Wellally Health Skills
AdvisoryAudited by Static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses these instructions too broadly, it could create or replace slash commands and skills that continue affecting future Claude sessions beyond the current task.
The skill documentation covers persistent locations that can change Claude behavior across all projects or an organization, and precedence rules that can override existing commands.
Personal `~/.claude/skills/<skill-name>/SKILL.md` | All your projects ... Enterprise ... All users in your organization ... if a skill and a command share the same name, the skill takes precedence.
Only allow this skill to create or modify skills after explicit user approval, prefer project-scoped paths, review diffs before saving, and avoid personal or enterprise-wide locations unless intentionally requested.
The agent may be guided to write files or rely on scripts in Claude skill directories, which can alter how Claude behaves later.
The instructions document filesystem changes and executable helper scripts as part of skill creation; this is purpose-aligned for skill authoring but high-impact without clear approval boundaries.
mkdir -p ~/.claude/skills/explain-code ... Create `~/.claude/skills/explain-code/SKILL.md` ... `scripts/validate.sh` # Script Claude can execute
Require confirmation before any filesystem write or script execution, show the target path and content, and restrict writes to a user-approved project directory by default.
The agent may fetch and follow updated external documentation, so behavior could depend on remote content at use time.
The skill asks the agent to use remote documentation as context; this is coherent for a documentation/skill-authoring workflow, but it is an external, changeable source not declared in the requirements.
Fetch the complete documentation index at: https://code.claude.com/docs/llms.txt
Fetch remote documentation only when the user expects it, verify the domain, and avoid treating remote text as permission to make persistent local changes.
Sensitive health information could be stored and reused locally for analyses or reports for a long time, and may be exposed to anyone or any agent process with access to the skill files.
The configuration indicates persistent use of sensitive health and medical-history data, with year-long retention, no anonymization, and no consent requirement, even though storage is marked local-only.
"user_factors": ["age", "gender", "bmi", "activity_level", "health_goals", "dietary_preferences", "medical_history"] ... "sources": ["data/profile.json", "data/medical_records/**/*.json"] ... "retention_days": 365, "user_consent_required": false, "anonymization": false
Use this only in a trusted workspace, confirm before saving health data, minimize stored fields, define a cleanup process, and review local data files before sharing or syncing the project.