Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ai-medical-care-manager

v1.0.0

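Covers the full consumer-facing outpatient visit workflow. It first performs symptom triage and determines which department to register with, then recommends the top 3 hospitals/doctors, and continues with appointment registration guidance, a pre-visit preparation card, reminders, post-visit explanations, and AMap-based route planning to the hospital.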

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match what is implemented: Python scripts perform triage, parsing, reminders, and pre-visit card generation; Node scripts handle AMap geocoding, IP locate and route link generation. Required binaries (python3, node) and axios dependency are expected for these tasks. The large CSV asset is appropriate for hospital/doctor matching.
Instruction Scope
SKILL.md confines runtime actions to the skill's files (scripts and references) and to calling AMap web services for mapping. It instructs optionally attempting IP-based coarse location if the agent can obtain a user IP — the node ip-locate script requires an explicit --ip argument, so there is no hidden automatic network probing. Be aware that if you provide user location/address or IP, those values are sent to AMap endpoints (external service) for geocoding/route planning.
Install Mechanism
Install spec only pulls in the npm package 'axios' (declared in package.json) — a minimal and expected runtime HTTP client. There are no downloads from arbitrary URLs or archives; no high-risk install actions detected.
Credentials
The skill does not declare required env vars in registry metadata, but the code and SKILL.md use optional AMAP_WEBSERVICE_KEY / AMAP_KEY for routing. Requesting an AMap Web Service key is proportionate to offering route planning. One thing to note: the vendor code can persist a provided key to a local config file (scripts/vendor/config.json), which stores the key on disk; this is a design choice (convenience) but worth knowing for secret handling.
Persistence & Privilege
The skill does not request always: true, does not modify other skills, and only persists its own config (vendor/config.json) if the developer helper functions are used. Files written are limited to the skill directory and are within expected scope.
Assessment
This skill appears to do what it says: run local Python/Node scripts to triage symptoms, parse appointment text, produce a pre-visit card and reminders, and — if you supply an AMap key — call AMap web services to geocode and plan routes. Before installing, consider: (1) Privacy: any location string or IP you supply will be sent to AMap (restapi.amap.com) and generated map links embed route data in a public AMap demo URL — avoid sending extremely sensitive personal data to external map services. (2) Key storage: if you provide a Web Service Key via the skill helper, it may be saved to scripts/vendor/config.json in the skill folder; treat that file as sensitive. (3) IP suggestion: the skill only uses IP if you explicitly provide it; do not pass real user IPs if you do not want coarse location shared. (4) No other external credentials are requested and no hidden network hosts or obfuscated code were found. If you need stronger guarantees, ask the author to (a) declare AMAP_* env vars in the registry metadata as optional, (b) document where keys are persisted and allow opting out of on-disk storage, and (c) confirm the a.amap.com map visualization URL's use of query data.
scripts/amap_geocode.js:19
Environment variable access combined with network send.
scripts/amap_ip_locate.js:31
Environment variable access combined with network send.
scripts/vendor/amap_index.js:59
Environment variable access combined with network send.
scripts/vendor/amap_index.js:14
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e0sc2st3z7zwx7t55ttd5sn8385vz


Runtime requirements

🏥 Clawdis
Bins: python3, node

Install

Node: npm i -g axios
