Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mentx Doctor 医疗助手
v2.0.0 Based on the medical question raised, the skill uploads medical images and text (clinical signs, endoscopy images, X-ray, CT, MRI, ultrasound, ECG, various test reports, etc.) through the API and retrieves a professional medical decision-support report.
by Mentx.com (@dj801117)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (high confidence)
Purpose & Capability
The SKILL.md and scripts clearly require an API key (MENTX_API_KEY) to call developer.mentx.com, but the registry metadata lists no required environment variables/primary credential. That mismatch is significant: a skill described as 'instruction-only' / no envs in registry in fact needs a secret to function. Also SKILL.md claims Version 1.0.0 while registry shows 2.0.0 — metadata inconsistencies reduce trust.
Instruction Scope
Instructions stay within the stated purpose (immediate empathic reply, then asynchronously upload text/images to the Mentx API and poll for a report). However, the runtime behavior involves uploading user-supplied medical images/reports (PHI) to https://developer.mentx.com, storing responses temporarily in /tmp, and running background curl jobs. Those are coherent with the purpose but have privacy and data-handling implications that are not addressed in the skill (no explicit consent, retention, or privacy policy text included).
Install Mechanism
There is no install spec (instruction-only), which is low risk, but the repository includes an executable shell script (scripts/mentx-api.sh) that the agent will call at runtime. That means code will run on the host when invoked even though nothing is declared to be installed—this is expected but worth noting.
Credentials
The skill requires an API key (MENTX_API_KEY) to contact the external Mentx API, which is appropriate for a third‑party service. The problem is the registry metadata did not declare this required credential. Requiring a secret without declaring it is an incoherence and a user-safety concern. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It runs short-lived background tasks and writes temporary files to /tmp only. It does not modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to do what it says (send text/images to the Mentx API and return a report) but has two important red flags: (1) the registry metadata fails to declare the required MENTX_API_KEY even though SKILL.md and the scripts require it — confirm where that key comes from and whether you trust the developer and their key handling; (2) the skill uploads medical images/reports (sensitive personal health information) to an external host (developer.mentx.com). Before installing, verify the vendor/domain and their privacy/retention policy, ensure you have user consent to transmit PHI, avoid putting a long-lived production API key in global shell startup files (use limited-scope or ephemeral keys), and consider testing with non-sensitive data first. If you cannot verify the service's identity and data handling, do not provide real patient data or your primary API key.
