Dont Deal Triage
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated chest-pain triage purpose and shows no exfiltration, but it does run bounded local commands and can persist sensitive local health/work-pattern summaries.
This appears reasonable for a local-first emergency triage helper, but install it only if you are comfortable with it running bundled Node scripts, checking active git commit timing, and storing local health/work summaries under ~/.dont-deal. Do not share generated snapshots or event files unless you have reviewed them, and treat the skill as support for seeking care rather than a medical diagnosis.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When the skill is invoked, it may run local commands to inspect git commit timing and parent-process context.
The skill can execute local binaries through execFile. In the provided code this is used for bounded git and ps commands that support the stated fatigue/host-context purpose.
export async function runCommand(command, args, options = {}) { const { stdout, stderr } = await execFile(command, args, { encoding: "utf8", ...options });
Install only if you are comfortable with the bundled Node scripts running local git/ps checks, and keep command execution limited to the included scripts.
Chest-pain triage answers, risk factors, or event history may remain on disk and be reused in later sessions.
The CLI is designed to load profile data and write triage events locally. Because the subject matter is health symptoms and risk factors, even local JSON persistence is sensitive.
import { loadProfile, appendEvent } from "./profile-store.js"; ... "This result has been written to local events.json."
Before using saved profiles/events, confirm where ~/.dont-deal is stored, who can read it, how to delete it, and whether explicit consent is required before saving health details.
The local snapshot can reveal that certain provider credentials are present in the environment, though not the credentials themselves.
Host detection checks whether common provider API-key environment variables exist and records matched signal names. The code does not read or output the secret values.
"ANTHROPIC_API_KEY" ... "OPENAI_API_KEY" ... const matchedKeys = rule.matches.filter((key) => Boolean(env[key]));
Avoid sharing generated snapshots publicly, and keep the implementation constrained to detecting variable presence rather than reading credential values.
Users may not realize from metadata alone that the skill needs a local Node runtime and may inspect local git/host context.
The registry metadata provides limited provenance and does not declare runtime binaries, while the artifacts include Node scripts that may call git and ps.
Source: unknown; Homepage: none; Required binaries (all must exist): none; Install specifications: No install spec
Review the bundled scripts and install from a trusted ClawHub version; maintain metadata that declares Node and optional git/ps usage.
