Skill v1.0.1

ClawScan security

med-critical-disease-review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 3:28 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill generally does what it says (calls an assessment API for major-disease claims) but contains important inconsistencies around endpoints, privacy claims, and local persistence that you should verify before installing.
Guidance
Key things to check before installing or running this skill:
- Endpoint sanity: Confirm which endpoint will actually receive medical data — the SKILL.md mentions an internal IP (10.10.20.15:9010) but the code posts to https://shangbao.yunzhisheng.cn/.... Ask the maintainer which endpoint is intended and whether it is within your trusted network.
- Privacy promises vs. code behavior: The README claims PII will be stripped and nothing is persisted, but the visible code does not show any de-identification and it writes API responses and text summaries to ../runs by default. If you need to send PHI, require proof of the redaction implementation or add a validation step yourself. Consider running with synthetic data first.
- Network/data exposure: This skill will transmit structured medical records to a remote service. If your organization restricts outbound network traffic for sensitive health data, run the skill in an isolated environment or block outbound access until you can verify the endpoint and its retention/processing policies.
- Local persistence: If you want to avoid files being written, run with explicit output paths (or inspect/run the code and remove or write-protect the save points). Search the full run.py for any other write operations (the provided run.py was truncated in the package listing).
- Testing and audit: Review the full run.py (the package listing is truncated) to confirm there are no hidden calls or additional endpoints. Test using non-sensitive sample records that simulate structure but contain no real patient identifiers.

Given these inconsistencies (endpoints, privacy claims vs. code writes), treat the skill as suspicious until the author clarifies the redaction logic, the actual network destination, and data retention behavior.

Review Dimensions

Purpose & Capability
Note: The skill's stated purpose — calling an assessment service for 28 major-disease types — matches the code, which builds a medicalRecord payload and posts it to an external assessment API (major_disease_assess.call_major_disease_assess). However, SKILL.md also references an internal IP (http://10.10.20.15:9010) while the code's BASE_URL is https://shangbao.yunzhisheng.cn/..., which is an inconsistency you should confirm (different endpoints imply different network exposure).
Instruction Scope
Concern: The documentation claims strict desensitization and 'no local persistence', but the visible code does not implement any de-identification/PII redaction logic (validate_payload only checks structure) and the code writes the API response and natural-language output to disk by default (../runs/med-major-disease-assess/{disease}_resp.*). That contradicts the SKILL.md privacy promises and widens data exposure (sensitive medical data will be transmitted to a remote endpoint and may be saved locally unless you pass custom options).
Install Mechanism
OK: This is an instruction+script skill with no install spec — no packages are force-installed. It optionally uses standard third-party Python packages (openpyxl, pypdf) and external binaries (libreoffice/soffice, pdftotext, tesseract) for input parsing. Those are expected for document processing and are documented as optional.
Credentials
Note: The skill does not request environment variables or credentials (no secrets required), which is proportionate. However, it will perform outbound HTTP(S) requests to shangbao.yunzhisheng.cn (and SKILL.md mentions an internal IP alternative). Because the payload contains medical records, network transmission to an external service is a privacy risk and should be validated against your data policies.
Persistence & Privilege
Concern: The skill is not marked always:true (no forced global enable), but despite SKILL.md claiming 'no local persistence', the code saves raw JSON and text outputs to disk by default and can create ../runs directories. That persistence behavior contradicts the documented guarantee and increases the attack surface for sensitive data on disk.