Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
FHE-as-a-Service
v1.1.0Compute 165 clinical scores on fully homomorphic encrypted data with 128-bit security, ensuring patient data privacy during computation.
⭐ 0· 54·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description claim Fully Homomorphic Encryption (FHE) computation over ciphertext to preserve patient privacy. However, the SKILL.md provides no instructions, keys, or libraries for encrypting data client-side; the example compute calls POST plaintext numeric arrays to the API. This contradicts the stated purpose: a true FHE service must provide public-key material and client-side encryption steps or an SDK. The advertised compliance/HIPAA claims and 128-bit TFHE statement are unverifiable from the provided materials.
Instruction Scope
Instructions tell the agent to register and then POST JSON 'values' (cleartext) to /compute endpoints. They do not instruct the agent to generate ciphertext, to fetch a public key, or to use any client-side FHE library. That grants the agent permission to send plaintext clinical data to an external service despite the privacy claim. Payment instructions (on-chain USDC + X-Payment header) and public payment address are included, which is unusual for an API but not inherently invalid; however, the absence of encryption steps is the key scope problem.
Install Mechanism
Instruction-only skill with no install spec and no files beyond SKILL.md. No downloads or extracted code — lowers installation risk. However, lack of code also prevents verification of cryptographic behavior.
Credentials
The skill requests no environment variables, credentials, or config-path access, which is proportional. The API uses an api_key obtained via registration; that is reasonable. Note: the documentation requires on-chain USDC payments to a published address and an X-Payment header for paid usage — this is an unusual billing mechanism for an API and may have legal/accounting implications but is not an environment/credential leak.
Persistence & Privilege
The skill is not forced-always, has normal invocation settings, and does not request persistent agent-level privileges. No indication it would modify other skills or agent configuration.
What to consider before installing
Do not send real patient data to this service until the FHE claims are verified. Specifically ask the provider for: (1) an explicit description of the encryption workflow (how to obtain the service's public key), (2) client-side SDK or example showing how to produce the ciphertext the API expects, (3) a published cryptographic specification and independent audit for the TFHE implementation, and (4) legal/contractual proof of HIPAA/GDPR compliance and data handling policies. If they cannot provide a public key and client-side encryption examples, treat the service as requiring plaintext PHI and avoid using it. Test with non-sensitive dummy data and prefer vendors with verifiable code/repos and audits before processing any real clinical data. Also consider whether on-chain payment to the provided address is acceptable for your organization and document any required invoices/receipts.Like a lobster shell, security has layers — review code before you run it.
latestvk970e7y55djpc1pp831myek1yh83c34z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.