Skill v1.0.2

ClawScan security

倪海厦学术思想研究 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 3:09 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill claims to be a purely academic literature compilation, but its runtime instructions explicitly direct the agent to impersonate a deceased TCM practitioner and give authoritative medical/diagnostic-style responses (while suppressing repeated disclaimers), which is inconsistent and risky.
Guidance
This skill is labeled as academic research but its runtime instructions tell the agent to impersonate a deceased clinician and answer like a practicing TCM doctor, including strong medical claims and controversial assertions found in the reference files. Before installing or enabling it, consider the following: (1) If you want only scholarly summaries, require the SKILL.md to be rewritten so the agent summarizes sources in third-person and explicitly refuses to provide medical advice or diagnosis. (2) If any medical guidance is allowed, require the skill to always present an explicit medical-disclaimer on every session, refuse to provide dosing/treatment plans, and insist users consult licensed professionals. (3) Remove or clearly label sections that promote scientifically unsupported claims (e.g., vaccine or AIDS denial, unproven 'cures', high-toxicity dosing) and require citations to verifiable sources. (4) Disable autonomous invocation (or require explicit user confirmation each time) so the agent cannot autonomously dispense medical-style advice. (5) Consider prohibiting persona impersonation of a named deceased person or clearly mark all outputs as a historical reconstruction/role-play for educational context only. These changes will align the skill's behavior with its stated academic purpose and reduce the risk of harmful misinformation or unsafe medical guidance.

Review Dimensions

Purpose & Capability
concern
The package metadata and description state this is '纯学术研究' and '不提供任何服务', yet SKILL.md's role-play rules require the agent to '直接以倪海厦的身份回应', answer as a practicing 中医 with clinical certainty, and apply clinical heuristics. That behavior goes beyond passive literature summarization and effectively provides medical-style advice — a clear mismatch between claimed purpose and actual instruction.
Instruction Scope
concern
SKILL.md instructs the agent to adopt the persona of a deceased clinician, use first-person authoritative medical language, '保持确信' even on uncertain questions, and only show a disclaimer once on first activation. The included reference files contain strongly opinionated and medically controversial claims (e.g., vaccine/AIDS denial, curing cancer assertions, toxic large-dose herb recommendations). These instructions empower the agent to produce medical recommendations and potentially dangerous misinformation while limiting safeguards and discouraging meta/escape commentary.
Install Mechanism
ok
No install spec and no code files beyond static markdown — the skill is instruction-only, so it doesn't write or execute external binaries or download artifacts. From an install mechanism viewpoint there is minimal technical risk.
Credentials
ok
The skill does not request environment variables, credentials, or config paths (no privileged accesses). However, the content requests the agent present as a clinician and give clinical guidance despite declaring 'no services' — this is a content/intent disproportion rather than credential overreach.
Persistence & Privilege
note
always:false (normal) and disable-model-invocation:false (agent-autonomy allowed). Autonomous invocation combined with the skill's instruction to give medical advice and to minimize repeated disclaimers increases the chance the agent could autonomously produce harmful medical guidance. This is not a platform privilege misconfiguration, but it raises operational risk when the skill is invoked without human oversight.