Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lab Result Interpretation

v1.0.0

A medical assistant tool that transforms complex biochemical laboratory test results into clear, patient-friendly explanations with safety disclaimers and se...

by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description align with the included code and reference data: the package contains a parser, reference ranges, and explanation templates appropriate for lab-result interpretation. However, SKILL.md refers to a references/test_metadata.json file that is not present in the manifest, and it mandates a strict startup runtime guard (Python 3.8+) that the script does not implement before imports as documented. These mismatches are surprising but may be due to sloppy packaging rather than malicious intent.
Instruction Scope
SKILL.md explicitly forbids diagnosing conditions and mandates conservative scope enforcement, but the included explanation templates contain statements that can be read as definitive diagnoses (e.g., 'diabetes confirmed' for severe HbA1c). That means, depending on how templates are used, the tool could produce outputs that contradict its own safety boundary. Additionally, SKILL.md documents path-traversal rejection and a runtime version guard, but the script does not visibly implement the pre-import version guard and the audit notes the guard/error handling are 'documented' but 'not confirmed in script'. Those contradictions increase the risk that the runtime behavior won't match the documented safety constraints.
Install Mechanism
This is an instruction-only skill with a packaged Python script and local JSON references — no network installs or downloads. The only install step suggested is 'pip install -r requirements.txt', but requirements.txt only lists 'dataclasses', which is unnecessary for Python >= 3.8 and suggests packaging sloppiness rather than risk. No external URLs or archives are downloaded.
Credentials
The skill requests no environment variables, credentials, or config paths. It does not appear to require system-level secrets or unrelated service tokens — access requests are proportionate to the stated purpose.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence. It is user-invocable and allows normal autonomous invocation, which is the platform default. There is no evidence it attempts to modify other skills or system settings.
Scan Findings in Context
[RUNTIME_VERSION_GUARD_MISSING] unexpected: SKILL.md requires a runtime guard that checks sys.version_info >= (3,8) before any imports, but scripts/main.py imports modules at the top of the file and does not implement the pre-import exit behavior claimed in the documentation. This is a mismatch between documented safety constraints and actual code.
[DIAGNOSTIC_LANGUAGE_IN_TEMPLATES] unexpected: The skill claims it will not diagnose conditions and includes mandatory disclaimers, yet references/explanation_templates.json contains explicit diagnostic statements (e.g., 'diabetes confirmed' in severe HbA1c template). Those templates could cause outputs that contradict the documented scope and safety instructions.
[MISSING_REFERENCE_FILE_TEST_METADATA] unexpected: SKILL.md lists references/test_metadata.json among the referenced files, but that file is not present in the manifest. Missing resource may cause fallback behaviors or errors not accounted for in documentation.
What to consider before installing
This skill appears to implement lab-value parsing and patient-friendly explanations, but there are important mismatches you should review before installing or using it:

- Templates may produce diagnostic statements: The included explanation templates contain wording that can be interpreted as a medical diagnosis (for example, 'diabetes confirmed' for severe HbA1c). SKILL.md explicitly forbids diagnosing; inspect and edit the templates to remove any definitive diagnostic language if you want to ensure the tool never makes diagnoses.
- Documentation vs. code inconsistencies: SKILL.md requires a Python 3.8+ guard to run before imports and claims certain error and path checks exist, but the script does not implement the pre-import guard, and the audit notes that some protections are 'documented' but not confirmed. Verify input-file handling (no path traversal), implement the version check as intended, and confirm the fallback and error messages.
- Missing resource: SKILL.md references test_metadata.json, but it is not in the package. Confirm how the code behaves when that resource is absent and whether its assumptions or fallback ranges are documented.
- Run offline and test with known inputs: Execute the script in an isolated environment with representative lab reports and check the outputs for unintended diagnostic wording or unexpected behavior. Confirm that critical-value outputs include the mandated urgent-care wording and that the tool always includes the disclaimer.
- Security posture: The package does not request credentials or perform network calls (no obvious exfiltration), but you should still audit any file-reading code paths (the --file option) to ensure they enforce safe path handling and do not load arbitrary system files.

If you are not able to perform these checks, do not rely on this skill for clinical decisions: treat its outputs as educational only and encourage users to consult a qualified healthcare provider.



