孕期搭子 Pregnancy Buddy

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The pregnancy assistant is coherent, but it handles sensitive medical and emotional data while quietly retaining details and potentially sending report images to Tencent Cloud OCR without clear consent or retention controls.

Use this skill carefully with pregnancy and medical details. Before uploading prenatal reports, confirm whether OCR will send the image to Tencent Cloud, and ask how to disable memory or delete stored details before using the monthly letter feature.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI06: Memory and Context Poisoning
Medium
What this means

Private pregnancy, medical, and emotional details could be retained or reused across conversations without explicit opt-in, retention limits, deletion control, or a clear summary of what is stored.

Why it was flagged

The skill directs the agent to silently retain prenatal checkup data, emotions, milestones, and daily details for later reuse in monthly baby letters.

Skill content
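"Start of month → the AI begins quietly collecting material during conversations" ... "The AI should remember this internally (used to generate the letter at the end of the month)"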
Recommendation

Make memory opt-in, show users exactly what will be remembered, store only user-approved snippets, and provide clear delete, export, and disable controls.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

A prenatal report image may leave the local or chat environment and be processed by a third-party cloud service, with no clear consent, redaction, retention, or provider privacy boundary in the skill instructions.

Why it was flagged

The OCR helper can send report image content or URLs to Tencent Cloud's OCR API.

Skill content
http_profile.endpoint = "ocr.tencentcloudapi.com" ... req.ImageBase64 = load_image_base64(args.image_base64) ... client.call_json("GeneralAccurateOCR", req._serialize())
Recommendation

Before OCR, disclose the Tencent Cloud provider, require explicit approval for uploading sensitive reports, document retention and privacy expectations, and offer a local or platform OCR alternative when available.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

OCR may fail or require extra setup not visible in the registry metadata; users may not know they need Tencent Cloud credentials.

Why it was flagged

The included helper depends on an external SDK and cloud credentials, but the registry metadata declares no required environment variables, credentials, or install spec.

Skill content
"缺少依赖 tencentcloud-sdk-python,请执行: pip install tencentcloud-sdk-python" ... "需要环境变量: TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY"
Recommendation

Declare the SDK dependency and required environment variables in metadata or install instructions, and pin dependency versions where possible.

ASI09: Human-Agent Trust Exploitation
Medium
What this means

Users may believe sensitive reports are only used transiently in the current chat, while the skill can retain pregnancy details for letters and use cloud OCR for reports.

Why it was flagged

The privacy assurance is not aligned with other instructions to silently collect personal material over time, and it also does not clearly reflect the OCR helper's third-party processing path.

Skill content
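"No privacy leaks: sensitive information such as prenatal checkup reports is used only in the current conversation" alongside "quietly collecting material"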
Recommendation

Rewrite the privacy statement to accurately describe memory and OCR data flows, and ask for consent before storing or sending sensitive information.