Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Digital Twin Patient Builder
v0.1.0Build digital twin patient models to test drug efficacy and toxicity in virtual environments
⭐ 0· 104·0 current·0 all-time
byAIpoch@aipoch-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description promise: build digital-twin patients and simulate drug response — matched by the included Python implementation. However SKILL.md and metadata label the skill as 'Hybrid (Tool/Script + Network/API)' and list 'Network Access: External API calls' as a high risk, yet the code and manifest declare no network libraries, no endpoints, and no required credentials. This mismatch (claimed network/API behavior without any declared endpoints or env vars) is an incoherence that deserves review.
Instruction Scope
Runtime instructions are concrete: run scripts/main.py with patient and drug JSON inputs or call the Python API. Those instructions align with the stated purpose (reading patient JSON, running local simulations). The SKILL.md also includes broad security checklist items (HTTPS, sandboxing, input validation) but does not specify how those protections are implemented; the instructions do not direct any external transmission of data.
Install Mechanism
No install spec is provided (instruction-only with bundled code). That keeps risk lower because nothing is downloaded at install time. The package includes requirements.txt (only basic/stdlib-like entries and numpy), and no external installers or arbitrary URLs are used.
Credentials
The skill requests no environment variables or credentials, which is proportionate to a purely local simulator. However the skill processes highly sensitive health/genomic data (patient genotype, labs, imaging). The package provides no explicit privacy/HIPAA controls, no logging policy, and no data encryption or storage guidance — a privacy concern even though no credentials are requested.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and uses normal agent invocation flags. It does not declare modifications to other skills or system-wide settings. No persistence/privilege escalation indicators present in the manifest.
What to consider before installing
This skill contains a local Python implementation for building and simulating digital-twin patients and does not declare any external network endpoints or credentials — but the documentation claims network/API behavior that the code does not show. Before installing or running: 1) Do a manual code review of scripts/main.py (and any truncated parts) to confirm there are no hidden network calls, subprocess.exec usage, or hardcoded endpoints. 2) Don't run with real patient data until you confirm storage, logging, and export behaviors and that data is handled per your privacy requirements (e.g., HIPAA). 3) Fix/verify code quality issues (I found at least one bug: calculate_toxicity_risk builds 'risks' but returns 'ris'). 4) Run the code in an isolated sandbox (no network access) for initial testing. 5) If you expect the skill to call external APIs, require the developer to document endpoints, auth, and TLS usage and to declare required env vars; otherwise treat the network/API claim as a documentation inconsistency. If you are not comfortable reviewing code, avoid installing this skill or ask the publisher for audited sources and a clear threat/privacy statement.Like a lobster shell, security has layers — review code before you run it.
latestvk9737w5ypeevgnzc82vwsk6fs9837fz5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.