FHIR Questionnaire Designer
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: fhir-questionnaire
Version: 0.2.4
This skill bundle is classified as benign. The code and documentation are clearly aligned with the stated purpose of assisting in the creation of FHIR conforming questionnaire definitions using official coding APIs. All network calls are directed to known, legitimate clinical terminology servers (e.g., `clinicaltables.nlm.nih.gov`, `tx.fhir.org`, `hapi.fhir.org`), and these are explicitly listed as required in `SKILL.md`. The `SKILL.md` also contains 'CRITICAL RULES' that instruct the AI agent to 'NEVER suggest LOINC or SNOMED CT codes from memory or training data' and 'ALWAYS use the search and query scripts in this skill', which is a safety-oriented prompt to prevent the AI from hallucinating incorrect medical codes, not a malicious injection. File operations are limited to reading/writing JSON files within the skill's context or user-specified paths, and there is no evidence of data exfiltration, unauthorized execution, persistence mechanisms, or obfuscation across any of the Python scripts or the `setup.sh` script.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run included Python scripts when helping with clinical coding and questionnaire validation.
The skill directs the agent to execute local Python helper scripts for terminology lookup. This is central to the stated purpose and is clearly disclosed, but users should understand that the skill depends on local tool execution.
ALWAYS run `python scripts/search_loinc.py "search term"` FIRST
Use the skill in a normal project workspace, review generated questionnaire files before relying on them, and keep script execution limited to the documented workflows.
Terminology searches may disclose the clinical concepts being researched to third-party terminology services.
The skill discloses external terminology API calls. This is purpose-aligned, but clinical search terms or requirement text used in lookups may be sent to those external services.
Requires whitelisted network access:
- `clinicaltables.nlm.nih.gov` (LOINC search)
- `tx.fhir.org` (FHIR terminology server for LOINC answer lists and SNOMED CT search)
Avoid including patient-identifying information or confidential business details in terminology search terms unless that external use is acceptable.
Manual setup may install a newer compatible dependency version than the author used.
The skill declares a Python dependency range but the registry provides no install specification. This is not suspicious by itself, but users may need to manage dependency installation and version selection themselves.
metadata: dependencies: python>=3.8, jsonschema>=4.0.0
Prefer a pinned or project-managed Python environment if reproducibility matters, especially for clinical validation workflows.
