Skill v1.0.1

ClawScan security

med-chronic-disease-review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 3:27 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill appears to implement OCR-based chronic-disease review as claimed, but its code contradicts key safety claims (de-identification and no local persistence) and will send OCR data to an external service by default — review before using with real patient data.
Guidance
Do not use this skill with real patient data until you confirm how it handles PHI. The README claims strict de-identification and no local storage, but the code: (1) sends the provided 'ocr_data' directly to an external endpoint by default (no auth required), and (2) saves raw response JSON and a text summary to ../runs/med-chronic-disease-review unless you override outputs. Recommended actions before installing or running on sensitive data:

1) Inspect or modify the code to implement and verify proper de-identification/redaction of PHI (names, IDs, phone numbers, addresses, images) before any network transmission.
2) Verify the remote service (shangbao.yunzhisheng.cn): who operates it, what they do with submitted data, and whether an authenticated, audited endpoint is available.
3) If you require no local persistence, change or remove the default output paths and avoid --save-prepared; run in a controlled sandbox.
4) Consider routing the skill to an internal/approved endpoint or requiring an API key and TLS pinning.
5) Test with synthetic data first to confirm behavior.

If you cannot verify the endpoint and implement safe redaction, treat the skill as too risky for real PHI.

Review Dimensions

Purpose & Capability
ok: Name/description (门诊慢病审核, "outpatient chronic disease review", for diabetes/hypertension) align with the included code: the package normalizes OCR inputs and posts them to a remote /api/v1/review/flow/by-ocr endpoint for rule-based review. Support for many input formats (pdf/docx/xlsx/csv/images/json) is consistent with a realistic preprocessing need.
Instruction Scope
concern: SKILL.md states '严格脱敏' ("strict de-identification") and '不做本地持久化' ("no local persistence"), but the actual code does not perform any automatic de-identification/redaction of OCR text before sending. The code constructs req_body with 'ocr_data' and POSTs it as-is to the remote API. Additionally, the CLI writes raw response JSON and a natural-language summary to ../runs/med-chronic-disease-review by default, contradicting the 'no local persistence' claim.
Install Mechanism
ok: No install spec / downloads are present (instruction-only with included scripts). The code may call optional local binaries (soffice, pdftotext, tesseract) for preprocessing when certain input types are used; this is expected and not unusual. No external archive downloads or opaque installers are present.
Credentials
note: The skill requests no environment variables or credentials. However, it sends potentially sensitive OCR content to a default external base URL (https://shangbao.yunzhisheng.cn/skills/chronic-disease) without requiring authentication, which may be surprising and increases exfiltration risk if you expect an authenticated service or local processing.
Persistence & Privilege
concern: Although the SKILL.md promises ephemeral in-memory handling, the scripts explicitly write outputs to disk (raw JSON and text summary) by default and can save prepared OCR arrays when invoked with flags. The code also uses temporary files/directories during office conversions. This is not privileged behavior per se, but it contradicts the declared 'no local persistence' guarantee.