Ehr Semantic Compressor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears mostly local and purpose-aligned, but it overstates its clinical AI capability and has an unexpected install dependency that users should review before using it with patient records.
Review the dependency files before installing and do not rely on the advertised Transformer/fine-tuned clinical accuracy claims without validation. If you use it, run it only in a secure local environment, protect or delete generated PHI-containing summaries, and have clinical staff verify the output.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe the tool provides clinically robust AI summarization when the provided code appears much simpler, increasing the chance of missed or misleading clinical details.
The visible implementation describes heuristic sentence scoring and keyword extraction, which conflicts with SKILL.md claims of a Transformer-based, fine-tuned clinical model that 'Maintains completeness of medical information.' In a clinical context, that mismatch could cause users to overtrust the summaries.
Generate extractive summary using frequency-based sentence scoring
Reword the skill to accurately describe the implemented heuristic approach, remove unsupported fine-tuning/completeness claims, and require clinician review of all outputs.
Following the setup instructions could install an unexpected third-party package instead of the intended clinical summarization dependencies.
SKILL.md instructs users to run 'pip install -r requirements.txt', but the root requirements file contains only the generic unpinned package name 'main', which is not aligned with the documented dependencies in references/requirements.txt.
main
Remove the unexpected 'main' dependency, align the install instructions with the actual dependency file, and pin or otherwise verify all required packages.
The tool can read selected EHR files and create summary files in the local environment.
The skill documents local command execution that reads an input file and writes an output file. This is expected for a local summarization script, but users should notice that the agent may be asked to process files on disk.
python scripts/main.py --input ehr_document.txt --output summary.json
Run it only on intended files and verify output paths before execution, especially in shared workspaces.
Patient information may persist in generated summary files after the task is complete.
The skill is designed to process EHR content and save summaries locally. This is purpose-aligned, but the output can contain PHI or other sensitive clinical details.
Category: Data Exposure | Evidence: Output files saved to workspace | Severity: Low
Use an approved secure workspace, de-identify input when appropriate, and delete or protect generated summaries according to your PHI handling policy.
