Compliance Posture Intake
Review
Audited by ClawScan on May 1, 2026.
Overview
This is an instruction-only HIPAA compliance intake skill with purpose-aligned document review and report-writing behavior, but users should be careful about which compliance documents they share and whether optional external Rote/MCP tools are used.
This skill appears coherent for a HIPAA compliance intake. Before installing or using it, decide which documents you are comfortable sharing, avoid providing unnecessary PHI or confidential records, and confirm whether analysis will stay inline or be sent through optional Rote, MCP, or API integrations.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked in an environment with file access, the agent may be able to inspect compliance documents and create report files.
The skill can read/search local files, perform web lookups, and write an output report. These tools are consistent with document analysis and report generation, but they should be used only on user-intended compliance materials.
allowed-tools: Read, Glob, Grep, WebFetch, WebSearch, Write
Only provide or authorize access to the specific documents you want reviewed, and review the generated report before sharing it.
Sensitive compliance materials could be processed by an external tool or agent integration if that optional path is used.
The skill discloses optional use of external/tool-mediated analysis through Rote tooling, MCP, or direct API integration. This is purpose-aligned, but compliance documents may contain sensitive business or health-data context, so users should understand where those documents are processed.
Compatible with any agent context that has access to the rote-compliance-toolkit tools — via Claude Code plugin, Rote MCP server, or direct API integration ... you may optionally chain those tools for document analysis
Before using optional Rote/MCP/API integrations, confirm what data will be sent, who operates the tool, and any retention or privacy terms.
