Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Healthcare Chatbot Pro
v1.0.0
Automate patient support with AI-driven chatbot that answers queries, schedules appointments, and integrates with EMR/CRM systems. Use when the user needs 24...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description promises Dialogflow/Google Cloud integration plus many channels (Slack, Teams, WhatsApp, Stripe, Square, Google Calendar, etc.) but the declared required env vars only include OPENAI_API_KEY, Twilio creds, EMR_API_KEY, and CRM_API_KEY. References to Dialogflow/Google Cloud are not matched by any GCP credential requirement; many other integrations listed have no corresponding required credentials. This mismatch suggests the manifest is incomplete or inconsistent with the declared purpose.
Instruction Scope
The SKILL.md instructs the agent to read/write EMR data, log conversations for compliance, and sync with CRM/Calendars — actions that involve PHI. The instructions (as shown) do not specify where logs are stored, how PHI is protected in transit/at rest, what minimal scopes are required, or how escalation/consent is handled. The agent will be expected to access highly sensitive data but the runtime controls are vague.
Install Mechanism
There is no install spec (instruction-only), so nothing will be downloaded or written by an installer. That reduces some risk; however, because runtime instructions appear to expect running Node/Python code, missing install steps mean unspecified behavior when the agent attempts to execute integrations.
Credentials
The required env vars (OPENAI_API_KEY, TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, EMR_API_KEY, CRM_API_KEY) are relevant to the described functionality, but the overall set is both sensitive and incomplete given the many integrations listed. The manifest lacks a declared primary credential, uses generic names for EMR/CRM keys (no scopes or provider-specific details), and omits credentials for Google Cloud/Dialogflow, calendar providers, payment processors, and messaging platforms other than Twilio.
Persistence & Privilege
always:false and no install scripts are declared. The skill does not request permanent/forced inclusion. There is no evidence it modifies other skill configurations or system-wide settings.
What to consider before installing
This skill is 'suspicious' because its claims and runtime requirements don't line up and it involves highly sensitive healthcare data. Before installing:
(1) Request clarification/source code — ask the publisher to provide the actual integration code and deployment instructions.
(2) Confirm exactly which credentials and scopes are required (e.g., GCP/Dialogflow service account, specific EMR vendor OAuth scopes), and insist on least-privilege credentials and scoped service accounts.
(3) Ask where logs/conversation transcripts are stored, who can access them, and how PHI is protected at rest and in transit; require evidence of HIPAA controls and audit logging.
(4) Use short-lived or scoped tokens in a test environment first and rotate secrets after testing.
(5) Prefer an implementation with explicit install steps and auditability (not instruction-only) so you can review code that will handle PHI.
If the publisher cannot answer these, do not provide production EMR/CRM credentials or PHI to the skill.
Like a lobster shell, security has layers — review code before you run it.
latestvk97b4hqa7ytab254m6gc4a0qj583htbs
Runtime requirements
🏥 Clawdis
OS: macOS · Linux · Windows
Bins: node, python3
Env: OPENAI_API_KEY, TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, EMR_API_KEY, CRM_API_KEY
