Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CareMax Records

v1.0.0

Query and search medical records from CareMax Health API. Supports structured query, AI-powered semantic search with RAG (natural language answers with citat...

by Qitao Yang @kittenyang

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kittenyang/caremax-records.

Install the skill "CareMax Records" (kittenyang/caremax-records) from ClawHub.
Skill page: https://clawhub.ai/kittenyang/caremax-records
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install caremax-records

ClawHub CLI

npx clawhub@latest install caremax-records

Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to query CareMax Health API and all SKILL.md examples call an API endpoint; that fits the stated purpose. However, the skill does not declare any required credentials or a primaryEnv even though it requires authenticated access via a sibling repo (../caremax-auth). The external dependency is coherent with the purpose but should have been declared and linked.
Instruction Scope
Runtime instructions require executing scripts in a sibling directory (../caremax-auth/scripts/api-call.sh and auth-flow.sh). Those external scripts are mandatory and run shell commands, may prompt for or store credentials, and are outside the visibility of this skill bundle. The SKILL.md also instructs forwarding user medical queries to a remote API and saving chats remotely — expected for this skill but high-risk for PHI if endpoints or auth are not verified.
Install Mechanism
There is no install spec and no code files in this skill (instruction-only). That reduces the immediate attack surface in the skill itself, but the mandatory dependency on an out-of-tree sibling package (caremax-auth) shifts risk to that external code.
Credentials
The skill lists no required environment variables or primary credential, yet the SKILL.md implicitly depends on authentication performed by ../caremax-auth. For a medical-records integration it is unusual and concerning not to declare what credentials or base_url will be used; the auth scripts could access or request arbitrary secrets.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges and remains user-invocable. It does not declare modifying other skill configs. Autonomous invocation is allowed (platform default) but not by itself a new concern here.
What to consider before installing
Do not install or run this skill until you verify the external auth package it requires (../caremax-auth). The SKILL.md mandates running sibling scripts that will perform authentication and API calls — those scripts could prompt for, store, or transmit sensitive credentials and medical data. Ask the publisher for a source URL or repository, inspect the caremax-auth/scripts (especially auth-flow.sh and api-call.sh) to see where credentials are read, stored, or sent, and confirm the API base_url and hostname are legitimate and HIPAA-compliant if you will handle PHI. If you cannot inspect the sibling repository, avoid using this skill with real patient data; test only with synthetic data and consider requiring explicit declaration of required env vars (API keys, base_url) before trusting it.
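
The inspection recommended above, as an added example (not part of the skill or of caremax-auth): it checks that both sibling scripts exist, lists every endpoint they reference, and prints the lines that touch credentials for manual review. The two script names and the directory come from the SKILL.md; the grep patterns and the HTTPS-only rule are assumptions about what is worth flagging, not a description of what the real scripts contain.

```shell
#!/usr/bin/env bash
# Pre-install audit of the sibling auth package (added example, not the skill's code).
# Script names are taken from the SKILL.md; the match patterns are assumptions.

REQUIRED_SCRIPTS="api-call.sh auth-flow.sh"

# Print each distinct scheme://host[:port] the scripts reference, one per line.
list_endpoints() {
  grep -rhoE 'https?://[A-Za-z0-9._-]+(:[0-9]+)?' "$1/scripts" 2>/dev/null | sort -u
}

# Print file:line:text for statements that read secrets or touch credential storage.
list_credential_touchpoints() {
  grep -rniE 'read +-s|\$HOME|~/|/\.config|token|secret|password|api[_-]?key' \
    "$1/scripts" 2>/dev/null
}

# Return 0 only if both scripts exist and every referenced endpoint is HTTPS.
# Output is a review worklist: MISSING / ENDPOINT / CLEARTEXT / REVIEW lines.
audit_auth_package() {
  _dir=$1
  _status=0
  for _s in $REQUIRED_SCRIPTS; do
    [ -f "$_dir/scripts/$_s" ] || { echo "MISSING $_dir/scripts/$_s"; _status=1; }
  done
  for _url in $(list_endpoints "$_dir"); do
    case $_url in
      https://*) echo "ENDPOINT $_url" ;;
      *)         echo "CLEARTEXT $_url"; _status=1 ;;
    esac
  done
  list_credential_touchpoints "$_dir" | sed 's/^/REVIEW /'
  return $_status
}

# Usage, from this skill's root, before APICALL is ever invoked:
#   audit_auth_package ../caremax-auth || echo "do not run until reviewed"
```

A zero exit status only means the files exist and no cleartext endpoint was found; every ENDPOINT host and REVIEW line still has to be read and confirmed by a person before real patient data is sent.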


MIT-0

CareMax Medical Records

Requires caremax-auth as a sibling directory (../caremax-auth/). If missing, tell the user to install caremax-auth first (e.g. npx skills add KittenYang/caremax-skills).

Prerequisites — Auto-Auth (MANDATORY)

APICALL="bash ../caremax-auth/scripts/api-call.sh"

If api-call.sh returns {"error":"no_credentials",...}, immediately run bash ../caremax-auth/scripts/auth-flow.sh [base_url] (from this skill’s root).

Smart Search (Recommended)

Use searchText for natural language queries. Backend runs 4-layer search:

  1. LLM keyword extraction (maps "喝酒" → "ALDH2 酒精代谢")
  2. LIKE search on report titles, summaries, sections, indicators
  3. Semantic vector search (BGE-M3 → Zilliz)
  4. RAG: DeepSeek-V3.2 generates natural language answer with citations

$APICALL POST /api/skill/records/query '{"searchText":"我有哪个基因不能喝酒"}'
$APICALL POST /api/skill/records/query '{"searchText":"我猝死的概率大吗"}'
$APICALL POST /api/skill/records/query '{"searchText":"降压药建议"}'
$APICALL POST /api/skill/records/query '{"searchText":"MTHFR"}'

Response:

{
  "type": "search",
  "query": "...",
  "data": [...],              // matched records (enriched)
  "totalCount": 1,
  "semanticHits": [           // vector similarity top-10
    {"text": "...", "score": 0.61, "recordId": "xxx"}
  ],
  "rag": {                    // AI natural language answer
    "answer": "根据您的基因检测报告...[来源1][来源2]",
    "citations": [
      {"index": 1, "source": "脑梗塞风险评估", "relevance": "高"}
    ]
  }
}

Display the rag.answer to the user. It contains the direct answer with citation references.

Structured Query

# By date range
$APICALL POST /api/skill/records/query '{"dateRange":["2025-01-01","2025-12-31"]}'

# By indicator name
$APICALL POST /api/skill/records/query '{"indicatorName":"血红蛋白"}'

# By report title
$APICALL POST /api/skill/records/query '{"reportTitle":"血常规"}'

# By record ID (single record detail)
$APICALL POST /api/skill/records/query '{"recordId":"uuid"}'

# By member + pagination
$APICALL POST /api/skill/records/query '{"memberId":"member-uuid","page":1,"limit":20}'

Report Types

The system handles multiple report types:

  • lab: Standard lab reports (indicators with name/value/unit/reference_range)
  • genetic: Gene testing reports (sections with gene/SNP/genotype/risk_level)
  • imaging: Radiology reports (sections with location/finding/impression)
  • pathology: Pathology reports (sections with tissue/grade/staging)
  • other: Any other medical document

Non-lab reports have report_type, summary, and sections[] fields instead of indicators[].

AI Chat (Recommended)

Use /api/skill/chat for AI chat. All conversations are automatically saved to the history.

# Ask a question (automatic search + RAG + saved to history)
$APICALL POST /api/skill/chat '{"question":"我有哪个基因不能喝酒"}'
$APICALL POST /api/skill/chat '{"question":"我的降压药应该怎么吃"}'

# Ask about a specific report
$APICALL POST /api/skill/chat '{"question":"这份报告有什么建议","recordId":"uuid"}'

Response:

{
  "id": "chat-uuid",
  "question": "...",
  "answer": "根据您的报告...[来源1]",
  "citations": [{"index":1,"source":"...","relevance":"高","quote":"原文..."}],
  "recordId": null,
  "created_at": "..."
}

Display the answer to the user. Citations contain original report text.

# Get the chat history
$APICALL GET /api/skill/chat/history

# Delete a single entry
$APICALL DELETE /api/skill/chat/<chat_id>

# Clear all entries
$APICALL DELETE /api/skill/chat

Recommended Workflow

User: "What does my genetic test report say?"

$APICALL POST /api/skill/chat '{"question":"我的基因检测报告说了什么"}'

User: "show my recent check-up results"

$APICALL POST /api/skill/records/query '{"dateRange":["2025-01-01","2025-06-30"]}'

User: "How should I take my blood pressure medication?"

$APICALL POST /api/skill/chat '{"question":"我的降压药应该怎么吃"}'
