ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PathClaw

v1.0.2

使用华银康集团 PathClaw 对病理切片进行泛癌预测。具体流程包括:运行病理切片诊断,包括:(1)从登录 API 获取认证 token;(2)使用 slide_file 启动诊断任务;(3)获取诊断结果。触发短语:"病理切片诊断"、"pathology diagnosis"、"PathClaw"等。**注意*...

0· 28·0 current·0 all-time
by@t-programmer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions (login → upload .svs → poll results). No declared credentials or env vars are required, which aligns with the instruction that the agent obtains a token from the service. However the target is a raw IP (http://119.91.47.20:8111) with no hostname, no HTTPS, and the package has no homepage or source provenance; that makes it hard to verify that the endpoint belongs to the claimed vendor (华银康集团).
!
Instruction Scope
The SKILL.md explicitly instructs reading a user-supplied local file and uploading it to the remote service — this is expected for an upload-based diagnosis skill, but it also means the agent will access arbitrary file paths on the host. The instructions require multiple local file checks (existence, readability, size, extension) which are coherent, but there is no guidance about handling PHI, consent, or which metadata to remove before upload. Also the login call is shown as an unauthenticated HTTP POST with no request body specified, which is ambiguous and may cause implementations to behave unexpectedly.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by an installer.
!
Credentials
No environment variables or credentials are requested, which is consistent with the workflow that obtains a token from the remote API. However, requiring no local credentials while instructing the agent to upload potentially sensitive medical images to an external HTTP IP is a privacy risk. The skill also gives no instructions about verifying the server identity or TLS, nor does it require the user to supply a trusted endpoint or API key — this lowers accountability for where data is sent.
Persistence & Privilege
always:false and no special persistence requested. The skill does not request elevated platform privileges and does not attempt to modify other skill configs.
What to consider before installing
This skill will read a local pathology slide file you provide and upload it to http://119.91.47.20:8111 over plain HTTP. Before using it, verify the endpoint actually belongs to the vendor (ask for an official domain and TLS), confirm you have patient consent to transmit the image, and prefer HTTPS. Ask the skill author how the login works (what credentials, request body) and how patient identifiers are handled or redacted. Test first with a non-sensitive dummy file. If you cannot confirm the server's identity, do not use this skill for real patient data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cjq5pn9gah9hca0ak616srs84451x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

概述

针对服务器 http://119.91.47.20:8111/ 执行 3 步病理切片诊断工作流。

工作流程

前置要求

用户必须提供病理切片文件路径(.svs 格式)。若用户未提供,须询问:

请提供病理切片文件路径,例如:C:\path\to\slide.svs

第一步:获取认证 Token

curl -X POST http://119.91.47.20:8111/api/user/login

从响应中提取 data.token。此 token 必须包含在后续请求的 Authorization: Bearer <token> 请求头中。

第二步:启动诊断任务

重要:上传文件必须为 .svs 格式。若校验失败,须终止操作并提示用户: 该文件不是有效的病理切片格式(应为 .svs 格式)

文件校验规则(执行上传前必须全部通过)

  1. 文件路径必须存在,且为普通文件(非目录)。
  2. 文件必须可读(当前进程有读取权限)。
  3. 文件大小必须大于 0 字节。
  4. 后缀名必须是 .svs(大小写不敏感,如 .SVS 也允许)。
  5. 任一校验失败都必须立即终止,不得继续调用诊断接口。

验证失败示例:C:\Users\HYK\Desktop\SKILL.md → 提示 该文件不是有效的病理切片格式(应为 .svs 格式)

curl -X POST http://119.91.47.20:8111/api/v1/diagnosis/run \
  -H "Authorization: Bearer <token>" \
  -F "slide_file=@/path/to/slide_file"

响应中包含 data.slide_id,保存此 ID 用于下一步。

第三步:获取诊断结果

启动诊断后等待 10 秒,然后请求:

curl -X GET http://119.91.47.20:8111/api/v1/diagnosis/<slide_id>/result \
  -H "Authorization: Bearer <token>"

ai_diagnosis_status 状态码

状态码含义
0未知
1排队中
2队列中
3分析中
4分析成功
5分析失败

安全与异常处理要求

  1. Token 安全

    • 日志中禁止输出完整 token。
    • 如需调试,仅允许脱敏输出(例如前 6 位 + ***)。

  2. 网络与超时

    • 每次 HTTP 请求必须设置超时(建议连接超时 10 秒、读取超时 60 秒)。
    • 超时或网络错误时最多重试 2 次(指数退避:1s、2s)。
    • 超过重试上限后返回明确失败信息并停止流程。

  3. HTTP 状态码处理

    • 2xx:按正常流程解析。
    • 401/403:提示认证失败或 token 失效,终止流程。
    • 4xx:提示请求参数错误(包含文件或接口参数问题),终止流程。
    • 5xx:提示服务端异常,可按重试策略重试,失败后终止。

  4. 结果状态处理

    • 当状态为 1/2/3:继续轮询。
    • 当状态为 4:输出最终诊断结果。
    • 当状态为 5:输出“分析失败”及返回错误信息,终止流程。
    • 当状态为 0 或未知值:按异常状态处理并终止流程。

API 概要

步骤方法端点认证请求体
1. 登录POST/api/user/login
2. 启动诊断POST/api/v1/diagnosis/runBearer tokenslide_file (multipart)
3. 获取结果GET/api/v1/diagnosis/{slide_id}/resultBearer token

输出规范

执行过程中须按以下规范输出:

  1. 初始化阶段:输出 正在确认用户信息及状态...
  2. 上传与调用阶段:输出 已完成用户信息确认。\n调用 **华银康集团 PathClaw 服务** 进行泛癌预测。
  3. 推理等待阶段:首次轮询输出 切片已完成上传,正在推理中...
    • 若进入第二次及后续轮询,输出 结果仍在推理中,请您耐心等待...
  4. 最终诊断结果分析:纯文本 + 无序列表输出,模板如下:
  • 当前切片已完成推理。该切片 {{file_name}} 经过 华银康集团 PathClaw 服务 辅助诊断,提示"{{diagnosis_result}}",建议进一步做病理复查或免疫组化检测以明确诊断。
  • 热力图请点击查看以下链接:{{short_link}}
  • 本次AI辅助诊断结果仅供参考,不构成最终诊断建议。最终诊断应由专业医师结合临床情况及其他检查结果进行判断。

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…