PathClaw
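v1.0.3
Performs pan-cancer AI-assisted diagnosis of pathology slides through the 华银康集团 PathClaw service, intended for preliminary screening by pathologists or researchers who have received slide images. When the user provides a pathology slide file in .svs format, it automatically authenticates and logs in, submits the diagnosis task, polls for the inference result, and returns the diagnostic conclusion and a heatmap link. Trigger conditions: the user asks to analyze a pathology slide, run a pan-cancer prediction, perform tumor screening, or mentions...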
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes logging in, uploading a .svs file, polling results, and returning a diagnosis — exactly what the name/description claim. However, the login step is underspecified: the POST /api/user/login is shown with no credentials or request body and the skill declares no required environment credentials. It's unclear whether the service issues anonymous tokens or expects credentials supplied elsewhere. Additionally, the file upload necessarily sends potentially sensitive medical images to an external domain (pathclaw.pathologyunion.com), which is consistent with the stated purpose but raises important privacy/regulatory considerations.
Instruction Scope
Instructions explicitly require reading a local .svs file and uploading it to an external service — expected for this task but high-risk for patient data. The SKILL.md includes detailed behavior (file existence/read checks, size, suffix, token handling, timeouts, retries, and output templates), which stay within the domain of slide analysis. Concerns: (1) no guidance about patient/PHI handling, consent, or de-identification before upload; (2) a commented-out alternate HTTP URL with a raw IP (http://119.91.47.20:8111) appears in the file, which is unexpected and could indicate an alternate or fallback endpoint that is not documented in the skill metadata.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Runtime instructions use curl examples; nothing is written to disk by an installer.
Credentials
The skill requests no environment variables or credentials in metadata, yet it performs an authentication step and expects a token in responses. The absence of declared credentials or a primaryEnv is unusual but may be valid if the service supports anonymous token issuance. Still, lack of clarity about who supplies credentials (user vs. service) is a proportionality mismatch that should be resolved before trusting the skill.
Persistence & Privilege
always is false and the skill does not request system-level persistence or modify other skills/config. It does require transient access to a user-provided local file for upload; autonomous invocation is allowed by default (not a special privilege) — combine that with the upload behavior and the agent could autonomously upload files if triggered, so be cautious about triggers and permissions.
What to consider before installing
This skill appears to be what it says (upload a .svs slide to PathClaw and return results), but there are several important things to check before installing or using it:
- Authentication clarity: Ask the publisher how login is supposed to work. The SKILL.md posts to /api/user/login with no credentials and the skill metadata declares no credentials — confirm whether the service issues anonymous tokens or whether you must supply API credentials elsewhere.
- Data privacy & compliance: Using this skill will upload whole-slide images (which may be protected health information) to an external server. Ensure you have legal and institutional approval (e.g., HIPAA, GDPR), patient consent, and that the destination service has appropriate protections and a privacy/data processing agreement.
- Verify endpoints: The documentation includes a commented IP address (119.91.47.20:8111) in addition to pathclaw.pathologyunion.com. Confirm the correct, official endpoint and that communications use HTTPS and valid certificates. Avoid using raw IP endpoints unless you can verify them.
- Test safely: Before sending real patient data, test with non-sensitive dummy slides and confirm behavior, timeouts, and token handling. Confirm the skill does not log full tokens and that logs are properly redacted as suggested.
- Request provenance: There is no homepage, source, or publisher info. If possible, get the publisher's identity, an official service SLA or docs, and source code or more detailed integration docs to increase trust.
If these questions cannot be satisfactorily answered, do not use the skill with real patient data.
Like a lobster shell, security has layers — review code before you run it.
latest
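Overview
This skill wraps the complete call flow of the 华银康集团 PathClaw pan-cancer prediction service. After receiving a .svs pathology slide file, it automatically performs user authentication, task submission, and result polling, then returns the AI-assisted diagnostic conclusion and a heatmap link.
Workflow
Prerequisites
The user must provide the path to a pathology slide file (.svs format). If the user has not provided one, ask:
Please provide the path to the pathology slide file, for example: C:\path\to\slide.svs
Step 1: Obtain an authentication token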
curl -X POST https://pathclaw.pathologyunion.com/api/user/login
<!--http://119.91.47.20:8111/api/user/login -->
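Extract data.token from the response. This token must be included in the Authorization: Bearer <token> header of all subsequent requests.
Step 2: Start the diagnosis task
Important: the uploaded file must be in .svs format. If validation fails, abort the operation and tell the user:
The file is not a valid pathology slide format (expected .svs)
File validation rules (all must pass before uploading)
- The file path must exist and be a regular file (not a directory).
- The file must be readable (the current process has read permission).
- The file size must be greater than 0 bytes.
- The file extension must be .svs (case-insensitive; .SVS is also allowed).
- If any check fails, stop immediately and do not call the diagnosis endpoint.
Example of a validation failure: C:\Users\HYK\Desktop\SKILL.md → prompt
The file is not a valid pathology slide format (expected .svs)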
curl -X POST https://pathclaw.pathologyunion.com/api/v1/diagnosis/run \
-H "Authorization: Bearer <token>" \
-F "slide_file=@/path/to/slide_file"
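The response contains data.slide_id; save this ID for the next step.
Step 3: Retrieve the diagnosis result
After starting the diagnosis, wait 10 seconds, then request: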
curl -X GET https://pathclaw.pathologyunion.com/api/v1/diagnosis/<slide_id>/result \
-H "Authorization: Bearer <token>"
ai_diagnosis_status status codes:
| Status code | Meaning |
|---|---|
| 0 | Unknown |
| 1 | Queued |
| 2 | In queue |
| 3 | Analyzing |
| 4 | Analysis succeeded |
| 5 | Analysis failed |
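Security and exception-handling requirements
- Token security
  - Never write the full token to logs.
  - For debugging, only redacted output is allowed (for example, the first 6 characters + ***).
- Network and timeouts
  - Every HTTP request must set a timeout (recommended: connect timeout 10 seconds, read timeout 60 seconds).
  - On timeout or network error, retry at most 2 times (exponential backoff: 1s, 2s).
  - Once the retry limit is exceeded, return a clear failure message and stop the flow.
- HTTP status code handling
  - 2xx: parse according to the normal flow.
  - 401/403: report that authentication failed or the token is no longer valid, and stop the flow.
  - 4xx: report a request parameter error (including problems with the file or the endpoint parameters), and stop the flow.
  - 5xx: report a server-side error; retry according to the retry policy, and stop after failure.
- Result status handling
  - When the status is 1/2/3: continue polling.
  - When the status is 4: output the final diagnosis result.
  - When the status is 5: output "Analysis failed" together with the returned error information, and stop the flow.
  - When the status is 0 or an unknown value: treat it as an abnormal state and stop the flow.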
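The local guards these rules call for, as an added shell example that is not part of the PathClaw skill or the original page: the step 2 pre-upload file checks, token redaction for logs, and fail-closed dispatch on HTTP status and ai_diagnosis_status. The function names are hypothetical, and fully masking tokens of 6 characters or fewer is an assumption beyond the stated rule.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the PathClaw skill.

# validate_slide PATH: return 0 only if every pre-upload rule passes.
validate_slide() {
    [ -f "$1" ] || { echo "not an existing regular file: $1" >&2; return 1; }
    [ -r "$1" ] || { echo "file is not readable: $1" >&2; return 1; }
    [ -s "$1" ] || { echo "file is empty: $1" >&2; return 1; }
    case "$1" in
        *.[sS][vV][sS]) return 0 ;;   # suffix check is case-insensitive
    esac
    echo "The file is not a valid pathology slide format (expected .svs)" >&2
    return 1
}

# redact_token TOKEN: print the only form of the token allowed in logs.
redact_token() {
    # Assumption: a token of 6 characters or fewer is masked entirely,
    # otherwise "first 6 + ***" would print the whole secret.
    if [ "${#1}" -le 6 ]; then echo '***'; return 0; fi
    printf '%s***\n' "$(printf '%s' "$1" | cut -c1-6)"
}

# http_action CODE: map an HTTP status to ok | auth | client | retry | abort.
http_action() {
    case "$1" in
        2[0-9][0-9]) echo ok ;;
        401|403)     echo auth ;;     # must precede the generic 4xx arm
        4[0-9][0-9]) echo client ;;
        5[0-9][0-9]) echo retry ;;    # retried at most 2 times, then stop
        *)           echo abort ;;
    esac
}

# poll_action STATUS: map ai_diagnosis_status to poll | done | failed | abort.
poll_action() {
    case "$1" in
        1|2|3) echo poll ;;
        4)     echo done ;;
        5)     echo failed ;;
        *)     echo abort ;;          # 0, empty or unknown values fail closed
    esac
}
```

Calling validate_slide before any request keeps a rejected file from ever leaving the machine, and passing every token through redact_token before it reaches a log line enforces the logging rule in one place.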
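API summary
| Step | Method | Endpoint | Authentication | Request body |
|---|---|---|---|---|
| 1. Log in | POST | /api/user/login | None | None |
| 2. Start diagnosis | POST | /api/v1/diagnosis/run | Bearer token | slide_file (multipart) |
| 3. Get result | GET | /api/v1/diagnosis/{slide_id}/result | Bearer token | None |
Output specification
Output during execution must follow these rules:
- Initialization phase: output "Confirming user information and status..."
- Upload and invocation phase: output "User information confirmed.\nCalling the **华银康集团 PathClaw service** for pan-cancer prediction."
- Inference waiting phase: on the first poll, output "The slide has been uploaded and inference is in progress..."
  - On the second and subsequent polls, output "The result is still being inferred, please wait patiently..."
- Final diagnosis result analysis: plain text + unordered list output, using the following template:
  - Inference for the current slide is complete. The slide {{file_name}} was analyzed with the assistance of the 华银康集团 PathClaw service, which indicates "{{diagnosis_result}}". Further pathology review or immunohistochemistry testing is recommended to confirm the diagnosis.
  - To view the heatmap, click the following link: {{short_link}}
  - This AI-assisted diagnosis result is for reference only and does not constitute a final diagnostic recommendation. The final diagnosis should be made by a qualified physician based on the clinical situation and other test results.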
