Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Family Health Tracker
v1.0.0
Track medications, allergies, doctor visits, immunizations, insurance, prescriptions, and health records for your whole family. Smart reminders for checkups,...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the declared behavior: it stores family health records locally in a JSON file and provides reminders and summaries. It does not request unrelated credentials or binaries. However, the skill assumes the runtime will keep the skill data directory local and private; that assumption is not enforced or qualified in the instructions.
Instruction Scope
SKILL.md instructs the agent to always load and write health-data.json and to merge updates. It does not instruct how or whether to avoid sending that file's contents to remote LLMs/APIs. The trigger guidance ('Use when anyone mentions...') is broad and could cause the agent to read or surface sensitive records more often than users expect. There are explicit rules about not storing SSNs and full policy numbers, which is good, but no technical controls to prevent data leaving the agent's process/context.
Install Mechanism
Instruction-only skill with no install steps, no external downloads, and no code files — low install risk.
Credentials
No environment variables, credentials, or config paths are requested; the scope of access (a single local JSON file in the skill data directory) is proportionate to the described functionality.
Persistence & Privilege
Does not request always:true and is user-invocable. However, by default the agent may be invoked autonomously; that means the agent could read/write the local health record without an explicit user prompt if triggered. Consider restricting autonomous invocation or requiring confirmation before reading/writing sensitive records.
What to consider before installing
This skill appears to do what it says (local family health records) and doesn't request extraneous credentials, but there is a key privacy gap you should consider before installing: the SKILL.md assumes data will stay on your device, but it does not address whether the agent's model invocations are local. If your agent uses a cloud-hosted LLM or any remote API, the prompt/context (including health-data.json contents) may be sent off-device even though the skill intends local-only storage. Before installing:
1) Verify where the LLM runs (local vs. cloud). If cloud-hosted, do not store highly sensitive items (SSNs, full policy numbers, bank info) and assume data may be transmitted.
2) Confirm the platform's skill data directory is stored privately (encrypted at rest/backups) and restrict file permissions.
3) Consider disabling autonomous invocation or adding a user-confirmation step before the skill reads or writes health-data.json.
4) Test with dummy data to ensure the agent's behavior matches your privacy expectations (it should only read/write the skill's data file and not call external endpoints).
5) If you need stronger guarantees for Protected Health Information, prefer a fully local deployment or a solution with explicit on-device-only model execution and documented non-transmission guarantees.
Like a lobster shell, security has layers — review code before you run it.
Tags: allergies, health, immunizations, latest, medical records, medications
Runtime requirements
🏥 Clawdis
