unisound-pe-missing-negative

Review

Audited by ClawScan on May 16, 2026.

Overview

This skill appears purpose-aligned for medical-record quality control, but users should notice that it sends record-derived content to a HiVoice medical model, uses an app key, and can optionally save prepared medical text locally.

Install only if you are comfortable sending de-identified physical-exam and diagnosis text to the configured HiVoice MaaS endpoint. Protect the app key, avoid the debug save option for real patient data, and verify the shared preprocessing helper before using non-text file inputs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

De-identified medical record excerpts may leave the local environment and be processed by the configured HiVoice MaaS endpoint.

Why it was flagged

The code embeds record-derived physical-exam and diagnosis fields into chat messages and posts them to an external OpenAI-compatible endpoint.

Skill content

url = f"{base.rstrip('/')}/chat/completions" ... payload = {"model": model, "messages": messages, "temperature": 0} ... 体格检查:{pe}\n诊断:{dx}

Recommendation

Use only de-identified records, keep the default endpoint unless an alternate endpoint is trusted, and confirm the provider's privacy and retention terms.

What this means

Anyone with the app key may be able to call the associated model service under that account or allocation.

Why it was flagged

The skill uses a user-supplied app key as a bearer token for the medical model API, which is expected for this integration but still a credential boundary.

Skill content

headers = {"Authorization": f"Bearer {appkey}"}

Recommendation

Do not hardcode the app key in files or commit it to a repository; use a restricted, revocable key and rotate it if exposed.

What this means

If the debug option is used, sensitive medical text can remain on disk after the run.

Why it was flagged

The privacy statement says inputs and intermediate results are not persisted, but the documented debug flag can save the preprocessed record text.

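Skill content

No local persistence: inputs and intermediate results are not written to local persistent storage ... --save-prepared: save the preprocessed text, for easier debugging.

Recommendation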

Avoid --save-prepared for real patient data unless the output directory is protected and the saved file is deleted when no longer needed.

What this means

Using pdf/doc/docx/xls/xlsx/csv/json input depends on external shared code that was not reviewed here.

Why it was flagged

The multi-format runner imports a shared preprocessing module outside the listed skill files, so that helper's behavior is not shown in the provided artifacts.

Skill content

_preprocess_dir = SKILLS_ROOT / "_shared" / "doc-preprocess" / "scripts" ... from preprocess import PreprocessError, SUPPORTED_FILE_TYPES, detect_input_type, load_input_artifact

Recommendation

Use the plain text entry point when possible, or verify that the shared doc-preprocess module is trusted and from the expected repository.