Automated Soap Note Generator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a local SOAP-note drafting helper. The main cautions are that it handles sensitive clinical information and that it is granted local file and shell tools.
The skill looks purpose-aligned and not malicious based on the provided artifacts. Before installing or using it, confirm you are in an approved clinical/privacy environment, test only with de-identified data, restrict the agent to the specific transcript and output files it needs, review any shell command before it runs, and require physician review before a generated note enters a patient record.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could read or modify local files beyond the intended transcript or SOAP-note output.
The skill grants the agent local file read/write/edit access and shell execution. This is consistent with running the local SOAP generator and processing transcript files, but the tool grant itself says nothing about which paths may be touched, so users should ensure only the intended clinical input files and output paths are used.
allowed-tools: [Read, Write, Bash, Edit]
Approve only specific input and output files, avoid broad directory processing, and review any shell command before it runs.
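One way to enforce "specific input and output files only" in practice is a small gate that resolves each requested path and compares it against an explicit per-file allowlist. The following is an added illustration, not code from the skill; the paths under /clinic/work are hypothetical, and the gate is written as a Python function a user could wrap around the generator's file handling.

```python
import os

# Constructed allowlist for illustration (hypothetical paths): the one
# transcript the agent may read and the one SOAP-note file it may write.
ALLOWED_INPUTS = ["/clinic/work/transcript-0001.txt"]
ALLOWED_OUTPUTS = ["/clinic/work/soap-0001.md"]


def _canonical(path: str) -> str:
    """Resolve '.', '..' and symlinks so comparison is on the real target."""
    return os.path.realpath(os.path.abspath(path))


def is_permitted(path: str, allowlist: list[str]) -> bool:
    """True only if path resolves to exactly one allowlisted file.

    Matching whole resolved paths (rather than a directory prefix) refuses
    '/clinic/work/../../etc/passwd', a symlink planted in the work directory
    that points elsewhere, and any 'process every file in the folder' request.
    """
    target = _canonical(path)
    return any(target == _canonical(allowed) for allowed in allowlist)


def check_request(op: str, path: str) -> bool:
    """Gate for Read/Write/Edit: reads must hit an allowed input file,
    writes and edits an allowed output file. Anything else (including Bash)
    is not auto-approved and is left for human review."""
    if op == "read":
        return is_permitted(path, ALLOWED_INPUTS)
    if op in ("write", "edit"):
        return is_permitted(path, ALLOWED_OUTPUTS)
    return False
```

Because inputs and outputs are separate lists, the agent also cannot overwrite the transcript it was given, which keeps the source of truth intact for physician review.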
Installing optional dependencies manually could pull packages from a package index, depending on the user's environment.
The repository includes an unpinned requirements file, though no install spec or automatic package installation is declared. Both listed modules, dataclasses and enum, are part of the standard library in every supported Python version (3.7 and later), so nothing needs to be installed to run the skill; this is a setup/provenance note rather than evidence of unsafe behavior.
dataclasses
enum
Do not run package installation automatically; if installation is ever needed, inspect and pin dependencies first, and do not pip-install names that already exist in the standard library (the PyPI project named enum, for example, is an unrelated legacy package that shadows the standard-library module when installed).
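The check a reviewer would want for a requirements file like this one is mechanical: flag entries that name a standard-library module (pip would fetch an unrelated PyPI project under that name) and entries with no exact version pin. The following is an added example, not part of the skill; the sample requirements text is constructed from the two names the scan quotes plus one pinned third-party line for contrast.

```python
import re
import sys

# Constructed sample: the two unpinned names from the skill's requirements
# file, plus a pinned third-party entry to show the contrast.
SAMPLE_REQUIREMENTS = """\
dataclasses
enum
# a pinned third-party dependency looks like this
requests==2.31.0
"""

SPEC_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
PIN_RE = re.compile(r"==\s*[0-9]")


def audit_requirements(text: str) -> dict[str, list[str]]:
    """Classify each requirement line into one of three buckets.

    shadows_stdlib: the name is a standard-library module, so installing it
      pulls an unrelated PyPI project (and for 'enum' one that breaks the
      real module).
    unpinned: no exact '==' version, so the installed code depends on the
      index at install time.
    pinned: exact version, reproducible.
    """
    # sys.stdlib_module_names exists from Python 3.10; on older interpreters
    # fall back to the two names that appear in this report.
    stdlib = set(getattr(sys, "stdlib_module_names", ())) | {"dataclasses", "enum"}
    report: dict[str, list[str]] = {"shadows_stdlib": [], "unpinned": [], "pinned": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        match = SPEC_RE.match(line)
        if not match:
            continue
        name, spec = match.group(1), match.group(2)
        if name.lower().replace("-", "_") in stdlib:
            report["shadows_stdlib"].append(name)
        elif PIN_RE.search(spec):
            report["pinned"].append(name)
        else:
            report["unpinned"].append(name)
    return report
```

Run against the skill's file, the result is that every entry lands in shadows_stdlib and nothing needs installing; a non-empty unpinned bucket on a real dependency is the cue to pin before any install.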
Clinical details or patient identifiers could be preserved in files or downstream outputs if the user exports the full structured note.
The dictionary produced from the generated SOAPNote can include the patient identifier, the raw clinical input, and the extracted medical entities. This is purpose-aligned for clinical note drafting, but it means sensitive clinical data is retained in the generated structure and in anything exported from it.
"patient_id": self.patient_id, "raw_input": self.raw_input, "entities": [asdict(e) for e in (self.entities or [])]
Use only in an approved secure environment, de-identify test data, avoid exporting the raw input unless it is actually needed, and review outputs before placing them in patient records.
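The safer default for an export path is to omit the identifying fields unless the caller opts in, and to emit a keyed pseudonym where downstream records still need to be linked. The following is an added example, not the skill's own code: the SOAPNote, Entity and Section types are hypothetical stand-ins modeled on the fragment quoted above, and the pseudonym key is assumed to be a per-deployment secret supplied by the operator.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Section(Enum):
    SUBJECTIVE = "S"
    OBJECTIVE = "O"
    ASSESSMENT = "A"
    PLAN = "P"


@dataclass
class Entity:
    text: str
    label: str
    section: Section


@dataclass
class SOAPNote:
    patient_id: str
    raw_input: str
    entities: list = field(default_factory=list)
    sections: dict = field(default_factory=dict)

    def export(self, *, include_identifiers: bool = False,
               pseudonym_key: Optional[bytes] = None) -> dict:
        """Build the downstream dictionary without identifying fields.

        By default neither patient_id nor raw_input is emitted. If a
        per-deployment pseudonym_key is given, a keyed hash of patient_id is
        added so records can be joined without exposing the identifier itself.
        include_identifiers=True is the explicit opt-in for the full note,
        e.g. when a clinician reviews it inside the approved environment.
        """
        out = {
            "sections": dict(self.sections),
            "entities": [
                {"text": e.text, "label": e.label, "section": e.section.value}
                for e in self.entities
            ],
        }
        if pseudonym_key is not None:
            digest = hmac.new(pseudonym_key, self.patient_id.encode("utf-8"),
                              hashlib.sha256).hexdigest()
            out["patient_ref"] = digest[:16]
        if include_identifiers:
            out["patient_id"] = self.patient_id
            out["raw_input"] = self.raw_input
        return out


# Constructed sample note for illustration (no real patient data).
SAMPLE_NOTE = SOAPNote(
    patient_id="MRN-000123",
    raw_input="Pt reports intermittent chest pain x2 days.",
    entities=[Entity("chest pain", "SYMPTOM", Section.SUBJECTIVE)],
    sections={"S": "Intermittent chest pain for two days."},
)
```

The keyed hash (HMAC-SHA256) rather than a plain hash matters: an unkeyed hash of a short, structured identifier such as an MRN can be reversed by enumeration, whereas the HMAC output is useless to anyone without the operator's key.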
