Health Checkup Recommender
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is mostly aligned with health checkup recommendations, but its documents conflict about whether health/customer information may be shared with third-party or human-support systems.
Before installing, be aware that this skill collects health-related details and may contact ihaola services to create booking codes. Do not share your name, phone number, ID number, or detailed medical history unless you intentionally want a booking or human-support handoff, and ask for explicit confirmation of exactly what will be sent.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your health-related context or customer profile could be shared outside the chat for human support.
The quoted passage describes transferring a customer profile and an AI summary to another service or human-support system. For a health-related skill, that can include sensitive user context, and the artifacts do not clearly bound which fields are sent, how consent is obtained, how long data is retained, or whether the destination is trusted.
The AI hands off seamlessly to an ocean-desk human agent via the ocean-thread/v1 protocol, together with the complete customer profile and AI recommendation summary
Use the human handoff only after explicit opt-in, and ask what exact fields will be sent, where they go, and how long they are retained.
Users may misunderstand what personal or health-related data can leave the chat.
This strong privacy claim is inconsistent with README.md's described ocean-desk transfer of customer_profile and AI summary. The inconsistency could lead users to trust that no personal information is shared when another artifact describes a broader transfer path.
Only one script makes network requests: `scripts/sync_items.js` ... **Never transmitted**: name, phone number, ID number, or any PII data
The publisher should reconcile the privacy statements and explicitly disclose all external data flows, including optional support handoff fields.
Even without name or phone number, selected health-check items may reveal sensitive interests or symptoms.
The booking flow sends recommended checkup item IDs to the ihaola provider. This is disclosed and purpose-aligned for generating booking codes, but the item choices can still reveal health-screening interests.
POST https://pe.ihaola.com.cn/skill/api/recommend/addpack ... { "itemIds": ["HaoLa01", "HaoLa12", "HaoLa57"] }
Confirm you want booking/QR generation before allowing the provider sync, especially for sensitive tests.
Installing or using the skill may cause local scripts to run and a provider API to be contacted.
The skill expects the agent to run local Node scripts and one network-sync script as part of its workflow. This is central to the stated purpose, but users should notice that it is not purely conversational.
Item verification (mandatory): call `node scripts/verify_items.js` ... Price calculation (mandatory): call `node scripts/calculate_prices.js` ... call `node scripts/sync_items.js`
Review the scripts before use and only proceed if you are comfortable with local execution and provider booking integration.
The skill depends on npm packages and local Node execution despite being listed as instruction-only in registry metadata.
The registry says there is no install spec, but the skill documentation requires npm dependency installation. The lockfile reduces dependency ambiguity, so this is a notice rather than a standalone concern.
Runtime dependencies: run `npm ci` in the environment ... installing from `package-lock.json` ensures a consistent dependency tree
Install dependencies from the included lockfile and avoid substituting unreviewed package versions.
