard-coded) and require an allow-list for allowed hosts.
5. Have the code and documentation audited by a security/privacy reviewer and test in an isolated network with synthetic data.
If you cannot obtain clear answers and a trusted internal endpoint, treat this skill as high risk for data exfiltration.
Review Dimensions
- Purpose & Capability
- concern: The SKILL.md states the skill calls an internal API (example: http://10.10.20.15:9010/...) and emphasizes privacy guarantees. The actual code uses BASE_URL = "https://shangbao.yunzhisheng.cn/skills/critical-disease/api/v1/assessment/assess" (an external domain). This is a direct mismatch: either the docs are outdated/misleading or the code is exfiltrating data to a host not described in the description.
- Instruction Scope
- concern: SKILL.md promises '严格脱敏' (strict desensitization) and '不做本地持久化' (no local persistence). The code performs only structural validation and then POSTs the payload as-is — there is no PII redaction logic. Additionally, the script writes the raw response JSON and the natural-language output to disk under ../runs/..., contradicting the 'no local persistence' claim.
- Install Mechanism
- ok: No install spec; this is an instruction + small Python script bundle. No external installer downloads or package installs are performed by the skill itself. Risk here is limited to what the Python code does at runtime (network I/O and file writes).
- Credentials
- concern: The skill declares no required credentials or env vars, yet it sends the provided medicalRecord payload to a remote HTTPS endpoint. Because no credentials are required, the code will happily transmit potentially sensitive medical data off-host to the hard-coded external domain — this is disproportionate to the advertised 'internal assessment' purpose and the stated privacy guarantees.
- Persistence & Privilege
- concern: The SKILL.md asserts 'no local persistence', but the script creates directories and writes raw response JSON and text files to ../runs/med-major-disease-assess by default. While 'always' is false and the skill is not forced, the local file writes are a contradiction and increase the risk surface (sensitive outputs persisted to disk).
