Dental Clinic Assistant

Warn

Audited by ClawScan on May 18, 2026.

Overview

The skill is a coherent dental WhatsApp assistant, but it asks for broad WhatsApp and Calendar access and can alter appointments while giving conflicting emergency medical guidance.

Before installing, verify who operates the WhatsApp platform, do not scan QR codes from an unverified provider, scope Google Calendar access to a dedicated calendar, require patient identity checks before appointment changes, and have a clinician/legal reviewer approve emergency and privacy wording.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A misconfigured or untrusted platform/service account could read or send patient messages and change the clinic calendar.

Why it was flagged

The setup asks the clinic to delegate WhatsApp messaging and Google Calendar mutation authority, but the artifacts do not clearly identify the external platform, scope, revocation process, or account boundaries.

Skill content

"Your WhatsApp Business number is connected to our platform. We provide the QR code — you scan it." ... "Share your clinic's Google Calendar with the service account email (give 'Make changes' permission)"

Recommendation

Verify the provider identity before scanning any QR code, require documented permissions and revocation steps, use a dedicated calendar/service account, and enable audit logging.

What this means

Someone with basic appointment details could potentially cancel or change another patient’s appointment.

Why it was flagged

The cancellation/rescheduling flow shows only weak appointment identification before a high-impact scheduling change, with no clear identity verification, staff approval, or rollback step.

Skill content

"Can you tell me your name and the date of your current appointment?" ... "Your appointment on {date} has been cancelled."

Recommendation

Require stronger verification, such as matching the original phone number, sending a one-time confirmation code, or routing cancellations/reschedules to staff approval.

What this means

Patients may rely on automated medical guidance that the skill itself claims it should not provide.

Why it was flagged

The README reassures users that the bot never gives medical advice, while the emergency script includes medication/first-aid guidance. That contradiction can cause unsafe over-trust.

Skill content

"It never diagnoses, never gives medical advice" ... "For pain: Over-the-counter ibuprofen can help"

Recommendation

Remove medication and clinical treatment suggestions unless reviewed and approved by licensed clinicians, and route emergency symptoms to human staff or emergency services.

What this means

Patient names, contact details, and appointment service types may be visible to anyone with access to the configured calendar or messaging system.

Why it was flagged

The skill explicitly stores identifiable appointment details in Google Calendar and uses WhatsApp reminders. This is purpose-aligned, but it involves sensitive patient-related data moving between providers.

Skill content

"Title: `{clinic_name} - {service} - {patient_name}`" and "Description: Patient phone + email"

Recommendation

Use a private dedicated calendar, minimize details in event titles, define retention/access controls, and confirm the clinic’s privacy/HIPAA obligations before use.