Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Health Checkup Recommender
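v4.1.9
AI-powered health checkup recommendation service. Strictly based on the National Health Commission's "Adult Health Checkup Guidelines (2025 Edition)", BMJ, and the latest epidemiological data from the National Cancer Center, it provides personalized checkup plans backed by authoritative evidence-based medicine. Covers booking at hundreds of checkup institutions across 220 cities nationwide. QR-code booking requires the user's explicit consent.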
⭐ 1· 263·1 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, the reference JSON files (checkup_items, evidence mappings, risk tables), and scripts (verify_items, calculate_prices, generate_qr*) all align with a personalized health checkup recommendation and booking workflow. No unrelated environment variables or binaries are required and the only declared third-party domain (ihaola.com.cn) matches the booking/QR functionality.
Instruction Scope
SKILL.md explicitly instructs the agent to read local reference JSON files, run validation and pricing scripts, and (with user consent) generate/send a QR that links to ihaola.com.cn. The frontmatter and docs state scripts only send de‑identified item IDs and require explicit user consent before sending QR codes. However some implementation details (network calls inside scripts like sync_items.js) were not fully listed in the prompt; the overall behavior (outbound API calls to sync/prefill booking parameters) is consistent with the stated purpose but depends on those scripts adhering to the claimed privacy constraints.
Install Mechanism
This is effectively instruction-only for runtime, and included package.json lists only the qrcode npm dependency. There is no download-from-arbitrary-URL or complex install step in the manifest. Scripts are shipped with the skill package (no external installers observed), so install risk is low.
Credentials
The skill does not request secrets or unusual environment variables. config/api.js uses NODE_ENV (a standard non-secret var) to pick dev/prod endpoints. No API keys, tokens, config paths, or filesystem credentials are declared or required in the metadata.
Persistence & Privilege
always is false; skill is user‑invocable and can be invoked autonomously per platform default. There is no indication it writes to other skills' config or requests permanent elevated presence. The fallback/default QR behavior is local to the skill and documented.
Assessment
This skill appears coherent for recommending checkup packages and creating booking QR codes that point to ihaola.com.cn. Before installing or using it with real users, verify the following: 1) inspect scripts/sync_items.js and generate_qr_with_fallback.js to confirm they only send de‑identified item IDs (no names, phone numbers, ID numbers, or other PII) to the remote API; 2) confirm the skill will always ask explicit user consent before generating/sending any QR image (SKILL.md says it will, but validate the implementation); 3) run the included validate_skill.js / SECURITY_AUDIT.md checks locally and observe network traffic (or review code) to ensure no hidden telemetry or unexpected endpoints are contacted; 4) note that the fallback uses public default parameters (default_welfare/default_rule) — understand the user experience when API personalization fails; and 5) if you require stronger guarantees, request the author publish the full code of network-facing scripts (sync_items.js) or perform an independent code audit to ensure no PII exfiltration. Overall the package is internally consistent, but the privacy guarantees rely on the implementation of a few networked scripts — review them before trusting with sensitive user interactions.
scripts/validate_skill.js:19
Shell command execution detected (child_process).
scripts/validate_skill.js:18
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Tags: checkup, health, latest, medical, recommendation
