v1.0.1

VetClaw Bundle

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:22 AM.

Analysis

This is a coherent veterinary-clinic automation bundle, but it needs review because it stores and changes sensitive clinic records and can send user prompts to an external LLM despite broad privacy assurances.

Guidance: Review this bundle before installing in a real clinic. It appears purpose-built rather than overtly malicious, but you should enable external LLM/SMS/WeChat integrations only after confirming consent, privacy terms, credential scopes, database access controls, and human approval steps for appointments, prescriptions, medical advice, and customer outreach.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
main.py
INSERT INTO appointments ... appointment_time, status) VALUES (1, 1, '待分配', ?, ?, 'confirmed')

The visible handler creates a confirmed appointment record automatically from parsed message content, using hardcoded client and pet IDs and without visible approval or conflict validation in the cited code.

User impact: The agent could create incorrect or unauthorized clinic appointments or business records from a user message.
Recommendation: Require explicit human confirmation before committing appointments or other business-record changes, and add visible conflict checks, audit logs, and rollback/cancel flows.

Human-Agent Trust Exploitation
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
All data is stored locally or in the cloud service of your choice and is not shared with third parties.

This privacy assurance is too broad given the included external LLM configuration and code path that can send prompts to DeepSeek.

User impact: Users may believe no third-party processing occurs when some configured use cases can transmit conversation content externally.
Recommendation: Revise the privacy language to state exactly when data is local, when it is sent to LLM/SMS/WeChat providers, and what data is included.

Human-Agent Trust Exploitation
Severity: Medium; Confidence: Medium; Status: Concern
SKILL.md
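VetClaw handles only administrative and communication tasks; diagnosis and treatment decisions are always made by a licensed veterinarian.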

The same artifact advertises medical-adjacent capabilities such as lab interpretation, prescription support, emergency triage, drug interaction checks, and disease knowledge responses, so the 'only administrative' framing may understate clinical reliance risk.

User impact: Clinic staff or pet owners could over-trust outputs that relate to medical triage, lab values, prescriptions, or treatment advice.
Recommendation: Add stronger clinical guardrails: require veterinarian review before medical outputs are used, label outputs as informational, and avoid automatic medical decisions.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: Medium; Status: Note
requirements.txt
fastapi>=0.104.0
uvicorn>=0.24.0
python-dotenv>=1.0.0

The Python dependencies are version ranges rather than pinned hashes or lockfile entries; this is common but gives less reproducible supply-chain assurance.

User impact: Future installs could resolve to different dependency versions than the reviewed artifact expected.
Recommendation: Use a lockfile or pinned versions for production deployment, and install in an isolated environment.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
config/vet-config.yaml
api_key: "${DEEPSEEK_API_KEY}" ... api_key: "${SMS_API_KEY}" ... app_secret: "${WECHAT_APP_SECRET}"

The configuration template references LLM, SMS, and WeChat credentials even though registry metadata declares no required env vars or primary credential.

User impact: Installing users may not notice that useful operation can involve third-party account credentials and delegated messaging authority.
Recommendation: Declare all optional credentials in metadata and document the minimum scopes needed for each provider.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Concern
main.py
httpx.post("https://api.deepseek.com/v1/chat/completions" ... {"role": "user", "content": prompt})

The code can send raw user prompts to an external LLM provider; in this skill, prompts may contain customer contact details, pet medical information, or clinic business data.

User impact: Sensitive clinic or customer information may leave the local environment and be processed by a third-party model provider.
Recommendation: Clearly disclose external LLM use, provide a local-only mode, redact sensitive data before model calls, and document provider retention/privacy terms.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
main.py
CREATE TABLE IF NOT EXISTS clients ... pets ... medical_records ... conversations

The app persists customer, pet, medical-record, appointment, inventory, and conversation data in a local SQLite database, which is expected for this product but sensitive.

User impact: Private customer and clinic records may remain on disk and be reused by later workflows.
Recommendation: Before use, decide who can access the database, how long data is retained, how backups are protected, and how records can be corrected or deleted.