Firm Medtech Pack
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent instruction-only medtech orchestration bundle, with no code execution, but users should be careful with patient data, session sharing, and optional skill installs.
Before installing, confirm you actually need multi-agent medtech workflows, review any companion skills you install, and do not process real PHI unless secure mode, anonymization, export restrictions, and audit logging are configured and tested.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with real patient or clinical data, sensitive information may enter prompts, outputs, workspaces, or session context unless the user configures safeguards correctly.
The skill is intended for workflows that may involve patient identifiers or adverse event reports; the artifact asks for anonymization, but handling of PHI remains a sensitive-data concern for the user environment.
objective: "Classify and triage Q4 adverse event reports against MDR Art. 87" ... constraints: ["read-only access", "anonymize patient identifiers in output"]
Use de-identified data where possible, verify anonymization before export, and ensure secure mode and audit controls are actually enabled in the runtime environment.
Clinical or regulatory context could be shared between agents/sessions if orchestration is used without clear boundaries.
The skill declares session communication and spawning capabilities, consistent with its orchestration purpose, but these tools can move context across agents or sessions.
tools:
- sessions_send
- sessions_spawn
- sessions_history
Use only trusted orchestration skills, confirm which sessions or agents receive data, and avoid passing PHI into shared sessions unless necessary and controlled.
Installing the recommended companion skills could add new code, tools, credentials, or data flows not assessed here.
The skill recommends installing additional skills via an unpinned latest CLI command; this is user-directed and purpose-aligned, but those external skills are not part of this artifact review.
npx clawhub@latest install academic-research ... npx clawhub@latest install firm-orchestration
Review each companion skill separately and consider pinning trusted versions before using them in regulated workflows.
Users could overestimate the amount of built-in compliance protection if they do not separately configure and verify these settings.
The skill gives security/compliance setup guidance, but there is no code or install mechanism in the provided artifacts that enforces these controls.
PHI (Protected Health Information): `SECURE_PRODUCTION_MODE=true` mandatory ... Audit trail required by 21 CFR Part 11: `AUDIT_ENABLED=true`
Treat these as setup requirements, not guarantees; confirm runtime policy blocking, audit logging, and PHI controls before production use.
