unisound-followup-mgmt
Review
Audited by ClawScan on May 16, 2026.
Overview
The skill is purpose-aligned, but it sends sensitive health reports to an external LLM while overstating its privacy protections and under-declaring its credential requirements.
Review before installing or using: only run this skill if you trust the configured LLM provider, manually remove direct identifiers from reports, protect the app key, and verify the publisher/package identity. Treat generated follow-up plans as health-management guidance that should be reviewed by qualified medical staff.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A health report, potentially including personal identifiers or medical findings, may leave the local environment and be processed by the external/internal LLM provider.
The script places the full input report text directly into the LLM request, so any identifiers or sensitive medical details in the file are sent to the configured model endpoint.
prompt = f"""请根据以下体检报告,制定检后随访管理计划。\n\n【体检报告】\n{report_text.strip()}
Use only with a trusted provider and remove names, IDs, phone numbers, addresses, and other identifiers before running; the skill should implement or clearly require redaction before API submission.
Users may provide identifiable health data believing the skill automatically anonymizes it.
The documentation assures strict de-identification before sending, but the provided code forwards the raw report text; this can lead users to over-trust the privacy protection.
- **Strict de-identification**: personally identifiable information is de-identified before sending.
Clarify that de-identification is the user's responsibility or add verified automatic redaction before any network call.
The app key may grant access to the medical model API and should be treated as a secret.
The skill requires a provider authentication key, which is expected for the stated API use, but registry metadata declares no primary credential.
`--appkey STRING`: **Required**. The authentication key for calling the internal medical large model, assigned by the platform.
Use a scoped/rotatable key, avoid sharing command history or logs containing the key, and update metadata to declare the credential requirement.
Users cannot be fully certain that the package identity matches the registry listing.
The packaged metadata owner/slug differ from the registry name and owner shown for this evaluation, which raises a provenance consistency concern.
"ownerId": "kn76wejkeqxfc03j0rfxp2jaj982m7aa", "slug": "health-exam.post-exam-mgmt.followup-mgmt"
Verify the publisher and package identity before sending medical data or credentials through the skill.
