ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Intelligent Triage Symptom Analysis

v1.4.0

Intelligent Triage and Symptom Analysis Skill. Supports 650+ symptoms across 11 body systems. Based on ESI and Manchester Triage System with 5-level triage c...

0· 380·1 current·1 all-time
byjoe@andyxcg
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims offline/local processing and the registry lists no required env vars, yet the code includes a billing client that expects SKILLPAY_API_KEY / SKILLPAY_SKILL_ID and a billing URL; README/config use different env var names (SKILL_BILLING_API_KEY, SKILL_ID). This mismatch between declared requirements and actual code is incoherent and could cause accidental credential exposure or misconfiguration.
!
Instruction Scope
Documentation and SECURITY.md repeatedly claim 'symptom data is NEVER transmitted' and 'no persistent PHI stored', but the code provides a SymptomHistoryManager that writes assessments to ~/.openclaw/symptom_history/<user>.json and a TrialManager that writes ~/.openclaw/skill_trial/<skill>.json. The billing client makes outbound HTTP requests to skillpay.me for charging. These behaviors contradict several statements in SKILL.md/FAQ/SECURITY.md.
Install Mechanism
No install spec (instruction-only install), so nothing is automatically downloaded during install. All code is included in the package (Python scripts and a shell daemon). This lowers one class of risk (no external installer), but shipping runnable scripts (including a daemon script) still creates runtime risk if executed.
!
Credentials
The registry metadata declares no required env vars but the code references SKILLPAY_API_KEY and SKILLPAY_SKILL_ID. README and config files reference other names (SKILL_BILLING_API_KEY, SKILL_ID) and list many optional API keys (OpenAI, Anthropic, ICD11, SNOMED, PHI_ENCRYPTION_KEY). Requiring billing credentials for a triage tool is plausible, but the inconsistent naming and the number of optional keys (some unrelated to core rule‑based logic) is disproportionate and confusing — it raises risk of misconfigured secrets or accidental exposure.
!
Persistence & Privilege
Scripts persist trial state and symptom history under ~/.openclaw and include an auto-evolve daemon (auto-evolve-daemon.sh) that will repeatedly run scripts/self_evolve.py if launched. Although always:false (not force-enabled), the package contains code that writes to user home directories and a daemon script that could be executed by an operator to create a persistent background process. The security docs claim no persistent PHI, but SymptomHistoryManager contradicts that.
What to consider before installing
This package is not clearly malicious, but it contains several red flags you should address before using it with real patient data or on production systems: 1) Do not run it on machines containing PHI until you confirm what is written to disk. The code writes assessments to ~/.openclaw/symptom_history and trial data to ~/.openclaw/skill_trial — contrary to some docs that claim no medical data is stored. 2) Resolve env var inconsistencies. The code expects SKILLPAY_API_KEY and SKILLPAY_SKILL_ID, but README/config reference SKILL_BILLING_API_KEY and SKILL_ID and other optional keys. Decide which names are authoritative and only supply billing keys when you’re ready to accept networked billing calls. 3) Audit network behavior. The billing client posts to https://skillpay.me/api/v1/billing/charge. Grep the code for any other outbound network calls before allowing it on a network-connected host. Run the skill in an isolated/test environment and monitor outbound traffic. 4) Inspect/disable auto‑evolution. The repo includes auto-evolve-daemon.sh and scripts/self_evolve.py. self_evolve.py is benign as shipped, but a daemon that periodically runs an evolution script raises the potential for future self-modifying or auto-update behavior. Don't enable the daemon unless you understand its update mechanism and trust the source. 5) Confirm logging and retention. The skill writes logs and JSON files to your home directory; check file permissions, whether sensitive inputs are stored, and whether you need encryption or manual deletion policies. 6) Ask the author for clarification. The package mixes versions and promotional text, and the metadata on required env vars is missing; request clear documentation of: - authoritative env var names - exactly what is sent to the billing endpoint - what persistent files are kept and what they contain - whether any automatic update/self-evolution will fetch code from remote hosts 7) If you plan to integrate into healthcare workflows, perform a clinical and security review: run unit tests, review red-flag detection logic, and ensure compliance with applicable regulations (HIPAA/GDPR). If you want, I can extract the specific lines where env vars and file writes occur, show all places the code performs network IO, or produce a minimal patch to disable persistence and the daemon for safe local testing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bhhxh9bw9p6g0ay6eka4ebd83dwjh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments