Skill v1.0.0
ClawScan security
ecg-diagnosis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 10, 2026, 1:56 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what its name says (runs a local script to upload ECG images to a web-based ECG/AI service and write results), but it contains behaviors that are not disclosed in the description or SKILL.md (third-party network upload of possibly sensitive images, a stealth browser library, and local persistent browser profile creation) and lacks dependency/install clarity.
- Guidance: This skill will run a bundled Python script that opens a browser, uploads your image files to https://www.xin-gou.com/chat/, and saves diagnosis results into an Excel file in the same folder; it also creates a .web_profile browser profile. Before installing or running: (1) Confirm you trust the remote site (xin-gou.com) and its privacy/medical-data policies — this will send the actual ECG image files off your machine. (2) If images contain personal health information, do not run on real patient data unless you have explicit consent and the service meets legal/regulatory requirements. (3) Consider running in an isolated VM or sandbox, and inspect or run the script on test/dummy images first. (4) Be aware the script uses 'playwright_stealth' (attempts to evade automation detection) — ask why evasion is necessary. (5) Ensure required Python dependencies (playwright, playwright_stealth, pandas) are installed from trusted sources and that Playwright's browser runtime is installed. (6) Ask the author for: a) explicit disclosure that images are uploaded to the third-party site, b) dependency/install instructions, and c) confirmation why stealth/evasion is used and whether a headless/safe mode exists.
Review Dimensions
- Purpose & Capability (note): The name/description (visual ECG assistant that enforces a filename audit and runs a local script) aligns with the included script, which automates a web UI to upload images and extract a diagnosis. However, the description and SKILL.md do not explicitly disclose that images will be uploaded to an external web service (https://www.xin-gou.com/chat/) nor that a persistent browser profile will be created in the user's folder. The use of a stealth library to evade automation detection is disproportionate for a typical benign helper and is not explained.
- Instruction Scope (concern): SKILL.md instructs the agent to enforce the filename format and then call the local script. The script proceeds to open a remote web page, upload user images, extract chat content, and save results. The runtime instructions do not explicitly warn about network upload of images (potentially containing personal health information) to a third-party domain. SKILL.md requires strict filename auditing, but that auditing is weaker in the script, and the script will run regardless when invoked directly.
- Install Mechanism (note): No install spec is provided (instruction-only), but the bundled Python script depends on non-trivial packages (playwright, playwright_stealth, pandas). Running the script will therefore require installing heavy runtime dependencies not documented in the skill. The lack of install instructions increases risk and friction; the script also launches a real browser via Playwright, which may prompt additional system installs.
- Credentials (ok): The skill requests no environment variables or credentials, which is proportional. However, it does access local filesystem paths (the user-provided folder) and will create .web_profile and an Excel results file there. It will also transmit image files to an external service — sensitive data handling is the main proportionality concern despite the lack of credential requests.
- Persistence & Privilege (note): The skill is not always-on and is user-invocable. The script writes a persistent Playwright profile directory (.web_profile) into the target folder and writes/updates an Excel file in that folder. This is expected for a local automation tool but should be disclosed and considered by users. There is no evidence the skill modifies other skills or global agent configuration.
