Skill v1.4.0

ClawScan security

Drug Safety Review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 22, 2026, 1:54 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches its stated purpose (local drug-safety checks with optional billing) but contains multiple inconsistencies and privacy/operational surprises (undocumented environment variables, contradictory security claims, and an auto-evolution daemon) that merit review before installation.
Guidance
Key points to review before installing or running:
- Audit the shipped code locally before running. The repository includes executable Python scripts that will run on your machine; do not run them without inspection.
- Environment variable mismatch: The registry declared no required env vars, but scripts expect SKILLPAY_API_KEY / SKILLPAY_SKILL_ID (and README shows other variable names). Confirm which variables the code actually reads and set only the billing keys you trust. Remove or sandbox any API keys you don't want to expose.
- Privacy claims vs reality: The FAQ/SECURITY.md claim IDs are hashed and medication data never transmitted. In reality the TrialManager stores per-user trial data in ~/.openclaw/skill_trial/<skill>.json under the user_id key (not hashed), and billing requests include user_id to skillpay.me. If you will run with real patient data, avoid passing identifiable user_id values and prefer demo mode for testing.
- Billing endpoint verification: The code posts to https://skillpay.me/api/v1/billing. If you intend to use paid mode, verify this endpoint and the billing provider independently. Consider isolating network access (e.g., run in a VM) until you're comfortable.
- Auto-evolution daemon: There is a script that will call scripts/self_evolve.py in a loop. Do not run auto-evolve-daemon.sh unless you understand and accept that it may execute local code repeatedly; confirm that self_evolve.py cannot modify code or fetch remote updates.
- Run demo/offline first: Use python scripts/safety_review.py --demo to validate outputs without contacting billing or writing trial metadata.
- If you need to use the skill in production with PHI: require a security review, run the skill in an isolated environment, ensure the trial file does not contain identifiers, and consider patching TrialManager to hash user IDs and/or disable trial persistence.
If anything is unclear or you want, provide the exact files you plan to run and I can point to the specific lines that read env vars, perform network calls, and write files.

Review Dimensions

Purpose & Capability
Rating: concern
The skill's stated purpose (medication safety review) aligns with the included code (local drug DB, interaction checks, demo mode). However the registry metadata claimed "no required env vars / credentials" while the code expects billing credentials (SKILLPAY_API_KEY / SKILLPAY_SKILL_ID) and the README lists additional billing/config variables; this mismatch is a red flag. Billing-related credentials are plausible for the described SkillPay billing, but the metadata omission is inconsistent and could surprise operators.
Instruction Scope
Rating: concern
SKILL.md/instructions mostly limit runtime behavior to local processing or calling a billing endpoint. But there are contradictions: documentation repeatedly asserts "no medication data is ever stored or transmitted" and "all analysis happens locally", while the code writes per-user trial files to ~/.openclaw/skill_trial/<skill>.json and sends user_id (and billing data) to skillpay.me when charging. FAQ claims user IDs are hashed; TrialManager stores user_id keys directly. The instructions also include marketing/promotional content and an EVM donation address, which are unrelated to runtime function.
Install Mechanism
Rating: ok
No install spec / downloads are present; code is included in the skill bundle and uses only Python standard library networking. There are no external downloads or extracted archives in the manifest. This is lower install risk but means the shipped scripts should be audited before execution.
Credentials
Rating: concern
The registry reported no required env vars, yet scripts use SKILLPAY_API_KEY and SKILLPAY_SKILL_ID; README also references similarly named but different variables (SKILL_BILLING_API_KEY, SKILL_ID) and many optional API keys (FDA_API_KEY, DRUGBANK_API_KEY, OPENAI_API_KEY, PHI_ENCRYPTION_KEY). Billing keys are proportionate to the billing feature, but the inconsistent names and many optional keys (some not used in the code) are confusing and risk misconfiguration. The skill also claims PHI is never transmitted, yet trial metadata (user_id) and billing requests include user identifiers; users should verify what is sent to the billing endpoint.
Persistence & Privilege
Rating: note
The skill does not request forced persistent inclusion (always: false) and does not modify other skills. It does write a local trial file under ~/.openclaw/skill_trial and includes an auto-evolve daemon script (auto-evolve-daemon.sh) that, if started, will periodically run scripts/self_evolve.py. The self-evolution code is presently benign/placeholder, but the presence of an auto-evolution mechanism is a potential persistence/privilege escalation vector if used to mutate behavior; treat it as a caution rather than proven maliciousness.