Medication Reconciliation
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a purpose-aligned local medication comparison helper with no evidence of hidden exfiltration or destructive behavior, but it handles sensitive patient data and safety-critical outputs.
Before using this skill, confirm you are authorized to process the patient data, prefer de-identified inputs, inspect the included Python script because the source is unknown, and have a qualified clinician verify all medication reconciliation results.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Patient identifiers or medication details could be exposed if the user supplies identifiable files or stores reports insecurely.
The script includes patient identifiers in the generated report, confirming that the workflow may process and reproduce sensitive health information.
"patient_id": getattr(self, 'patient_id', 'Unknown'),
"patient_name": getattr(self, 'patient_name', 'Unknown')
Use de-identified data where possible, ensure authorization before processing PHI, and store any generated reports according to applicable privacy requirements.
Using the wrong paths could process the wrong patient file or write a report somewhere unintended.
The skill directs use of a local Python script with user-supplied input and output file paths. This is expected for the stated purpose, but it is still local file access that should remain user-directed.
python scripts/main.py --pre-admission pre_meds.json --inpatient orders.json --output report.json
Confirm input and output paths before running the script, and avoid letting the agent choose sensitive file locations without explicit user approval.
Users have less provenance information when deciding whether to trust the included script with patient data.
The artifacts include runnable code, but the source/provenance is not identified and there is no formal install specification. This is not suspicious by itself, but it is worth noting for a clinical-data workflow.
Source: unknown ... No install spec — this is an instruction-only skill ... Code file presence: scripts/main.py
Review the included script and prefer obtaining clinical tools from trusted, versioned sources before using them with real patient information.
If treated as authoritative, reconciliation flags could affect medication decisions without proper clinical review.
The workflow is safety-critical and could influence medication review, but the artifact clearly discloses that human clinical confirmation is required.
This tool is for reference only. Final medication decisions must be confirmed by qualified medical staff.
Use the output as a checklist for pharmacist or physician review, not as an automated prescribing or discontinuation decision.
