Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Medical Unit Converter
v1.0.0
Convert medical laboratory values between units (mg/dL to mmol/L, etc.) with formula transparency and clinical reference ranges. Supports glucose, cholestero...
by AIpoch (@aipoch-ai)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the script's behavior: a local converter for laboratory analytes. However SKILL.md documents 4 analytes/8 pairs while the script implements 9 analytes/16 conversion pairs (additional analytes: triglycerides, urea, calcium, sodium, potassium). This is a coherence/documentation mismatch but not evidence of malicious intent.
Instruction Scope
SKILL.md and the script stay within the stated purpose (parse CLI args, perform arithmetic, return JSON). No file reads beyond the script, no network calls, no env/credential access. Notable divergence: SKILL.md expects output field names like converted_value and a 'formula' field, but scripts/main.py returns output_value, input_value, input_unit, output_unit and does not include a formula field. That mismatch could break callers or automated agents following the SKILL.md contract.
Install Mechanism
No install spec and no external packages beyond Python standard library. Script is small and self-contained, so install risk is low.
Credentials
The skill requests no environment variables, credentials, or config paths and the code does not access any secrets or external services.
Persistence & Privilege
Skill does not request always:true, does not modify agent/system configuration, and has no persistent presence requirements.
Scan Findings in Context
[DOC_IMPL_MISMATCH_ANALYTES] unexpected: SKILL.md documents 4 analytes but scripts/main.py implements 9 analytes (additional: triglycerides, urea, calcium, sodium, potassium). This is a documentation/consistency issue that may surprise users or integrators.
[OUTPUT_SCHEMA_MISMATCH] unexpected: SKILL.md specifies output fields (converted_value, formula) while the script outputs input_value, output_value, input_unit, output_unit and omits a 'formula' field. Agents or code that rely on the documented schema may fail.
[UNDOCUMENTED_BEHAVIOR_SUPPORTED_PAIRS] unexpected: SKILL.md lists a Supported Conversions table with 8 pairs but the script contains 16 entries. The audit artifact also flags differences in field names (e.g., converted_value vs output_value).
What to consider before installing
This skill appears to be a straightforward, local medical-unit converter and does not access the network or secrets — that part is benign. However, there are important mismatches between the documented contract (SKILL.md) and the included script: the script supports more analytes than the documentation lists, and the JSON output field names differ (script uses output_value/input_value, SKILL.md expects converted_value/formula).
Before installing or integrating:
1) ask the author to update SKILL.md to match the script (supported analytes, exact output schema, and whether a formula field is present);
2) run the provided quick-check (python -m py_compile scripts/main.py and a few sample conversions) to confirm output shape and reference ranges;
3) if you will call the script programmatically, adapt your code to the script's actual JSON keys or request the script be changed to the documented schema;
4) because this is a medical utility, do not use it for clinical decision-making without independent verification of reference ranges and factors;
5) prefer a published source/homepage or signed maintainer if you will rely on it in production.
These fixes will address the coherence issues; there is no sign of network exfiltration or secret access in the code.
Like a lobster shell, security has layers — review code before you run it.
latestvk979bc7eq5yn3ek1fmx5f9tk9s83q7qb
