unisound-chief-complaint-disease-op
Security checks across malware telemetry and agentic risk
Overview
The skill’s code matches its stated medical-record quality-check purpose, but users should only send de-identified records, protect the app key, and verify the shared preprocessing/provenance details.
This skill appears purpose-aligned and not suspicious. Before installing or running it, verify the publisher/provenance, use the default or another trusted model endpoint, pass the app key carefully, de-identify medical records, and avoid the --save-prepared debug option unless local storage is acceptable.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If records are not de-identified, patient information could be transmitted to the model provider.
The code sends LLM chat messages, including parsed medical-record content, to the configured HiVoice-compatible chat/completions endpoint. This is disclosed and purpose-aligned, but the content can be sensitive.
DEFAULT_LLM_BASE = "https://maas-api.hivoice.cn/v1" ... payload = {"model": model, "messages": messages, "temperature": 0}
Use only de-identified records, confirm the provider endpoint is trusted, and ensure any required data-processing agreement or internal approval is in place.
A leaked or misdirected app key could allow unauthorized model API use or billing under the user’s account.
The skill requires a user-provided app key and sends it as a bearer token to the configured model API. This is expected for the integration and there is no evidence of hardcoding or logging the key.
def make_llm_caller(appkey: str, base: str = DEFAULT_LLM_BASE, model: str = DEFAULT_LLM_MODEL, timeout: int = 0): ... headers = {"Authorization": f"Bearer {appkey}"}
Provide the key only when needed, keep it out of shared files and command histories where possible, and avoid overriding --base to an untrusted URL.
Running the multi-format path depends on whatever local _shared/doc-preprocess code is installed.
The multi-format entry point imports a shared preprocessing module outside this skill’s provided file manifest. The dependency is documented and purpose-aligned, but its behavior is not reviewable from the supplied artifacts.
_preprocess_dir = SKILLS_ROOT / "_shared" / "doc-preprocess" / "scripts" ... from preprocess import
Verify the shared preprocessor is trusted and up to date, or use scripts/emr_qc.py with plain text input if the shared helper is not available or not reviewed.
Users have less certainty that the package metadata consistently identifies the publisher and package lineage.
The embedded _meta.json owner and slug differ from the supplied registry metadata owner and slug, which is a provenance/packaging inconsistency rather than evidence of malicious behavior.
"ownerId": "kn76wejkeqxfc03j0rfxp2jaj982m7aa", "slug": "doctor.emr-qc.chief-complaint-disease-op"
Verify the publisher and package provenance before using the skill with medical data or provider credentials.
Using the debugging option may leave a local copy of sensitive record text.
The privacy statement says inputs and intermediate results are not persisted, while the documented --save-prepared option can save preprocessed text. Because this option is disclosed and user-directed, it is a notice rather than a concern.
**No local persistence** ... `--save-prepared`: saves the preprocessed text to aid debugging
Avoid --save-prepared for real patient records unless the output directory is protected and the file retention policy is clear.
