Baa Review
v0.1.0
Clause-by-clause BAA analysis against 45 CFR 164.504(e)(2). Evaluates all 9 required HIPAA provisions with risk scoring and recommended contract language for...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Benign (high confidence)
Purpose & Capability
Name and description (BAA clause-by-clause HIPAA review) align with the SKILL.md methodology and the allowed tools (Read, Glob, Grep, WebFetch). The skill does not request unrelated binaries, environment variables, or config paths.
Instruction Scope
The SKILL.md is narrowly scoped to reading a provided BAA and evaluating the nine regulatory provisions with a defined rubric and JSON output format. It allows file-reading and basic file-globbing/grepping and WebFetch; those tools are consistent with parsing an uploaded contract and consulting public guidance, but they also mean the agent can read files and fetch external resources if invoked — users should avoid submitting unnecessary PHI or confidential materials unless they intend the review.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing will be downloaded or written to disk by the skill itself during install.
Credentials
No environment variables, credentials, or config paths are required. The lack of requested secrets is proportionate to the described purpose.
Persistence & Privilege
always is false (not force-included). disable-model-invocation is false (normal autonomous invocation allowed). The skill does not request persistent or elevated system privileges.
Assessment
This skill looks internally consistent for reviewing BAAs. Things to consider before installing or using it:
(1) Provenance: the package has no homepage and an unknown owner — if you require legal or compliance assurance, prefer a vetted source or an identifiable author.
(2) Data sensitivity: the skill's allowed tools include file read and web fetch — do not paste or attach live Protected Health Information (PHI) unless you are comfortable sharing it for review; redact PHI where possible.
(3) Legal limits: the output is guidance generated from the provided text and rubric, not a substitute for direct advice from a licensed attorney; consider having qualified counsel review any remediation language before adoption.
(4) If the skill fetches external guidance (WebFetch), ensure it only accesses trusted public sources.
Overall the skill is coherent with its stated purpose, but verify origin and avoid submitting unnecessary PHI.
latest: vk97f1mk8e17a7j24t0wg36p3ad82bbke
