AI-Cardiac-Rehab
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: ai-cardiac-rehab
Version: 1.0.2
The skill bundle provides a legitimate local web application for cardiac rehabilitation management based on ACC/AHA guidelines. The code (app.py) implements standard security practices including PBKDF2 password hashing, parameterized SQL queries to prevent injection, and session security configurations. It features a hardcoded safety engine that provides medical risk stratification and exercise advice based on user-provided clinical data (e.g., EF values and symptoms) stored in a local SQLite database. No evidence of data exfiltration, malicious command execution, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the local database file or device backups could see sensitive health information, and incorrect stored entries could affect future recommendations.
The app persistently stores sensitive cardiac health profile data and daily symptom/vital logs, which are later reused to generate advice.
CREATE TABLE IF NOT EXISTS profiles (... heart_disease TEXT, ef INTEGER, ... medications TEXT ...);
CREATE TABLE IF NOT EXISTS daily_logs (... symptoms TEXT, hr INTEGER, bp_sys INTEGER, bp_dia INTEGER, exercise_min INTEGER, ... notes TEXT ...)
Use it only on a trusted device, protect or encrypt the local database, avoid entering more health data than needed, and have cardiac rehab plans reviewed by a clinician.
The app may fail to start if users follow only the registry or SKILL.md quick-start instructions.
The runtime requires a SECRET_KEY, but the registry metadata declares no required environment variables; this is an install/documentation gap rather than hidden behavior.
secret_key = os.getenv("SECRET_KEY") ... if not secret_key: ... sys.exit(1)
Before running, set a strong SECRET_KEY environment variable and consider updating the skill metadata/quick start to declare it explicitly.
