Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Fda Consultant Specialist
v2.1.1
FDA regulatory consultant for medical device companies. Provides 510(k)/PMA/De Novo pathway guidance, QSR (21 CFR 820) compliance, HIPAA assessments, and dev...
by Alireza Rezvani (@alirezarezvani)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The name, description, and included reference documents align with an FDA regulatory consultant skill. There are no declared environment variables, binaries, or config paths that are unrelated to the stated purpose. The included guidance and references (510(k), QSR, HIPAA, cybersecurity) are appropriate for the described function.
Instruction Scope
The SKILL.md content (the runtime instructions) appears narrowly scoped to providing regulatory guidance and checklists and does not direct the agent to read system files, environment variables, or external endpoints. However, the skill bundle contains three Python scripts (fda_submission_tracker.py, hipaa_risk_assessment.py, qsr_compliance_checker.py). The SKILL.md does not explicitly describe how/when these scripts will be executed or what data they access, which is a gap between instructions and included code.
Install Mechanism
No install spec is provided (instruction-only install), so nothing additional is automatically downloaded or written to disk during install. This lowers risk compared with skills that fetch remote archives or install packages at runtime.
Credentials
The skill does not request environment variables, credentials, or config paths. That is proportionate to a consulting/advisory skill. The only potential concern is if the included scripts attempt to access secrets or PHI at runtime — that behavior is not observable from the manifest and must be audited in the script code.
Persistence & Privilege
The manifest's "always" flag is false, and the skill does not request any elevated or persistent system privileges. Autonomous invocation is allowed (the platform default), which is normal for skills; this by itself is not a red flag.
What to consider before installing
The human-readable guidance and reference docs are consistent with an FDA consultant skill, but you should NOT install or enable this skill without first inspecting the three bundled Python scripts. Specifically:

1) Open scripts/fda_submission_tracker.py, scripts/hipaa_risk_assessment.py, and scripts/qsr_compliance_checker.py and search for: network calls (requests, urllib, http, socket), subprocess usage, os.environ access, file system paths (e.g., /etc, ~/, /var), hardcoded URLs or credentials, or obfuscated/encoded strings.
2) If you lack the ability to audit code, request the source from the publisher and ask for provenance (who authored it, version control URL, license).
3) Run the scripts in an isolated sandbox/container with network disabled to observe behavior before granting the agent access to any environment containing PHI or secrets.
4) If you plan to allow autonomous invocation, be extra cautious: autonomous execution + unknown scripts increases blast radius.

If the scripts are benign (only produce templates/checklists and local reports) the skill is likely safe; if they contact external endpoints or read environment variables/PHI, consider rejecting or requiring code changes. Because the actual script contents were not provided in the SKILL.md excerpt, my assessment is medium-confidence — reviewing the three Python files is the key next step.

Like a lobster shell, security has layers — review code before you run it.
latest: vk977j7xwy3287vr9vtnxdvkkn182jk17
