Skill v1.0.0

ClawScan security

智能健康管理与评估助手 (Intelligent Health Management and Assessment Assistant) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 10:43 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior broadly matches a health-assistant (calling a backend LLM) but there are coherence and privacy concerns — notably a hardcoded API key in repository docs that contradicts the stated dynamic key fetching, and the skill will send full conversation history and sensitive health data to third-party endpoints.
Guidance
This skill will collect structured personal health information and send the full conversation history and lab results to external servers (ydai.jinbaisen.com and a token host) to obtain an assessment. Before installing or using it, consider: 1) confirm who operates those endpoints and read their privacy/security policies (are they trustworthy and compliant with local health data rules?); 2) treat the repository's references/api_docs.md hardcoded API key as a potential secret leak — ask the author to remove/rotate it and explain why it exists; 3) if you will use real patients' data, ensure you have explicit consent and that sending PHI to the remote hosts is permitted; 4) prefer running assessments on a vetted/enterprise service or an on-prem model if PHI cannot leave your environment; 5) test with non-sensitive dummy data first and audit network calls made at runtime. If the author can provide a clear, trustworthy operator for the endpoints and remove the embedded key, the coherence concerns would be reduced.
Findings
[hardcoded_api_key_in_repository] unexpected: references/api_docs.md contains a plaintext API key (fastgpt-...). SKILL.md and code state the API key is dynamically fetched at runtime and not stored; the presence of a static key in the repo contradicts that claim and risks leaking credentials.
[external_token_endpoint_usage] expected: The code uses a remote token endpoint (https://jiyinjia.jinbaisen.com/!token?key=skill_jk) to fetch an API key at runtime. Fetching a key from an external host can be legitimate but means the skill will contact another third-party service before calling the LLM. The fetch is done via subprocess 'curl', which is functionally unnecessary but not malicious by itself.
[external_llm_endpoint] expected: The skill sends collected health data and conversation history to ydai.jinbaisen.com (model cyzh-cfc). Calling a remote LLM is expected for this skill, but it implies sensitive health data is transmitted off-device.

Review Dimensions

Purpose & Capability
note: Name and description claim to collect multi-dimensional health data and call a backend model for risk assessment — the code and SKILL.md do exactly that (calls a remote LLM at ydai.jinbaisen.com). Requiring network access and an API key is coherent with the stated purpose. However the repository also contains a plaintext API key in references/api_docs.md which contradicts SKILL.md's claim that the key is not stored and is dynamically fetched.
Instruction Scope
concern: The runtime instructions and code explicitly require packing and sending the entire conversation history together with collected health data (PHI) to the remote model and insist on 'complete, unmodified' passthrough. This is functionally necessary to get an LLM-based assessment but increases privacy exposure because it encourages sending all prior context (may include unrelated sensitive content). The SKILL.md discipline of 'do not summarize or redact' amplifies exfiltration risk of sensitive user data.
Install Mechanism
ok: This is an instruction-only skill with one code file; there is no install spec and nothing is downloaded at install time. That minimizes install-time code-execution risk.
Credentials
concern: The skill declares no required env vars or credentials, but: 1) scripts fetch an API key at runtime from https://jiyinjia.jinbaisen.com/!token?key=skill_jk using a subprocess 'curl' call; and 2) references/api_docs.md contains a hardcoded API key (fastgpt-...) and explicit API host info. The hardcoded key in repo contradicts the stated dynamic-fetch behavior and is a potential secret leak. Also, the skill will transmit protected health information to third-party hosts (ydai.jinbaisen.com and the token host), which is a proportionality/privacy concern that users must evaluate.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated agent privileges. It does not modify other skills' configs. Autonomous invocation is allowed (platform default) but not combined with other privilege escalations here.