v1.0.0

healthcare-dev

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 12:40 PM.

Analysis

This is an instruction-only healthcare software development skill with purpose-aligned examples, but users should review any copied EHR/PHI-handling code carefully before using it.

Guidance

This skill appears safe to install as an instruction-only healthcare development aid. If you use its examples, have qualified security, clinical, legal, and compliance reviewers validate credential handling, PHI logging, encryption, audit trails, and database migration behavior before any production use.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low. Confidence: High. Status: Note.
references/examples.md
setInterval(() => { this.rotateEncryptionKey(); }, config.hipaa.keyRotationDays * 24 * 60 * 60 * 1000); ... 'UPDATE patients SET encrypted_data = $1, encryption_iv = $2, encryption_tag = $3 WHERE id = $4'

The example shows automated key rotation and database updates across patient records. This is aligned with healthcare security, but it is high-impact behavior if adopted without safeguards.

User impact: A flawed implementation of this pattern could corrupt or lock access to encrypted patient data.
Recommendation: Use this only as a conceptual pattern; add backups, staged migration, rollback, monitoring, and manual approval for production key rotations.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low. Confidence: High. Status: Note.
references/examples.md
jwtSecret: process.env.JWT_SECRET!, ... password: process.env.DB_PASSWORD, ... password: process.env.REDIS_PASSWORD

The reference EHR code uses application secrets and service credentials, which is expected for the demonstrated system but would need least-privilege handling if implemented.

User impact: If users copy the example into a real healthcare system, improperly scoped or exposed credentials could affect access to patient records or backend services.
Recommendation: Treat the credential usage as illustrative; use scoped secrets, managed key storage, environment separation, and security review before deployment.