Mentx Doctor 医疗助手 (Medical Assistant)
Warn. Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real medical-report API helper, but it can automatically send sensitive health data to Mentx and store reports in local temp files without clear consent or retention controls.
Install only if you trust Mentx with sensitive medical information. Before use, confirm each API submission/upload, avoid unnecessary personal identifiers, protect the MENTX_API_KEY, and clear /tmp/mentx-doctor if a task fails or is abandoned. Do not use this skill for emergencies; seek urgent medical care instead.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private symptoms, reports, or medical images could be sent to a third-party API as soon as the skill triggers.
The skill directs immediate submission of the user's medical description to the helper; the script then sends that request to the Mentx provider API. For sensitive health data, the lack of an explicit confirmation and retention/privacy boundary is a material data-flow concern.
After outputting emotional reassurance, **immediately** start the asynchronous task (do not wait): TASK_INFO=$(./scripts/mentx-api.sh start "user description" "user_123" "[]")
Add a clear confirmation step before each upload/API call and disclose what data is sent, where it goes, and how long it is retained.
A generated medical report may remain on disk longer than expected, especially if the task is not polled to completion.
The script stores medical API responses in a shared temporary directory and only removes them after a completed status check. It does not set restrictive permissions or an expiry/cleanup policy.
TEMP_DIR="/tmp/mentx-doctor" ... echo "$response" > "$result_file" ... rm -f "$status_file" "$result_file"
Store results in a private per-user directory with restrictive permissions, add timeouts/expiry cleanup, and avoid writing sensitive reports to shared temp paths when possible.
The skill needs a Mentx API key that may grant account-level API access and may remain in the user's shell profile.
The skill requires and documents persistent storage of a provider API key, while registry metadata declares no required env vars or primary credential. This is expected for the integration but should be disclosed accurately.
echo 'export MENTX_API_KEY="your_api_key_here"' >> ~/.bashrc
Declare MENTX_API_KEY in metadata, protect shell profile files, and rotate/revoke the key if it is exposed.
If invoked with the wrong path, a non-medical or private local file could be uploaded to the provider.
The helper can upload any local file path passed to it. This is purpose-aligned for user-selected medical images/reports, but it needs user control to avoid unintended file uploads.
upload_file() { ... -F "file=@$file_path" ... }
Only upload files the user explicitly selected, and add path/size/type checks plus a confirmation prompt for local file uploads.
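A hardened version of the helper-script pattern these findings describe, written here as an added example; it is not the skill's own scripts/mentx-api.sh and not Mentx code. One script covers the first, second and fourth findings: an explicit consent prompt before each submission, a private per-user result directory (mode 0700) that is removed on exit even when the task is abandoned, and path, size and type checks on local uploads. The 10 MiB cap, the extension allowlist, the upload root under $HOME, and send_to_mentx() (a stand-in for the real curl call so the script runs offline) are assumptions, not details taken from the skill. It avoids bash-only features so it runs under /bin/sh.

```shell
#!/bin/sh
# Added example, not the Mentx Doctor skill's own code. Assumptions (not from the
# page): a 10 MiB size cap, an allowlist of report/image types, an upload root
# under $HOME, and send_to_mentx() standing in for the real API call.
set -eu

MENTX_MAX_UPLOAD_BYTES=${MENTX_MAX_UPLOAD_BYTES:-10485760}
MENTX_UPLOAD_ROOT=${MENTX_UPLOAD_ROOT:-"$HOME/mentx-uploads"}

# Finding 1: require explicit consent before each submission. Only the literal
# "yes" continues; EOF, an empty line or anything else declines (status 1).
confirm_send() {
    what=$1; dest=$2
    printf 'About to send %s to %s. Type yes to continue: ' "$what" "$dest" >&2
    answer=""
    IFS= read -r answer || true
    [ "$answer" = "yes" ]
}

# Finding 4: accept only a regular, non-symlink file below MENTX_UPLOAD_ROOT,
# within the size cap and of an allowed type. Prints the canonical path.
validate_upload_path() {
    path=$1
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "not a regular file: $path" >&2; return 1
    fi
    [ -d "$MENTX_UPLOAD_ROOT" ] || { echo "upload root missing: $MENTX_UPLOAD_ROOT" >&2; return 1; }
    root=$(cd "$MENTX_UPLOAD_ROOT" && pwd -P)            # canonical root (follows symlinked dirs)
    real=$(cd "$(dirname "$path")" && pwd -P)/$(basename "$path")
    case "$real" in
        "$root"/*) ;;
        *) echo "refusing path outside $root: $real" >&2; return 1 ;;
    esac
    size=$(wc -c < "$real" | tr -d ' ')
    if [ "$size" -gt "$MENTX_MAX_UPLOAD_BYTES" ]; then
        echo "file too large ($size bytes)" >&2; return 1
    fi
    ext=$(printf '%s' "${real##*.}" | tr '[:upper:]' '[:lower:]')
    case "$ext" in
        pdf|jpg|jpeg|png|dcm) ;;                          # assumed allowlist
        *) echo "disallowed file type: .$ext" >&2; return 1 ;;
    esac
    printf '%s\n' "$real"
}

# Finding 2: a private per-user results directory (mode 0700) instead of the
# shared /tmp/mentx-doctor path. umask runs in the $( ) subshell, so it does
# not leak into the caller.
make_private_result_dir() {
    base=${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}
    dir=$(umask 077 && mktemp -d "$base/mentx-doctor.XXXXXX")
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Stand-in for the network call (assumption: the real helper posts the file to
# the Mentx API). It only echoes a fake response so the script runs offline.
send_to_mentx() {
    printf '{"status":"accepted","file":"%s"}\n' "$(basename "$1")"
}

# End-to-end flow: validate, confirm, then write the response only to the
# private directory, which the EXIT trap removes whether or not the task
# completes (a failed or abandoned run leaves nothing on disk).
submit_report() {
    file=$(validate_upload_path "$1") || return 1
    confirm_send "$file" "the Mentx provider API" || { echo "cancelled" >&2; return 1; }
    result_dir=$(make_private_result_dir)
    trap 'rm -rf "$result_dir"' EXIT HUP INT TERM
    send_to_mentx "$file" > "$result_dir/result.json"
    cat "$result_dir/result.json"
}
```

Usage: put the selected report under $MENTX_UPLOAD_ROOT and run `submit_report "$MENTX_UPLOAD_ROOT/report.pdf"`; anything outside that root, any symlink, oversized file or unlisted extension is rejected before the consent prompt is even shown. The key is still expected in the environment of the current session rather than appended to ~/.bashrc.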
