Plugin v0.1.6
ClawScan security
左手医生 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 10:29 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely matches its medical assistant description, but it asks users to provide an API key via chat as a fallback and includes code that auto-modifies the host OpenClaw configuration (openclaw.json) — behaviors that warrant caution before installing.
- Guidance: This skill appears to be a genuine AI doctor integration, but exercise caution:
  1. Do not send your Zoe/OpenClaw API key in a public or group chat. Prefer configuring the API key in the OpenClaw admin/config UI rather than pasting it into conversations.
  2. The skill will attempt to write to your OpenClaw configuration file (openclaw.json) to enable its tools for all agents — back up openclaw.json before installing and review diffs after installation; only allow this if you (or your admin) approve global config changes.
  3. The skill stores a device_id in plugin state and will send requests to a remote backend using the provided API key; confirm you trust the vendor and review their privacy/security policy before uploading personal health data or test reports.
  4. If possible, install and test in an isolated environment or with a dedicated agent/account to limit blast radius.
  5. If you want lower risk, ask the publisher to remove the chat-API-key fallback and to require explicit admin consent for openclaw.json modifications; request documentation of exactly what the installation command does (and the backend endpoints/baseUrl it calls).
- Findings:
  - [unicode-control-chars] expected: The pre-scan flagged unicode control characters. The code contains a THOUGHT_FLUSH_MARKER constant set to U+200B (zero-width space) used to mark streaming/thought flush boundaries. That usage is plausible for a streaming assistant, but zero-width/control characters embedded in prompts can also be abused for prompt-injection, so the presence should be noted.
Review Dimensions
- Purpose & Capability (note): The name/description (AI medical Q&A, report parsing, patient records) aligns with the packaged code: the code contains backend client, patient/session management, channel adapters, and tools for consult/manage. There are no unrelated required env vars or external binaries. However, the skill requires a Zoe backend API key (stored in OpenClaw config) even though registry metadata lists no required env vars — this is implemented via host config rather than environment variables, which is reasonable but should be highlighted.
- Instruction Scope (concern): SKILL.md explicitly suggests the user can paste the Zoe API key into chat as a fallback if they cannot configure it in the OpenClaw backend. Encouraging users to send secret keys via chat is a risky instruction (exfiltration/accidental sharing risk) and is not necessary if the API key can instead be set in the host configuration. The runtime code also reads and writes local host files (openclaw.json, plugin state/device_id), and handles user uploads (reports/photos) — those actions are within the medical purpose but expand the attack surface and privacy surface (personal health data, attachments, and secrets handled via chat).
- Install Mechanism (ok): No external install/download spec is present; the package includes compiled JS files bundled with the skill. There are no URL downloads, URL shorteners, or archive extraction steps in the manifest. This is lower-risk from an installer perspective.
- Credentials (note): The skill does not request unrelated system credentials. It uses an API key (config.api_key) for the Zoe backend, which is proportionate for a service that talks to a remote medical backend. However, SKILL.md advising users to paste API keys into chat greatly increases risk of credential leakage. The code writes/reads plugin state (device id file) and host config (openclaw.json) but does not demand arbitrary system secrets — still, modifying global host config could expose or enable broader access and should be considered sensitive.
- Persistence & Privilege (concern): The code intentionally modifies the host OpenClaw configuration (ensureZoeTools writes to openclaw.json to add Zoe tools to top-level and to all agents). Modifying a global host config and adding tools to all agents is a privileged action that affects other agents' tool allowances. While this may be intended to ensure functionality, it is a broad change to the host environment and should be made transparent and authorized by the user/administrator before proceeding.
