Ohif Deploy
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like an OHIF deployment helper, but the script hard-codes an external medical-imaging data source and advertises custom SSL/source options it does not actually implement.
Do not run this as-is for real medical data. First inspect deploy.sh, replace the hard-coded DICOMweb URLs with your intended server, pin Docker image versions, create a real nginx/SSL configuration, and verify what ports will be exposed.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A deployed viewer may connect to an unexpected external medical-imaging service instead of the user's intended DICOM server.
The generated OHIF configuration points the viewer at specific external DICOMweb endpoints, and the skill description does not disclose this provider or the data boundary it implies; every study search (QIDO-RS) and retrieval (WADO-RS/WADO-URI) the viewer performs would go to that third party.
"wadoUriRoot": "https://www.allhealthai.com/HealthRecordCenter",
...
"qidoRoot": "https://www.allhealthai.com/HealthRecordCenter",
...
"wadoRoot": "https://scnc.allhealthai.com:16010/HealthRecordCenter"
Review and replace the DICOMweb URLs before deployment, especially when handling patient or medical imaging data.
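As an added check (not part of the skill or of ClawScan's output), the following Python enumerates every DICOMweb root in an OHIF datasource config and flags hosts that are not on an allowlist or not served over https. The config text is a constructed sample modelled on the fragments quoted above, and the allowlist host pacs.hospital.internal is hypothetical.

```python
import json
from urllib.parse import urlparse

# Constructed sample modelled on the fragments quoted in the finding above; it is
# not the skill's actual generated file, only the datasource section in the
# window.config form OHIF's app-config.js normally uses.
SAMPLE_OHIF_CONFIG = """
window.config = {
  "dataSources": [
    {
      "sourceName": "dicomweb",
      "configuration": {
        "friendlyName": "Health Record Center",
        "wadoUriRoot": "https://www.allhealthai.com/HealthRecordCenter",
        "qidoRoot": "https://www.allhealthai.com/HealthRecordCenter",
        "wadoRoot": "https://scnc.allhealthai.com:16010/HealthRecordCenter"
      }
    }
  ]
};
"""

# Hypothetical allowlist: the DICOM server this deployment is actually meant to use.
APPROVED_DICOM_HOSTS = {"pacs.hospital.internal"}

DICOMWEB_ROOT_KEYS = ("wadoUriRoot", "qidoRoot", "wadoRoot")


def load_ohif_config(text):
    """Parse either plain JSON or the app-config.js form `window.config = {...};`.

    Only JSON-syntax object literals are accepted; a config with unquoted keys
    or trailing commas must be normalised first (or handled by a JS parser).
    """
    text = text.strip()
    if text.startswith("window.config"):
        text = text.split("=", 1)[1].strip().rstrip(";")
    return json.loads(text)


def dicomweb_roots(text):
    """Return (sourceName, key, url) for every DICOMweb root of every dataSource."""
    roots = []
    for ds in load_ohif_config(text).get("dataSources", []):
        conf = ds.get("configuration", {})
        for key in DICOMWEB_ROOT_KEYS:
            if key in conf:
                roots.append((ds.get("sourceName", "?"), key, conf[key]))
    return roots


def audit_dicomweb_roots(text, approved_hosts):
    """Flag every root that is not https or whose host is not on the allowlist.

    QIDO-RS searches carry patient identifiers as query parameters and WADO
    retrievals carry study/series UIDs, so an unreviewed host here means
    patient data leaving the intended boundary.
    """
    findings = []
    for source, key, url in dicomweb_roots(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append(f"{source}.{key}: {url} is not served over https")
        if host not in approved_hosts:
            findings.append(f"{source}.{key}: host {host!r} is not an approved DICOM server")
    return findings


if __name__ == "__main__":
    for finding in audit_dicomweb_roots(SAMPLE_OHIF_CONFIG, APPROVED_DICOM_HOSTS):
        print("FINDING:", finding)
```

Run it against the config that deploy.sh writes before bringing the stack up; a clean result means every root resolves to a host you approved, which is the check the finding above asks for. It deliberately does not rewrite the URLs for you, since the intended server is a deployment decision.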
Users may believe they are deploying a customized or SSL-enabled production setup when the generated files do not provide that behavior.
The documented flag-based custom-datasource and SSL workflows do not match the provided script, which only reads positional arguments and never creates an SSL or domain configuration, so a deployment invoked with --ssl still ends up without TLS.
./deploy.sh --datasource tbidea --port 3000
# Deploy with SSL
./deploy.sh --ssl --domain your-domain.com
Treat the README usage as unreliable until the script is updated to implement the documented flags and SSL configuration.
The deployed software could change unexpectedly over time as upstream image tags move.
The generated Docker Compose file uses unpinned container image tags, so future deployments may pull different image versions.
image: ohif/viewer:latest
...
image: nginx:alpine
Pin Docker images to reviewed versions or digests before using this in a production medical environment.
Running the generated Compose file could expose the viewer to a network or the public internet depending on the host environment.
The script generates a configuration that exposes the viewer and nginx on network ports; this is expected for a deployment tool but requires deliberate review.
ports:
- "${PORT}:3000"
...
- "80:80"
- "443:443"
Confirm firewall rules, TLS setup, authentication, and intended bind addresses before running Docker Compose.
The containers may continue running and restarting after the initial setup unless the user stops or removes them.
The generated services are configured to keep restarting until explicitly stopped, which is normal for deployment but creates persistence.
restart: unless-stopped
Use explicit lifecycle management, such as docker compose down, when the viewer should no longer run.
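As an added example covering the three Compose findings above (unpinned image tags, exposed ports, and the unless-stopped restart policy), and not the skill's own code or ClawScan's, the following Python audits a compose file and shows a corrected version alongside. The sample compose text is constructed to reproduce the settings quoted in the findings; in the corrected file the version tags are hypothetical and the all-zero digest is a placeholder for the digest of whatever image you actually reviewed.

```python
import re

# Constructed sample reproducing the settings quoted in the findings above; an
# approximation of what the skill's deploy.sh emits, not its real output.
SAMPLE_COMPOSE = """\
services:
  viewer:
    image: ohif/viewer:latest
    restart: unless-stopped
    ports:
      - "${PORT}:3000"
  nginx:
    image: nginx:alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
"""

# Corrected form. The version tags are hypothetical and the all-zero digest is a
# placeholder: substitute the tag and @sha256 digest of the images you reviewed,
# and the interface the viewer is actually meant to listen on.
PLACEHOLDER_DIGEST = "0" * 64
HARDENED_COMPOSE = f"""\
services:
  viewer:
    image: ohif/viewer:v3.9.0@sha256:{PLACEHOLDER_DIGEST}
    restart: "no"
    ports:
      - "127.0.0.1:3000:3000"
  nginx:
    image: nginx:1.27.2@sha256:{PLACEHOLDER_DIGEST}
    restart: "no"
    ports:
      - "127.0.0.1:8443:443"
"""

SERVICE_RE = re.compile(r"^  ([A-Za-z0-9_.-]+):\s*$")   # 2-space indent: a service name
KEY_RE = re.compile(r"^\s*([A-Za-z_]+):\s*(.*)$")       # key: value inside a service
ITEM_RE = re.compile(r"^\s*-\s*[\"']?([^\"'\s]+)")      # - "item" list entry
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
VERSION_TAG_RE = re.compile(r":v?\d+(\.\d+)*(@|$)")     # :1.27.2 or :v3.9.0, not :5000/


def check_image(service, ref):
    """Digest-pinned refs pass; version tags get a warning; floating tags fail."""
    if DIGEST_RE.search(ref):
        return None
    if VERSION_TAG_RE.search(ref):
        return (service, "image", f"{ref} is a mutable tag; prefer an @sha256 digest")
    return (service, "image", f"{ref} is a floating tag; pin a reviewed version or digest")


def check_port(service, mapping):
    """A mapping with no host address publishes on every interface."""
    if "$" in mapping:
        return (service, "ports", f"{mapping} comes from the environment; host port unknown at review time")
    parts = mapping.split(":")
    if len(parts) < 3 or parts[0] in ("0.0.0.0", "::", "[::]"):
        return (service, "ports", f"{mapping} binds to all interfaces")
    return None


def check_restart(service, policy):
    """always/unless-stopped survive reboots, which is persistence until compose down."""
    if policy in ("always", "unless-stopped"):
        return (service, "restart", f"{policy} keeps the container up across reboots; plan an explicit docker compose down")
    return None


def audit_compose(text):
    """Line-based walk of a compose file; no YAML library is needed for this shape."""
    findings, service, section = [], None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SERVICE_RE.match(line)
        if m:
            service, section = m.group(1), None
            continue
        if service is None:
            continue  # still in the top-level header, before any service
        m = KEY_RE.match(line)
        if m:
            section, value = m.group(1), m.group(2).strip().strip("\"'")
            check = {"image": check_image, "restart": check_restart}.get(section)
            f = check(service, value) if check else None
            if f:
                findings.append(f)
            continue
        m = ITEM_RE.match(line)
        if m and section == "ports":
            f = check_port(service, m.group(1))
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for service, category, detail in audit_compose(SAMPLE_COMPOSE):
        print(f"[{category}] {service}: {detail}")
    print("hardened file findings:", audit_compose(HARDENED_COMPOSE))
```

The walker only understands the two-space service / four-space key layout that deploy.sh-style generators emit; for hand-written files with anchors or merge keys, load them with a YAML parser and apply the same three check functions to the resulting mapping.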
