Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Salubrista HaH
v1.0.1Use this skill when the user needs analysis, design, implementation, evaluation, dashboards, decision scenarios, or normative guidance for integrated hospita...
⭐ 0· 52·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill name, description and the bundled reference files are coherent with an integrated-hospitalization / Hospital-at-Home (HaH) copilot: the corpus and agent files are directly relevant to the stated purpose. However, some embedded operational instructions (see AGENTS.md) include a hard-coded Authorization: Bearer token and explicit webhook examples to call other agents; those credentials and network-call examples are not explained or declared as required, which is unexpected for a documentation-only skill and not clearly justified by the stated purpose.
Instruction Scope
SKILL.md instructs the agent to read bundled reference files (expected). But some included files (references/agent/AGENTS.md and TOOLS.md) instruct using web_fetch-like hooks to post to internal agent gateways (http://{gateway_host}:{port}/hooks/agent) including a literal Bearer token. The config.json does not expose web_fetch as an allowed tool and does not declare that token as a required credential. The skill thus contains instructions that would cause network calls and credential use that are not declared in the SKILL.md output contract, creating an instruction-scope mismatch and potential exfiltration or unauthorized internal API usage.
Install Mechanism
No install spec and no code files—this is instruction-only. That reduces the risk of arbitrary code being written/executed on the host. There is nothing being downloaded or extracted by the skill itself.
Credentials
The skill declares no required environment variables or credentials, yet AGENTS.md contains a hard-coded Authorization: Bearer token and shows POST examples to internal gateways. Embedding an auth token in documentation without declaring it or explaining its purpose is disproportionate and risky: it suggests a secret could be used by the agent even though the skill did not request or justify such access. There are also references to filesystem paths (/home/node/knowledge/..., /home/node/shared/) that differ from the skill-local references/ paths, which creates ambiguity about what external resources the skill expects to read.
Persistence & Privilege
always:false and user-invocable:true (normal). config.json runtime_capabilities explicitly denies code_execution, workspace_write and agent_deploy (good). However config.json includes sandbox.mode = 'permissive' which may broaden allowed runtime behaviors on some platforms; this is not justified in SKILL.md and is worth verifying with the operator. The skill does reference a federation and shared directories, meaning it expects cross-agent interaction, but it does not declare the required network permissions or credentials.
What to consider before installing
This skill appears to be a coherent HaH/hospitalization copilot that bundles a large corpus of policy and agent workflow files, which is appropriate for its stated purpose. However: 1) one of the bundled docs (references/agent/AGENTS.md) contains an explicit Authorization: Bearer <token> and example webhooks to other agent gateways — that looks like a secret and a network-calling instruction embedded in the corpus and is not declared anywhere else; 2) the instructions reference a web_fetch-style call that is not listed among allowed tools in config.json (mismatch); 3) file path mappings in TOOLS.md point to /home/node/knowledge/..., whereas SKILL.md/manifest present files under references/ — clarify whether the corpus is platform-mounted or being read from the skill bundle. Before installing or enabling this skill you should: - Ask the publisher to remove any hard-coded credentials from bundled documentation (or explain why the token is safe and necessary). - Confirm which runtime tools the agent is allowed to use (can it make HTTP POSTs/webhooks?) and whether web_fetch is actually available. - Verify the meaning and safety implications of sandbox.mode = 'permissive' on your platform. - If the skill must call other internal agents, request that those credentials be supplied via properly-scoped environment variables or an operator-controlled secret store (not embedded in docs) and that the skill declare them in requires.env. - Consider running the skill in a constrained environment or with network access disabled until the above are resolved. If you want, I can produce a short checklist of questions to send to the skill author or sample text requesting removal of embedded secrets and clarification of expected network behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk971h6r29t5mga630wkxysvdm583ndd7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.