AI-Cardiac-Rehab
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent local cardiac-rehab web app, but users should notice that it stores sensitive health records locally and needs a SECRET_KEY setting not declared in the registry metadata.
This skill looks benign and purpose-aligned for a local cardiac-rehab web app. Before installing, understand that it stores sensitive health information on your machine, set the required SECRET_KEY even though the registry omits it, and do not rely on its exercise or medication guidance without review by a qualified clinician.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the local database file or device backups could see sensitive health information, and incorrect stored entries could affect future recommendations.
The app persistently stores sensitive cardiac health profile data and daily symptom/vital logs, which are later reused to generate advice.
CREATE TABLE IF NOT EXISTS profiles (... heart_disease TEXT, ef INTEGER, ... medications TEXT ...); CREATE TABLE IF NOT EXISTS daily_logs (... symptoms TEXT, hr INTEGER, bp_sys INTEGER, bp_dia INTEGER, exercise_min INTEGER, ... notes TEXT ...)
Use it only on a trusted device, protect or encrypt the local database, avoid entering more health data than needed, and have cardiac rehab plans reviewed by a clinician.
The app may fail to start if users follow only the registry or SKILL.md quick-start instructions.
The runtime requires a SECRET_KEY, but the registry metadata declares no required environment variables; this is an install/documentation gap rather than hidden behavior.
secret_key = os.getenv("SECRET_KEY") ... if not secret_key: ... sys.exit(1)Before running, set a strong SECRET_KEY environment variable and consider updating the skill metadata/quick start to declare it explicitly.