Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ohif Deploy
v1.0.0Deploy OHIF medical imaging viewer with Docker, configure DICOMweb sources, SSL, and integrate servers like tbidea, orthanc, and DCM4CHEE.
⭐ 0· 284·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The README claims one-click deployment, SSL setup, support for multiple DICOM servers (tbidea, orthanc, DCM4CHEE) and AWS S3. The included deploy.sh only creates a minimal docker-compose.yml and a hosting.json with a single data source; it does not create nginx.conf, does not implement SSL, does not vary configuration per server type, and does not implement AWS S3. The declared purpose (production-ready, multi‑server integration, SSL) is not reflected in the actual script.
Instruction Scope
SKILL.md shows usage with flags (--datasource, --ssl, --domain) but deploy.sh expects positional args, so instructions and implementation diverge. More importantly, deploy.sh writes hosting.json with hard-coded wado/qido roots pointing to https://www.allhealthai.com/... and https://scnc.allhealthai.com:16010/..., meaning a deployed viewer will be configured to contact those third-party endpoints. That behavior is not documented as an intentional external integration in the README and could cause medical images/metadata to be sent to or fetched from those domains.
Install Mechanism
There is no install spec (instruction-only + a small shell script). The script writes docker-compose.yml and config/hosting.json into the current directory and creates a config folder — standard for a deploy helper. No remote code downloads or archive extraction occur.
Credentials
The skill requests no credentials, yet the produced configuration points to external third-party hosts (allhealthai.com). There is a claim of supporting AWS S3 in SKILL.md but no mechanism to supply S3 credentials. Hard-coded external endpoints are disproportionate and risky for a deployment helper for medical data because they could cause unintended data exposure without requiring explicit credentials.
Persistence & Privilege
The skill does not request permanent platform privileges (always: false) and does not modify other skills or global agent settings. It only writes files to the working directory when run.
What to consider before installing
Do not run this script on a machine that stores or has access to real patient data. Key concerns: (1) The script hard-codes wado/qido roots pointing to allhealthai.com domains — that will cause the OHIF viewer to contact these external servers and could expose PHI. (2) The README advertises SSL, domain handling, multiple server types and S3 support, but the script does not implement those features and does not create nginx.conf (it expects you to provide it). (3) Usage examples in SKILL.md use flags while the script expects positional args — the code may not behave as documented. Recommended actions before using: inspect and edit config/hosting.json to remove or replace external endpoints; provide your own nginx.conf and SSL configuration; test in an isolated environment; verify compliance with applicable data protection laws (e.g., HIPAA) and organizational policy; ask the author for clarification or an updated script that actually implements advertised features. If you cannot confirm the intent of the allhealthai endpoints, treat this as potentially unsafe.Like a lobster shell, security has layers — review code before you run it.
latestvk97fbn3m4vwj4499xbf2e9a1rx828c33
License
MIT-0
Free to use, modify, and redistribute. No attribution required.