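📦 Intelligent Health Management and Assessment Assistant — Skill Tool
v1.0.0
Based on multi-dimensional health data provided by the user (such as basic information, physiological indicators, lifestyle, medical history, and physical examination results), performs comprehensive analysis and risk assessment, and generates a structured, personalized health assessment report.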
Security scan
OpenClaw
Suspicious
medium confidence
The skill's behavior broadly matches a health-assistant (calling a backend LLM) but there are coherence and privacy concerns — notably a hardcoded API key in repository docs that contradicts the stated dynamic key fetching, and the skill will send full conversation history and sensitive health data to third-party endpoints.
Assessment recommendations
This skill will collect structured personal health information and send the full conversation history and lab results to external servers (ydai.jinbaisen.com and a token host) to obtain an assessment. Before installing or using it, consider: 1) confirm who operates those endpoints and read their privacy/security policies (are they trustworthy and compliant with local health data rules?); 2) treat the repository's references/api_docs.md hardcoded API key as a potential secret leak — ask the autho...
ℹ Purpose and capabilities
Name and description claim to collect multi-dimensional health data and call a backend model for risk assessment — the code and SKILL.md do exactly that (calls a remote LLM at ydai.jinbaisen.com). Requiring network access and an API key is coherent with the stated purpose. However the repository also contains a plaintext API key in references/api_docs.md which contradicts SKILL.md's claim that the key is not stored and is dynamically fetched.
⚠ Instruction scope
The runtime instructions and code explicitly require packing and sending the entire conversation history together with collected health data (PHI) to the remote model and insist on 'complete, unmodified' passthrough. This is functionally necessary to get an LLM-based assessment but increases privacy exposure because it encourages sending all prior context (may include unrelated sensitive content). The SKILL.md discipline of 'do not summarize or redact' amplifies exfiltration risk of sensitive user data.
✓ Install mechanism
This is an instruction-only skill with one code file; there is no install spec and nothing is downloaded at install time. That minimizes install-time code-execution risk.
⚠ Credential requirements
The skill declares no required env vars or credentials, but: 1) scripts fetch an API key at runtime from https://jiyinjia.jinbaisen.com/!token?key=skill_jk using a subprocess 'curl' call; and 2) references/api_docs.md contains a hardcoded API key (fastgpt-...) and explicit API host info. The hardcoded key in repo contradicts the stated dynamic-fetch behavior and is a potential secret leak. Also, the skill will transmit protected health information to third-party hosts (ydai.jinbaisen.com and the token host), which is a proportionality/privacy concern that users must evaluate.
✓ Persistence and privileges
The skill is not always-enabled and does not request elevated agent privileges. It does not modify other skills' configs. Autonomous invocation is allowed (platform default) but not combined with other privilege escalations here.
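Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.0 2026/4/16
Intelligent Health Management and Assessment Assistant v1.0.0 released
- Newly launched; supports analysis based on multi-dimensional health data and automatically generates structured, personalized health assessment reports.
- Guides the user to fill in basic information, medical history, medication history, physical examination reports, etc. in order, ensuring the information is complete before the assessment.
- Connects to the backend medical large-model API, automatically carries the context history, and displays the model's reasoning and report content completely and losslessly.
- Places special emphasis on fully preserving format and content; no omission, deletion, interpretation, or proactive generation of medical advice is allowed.
- Supports generating an HTML health report from a template on user request (for cancer-related cases, the health screening and consultation entry point is shown automatically).
- Provides configuration information such as health screening links and a service hotline, so users can obtain further services and support.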
● Suspicious
Install command
Official: npx clawhub@latest install geneplus-health-assistant
Mirror (accelerated): npx clawhub@latest install geneplus-health-assistant --registry https://cn.longxiaskill.com (mirror sync in progress)