Medical Auditor

v1.0.0

Audits hospital surgical logs against billing to find revenue leakage.

by Srikanth @srikanth-hn
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description (audit surgical logs against billing) line up with the instructions (find hospital_logs.json, extract notes and billed items, compare, report). No unexpected binaries, installs, or credentials are requested.
! Instruction Scope
Runtime instructions tell the agent to read hospital_logs.json from the workspace and extract Surgeon Notes/Procedure Summary — this is appropriate for the task but the file likely contains protected health information (PHI). The skill also directs drafting a WhatsApp message to a Hospital Administrator requesting approval to update bills, which introduces a path for sensitive data to be formatted for external transmission. There are no safeguards (de-identification, consent, logging, or explicit human-review step) and no limitation on what fields to include in the drafted message.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest installation risk. Nothing is written to disk by the skill itself beyond normal agent behavior.
! Credentials
No environment variables or external credentials are requested, which is consistent if the skill only drafts content locally. However, the skill's intended workflow (drafting messages to an external administrator) deals with PHI and would normally require explicit handling/authorization and possibly external messaging credentials if automated sending were added. The skill does not declare any privacy or compliance controls despite handling sensitive data.
Persistence & Privilege
`always` is false and the skill is user-invocable. Autonomous invocation is allowed (the platform default); that alone is not flagged, but processing PHI with autonomous invocation increases risk. The skill does not request persistent system-wide privileges or to modify other skills' configurations.
What to consider before installing
This skill is coherent for an auditing task but it reads files that likely contain protected health information and prepares messages intended for external communication. Before installing or running it:
1) Ensure you have legal/organizational authorization to process these records (HIPAA/other regs).
2) Only run the skill in a secure, access-controlled workspace and avoid placing raw PHI in the agent workspace; consider using de-identified or test data.
3) Require a manual review step before any message is sent or any billing update is performed — do not allow automatic sending to WhatsApp or other external channels.
4) Verify audit trail/logging and who can view generated reports/messages.
5) If you need the skill to contact administrators automatically, require explicit, documented credentials and privacy controls and add de-identification/consent steps.
If you cannot confirm these safeguards, treat the skill as unsafe for production use with real patient data.


latest: vk9728qs68pzy7qbcgck2bwtmfd82fj6j
