📦 Clinical Doc Assistant — 临床文档助手
v1.0.4为医生、诊所管理者或医疗开发者提供一键起草、结构化与检索临床文档(含SOAP、转诊单、出院小结等)的智能助手,支持自然语言生成、模板填充与合规校验,显著提升医疗文书效率与质量。
0· 151·1 当前·1 累计
by 下载技能包
最后更新
2026/3/30
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
What to consider before installing or using this skill:
- Metadata mismatch: The registry metadata for this package said "no required env vars" while SKILL.md requires FHIR OAuth credentials (client id/secret/token URL). Treat that as a red flag — confirm the manifest before supplying secrets.
- PHI risk: If you use the hosted backend or supply CLINICAL_DOC_API_URL to a third party, the skill will transmit the full patient_context to that backend and then to Anthropic's API. Do NOT send real P...详细分析 ▾
ℹ 用途与能力
The SKILL.md and backend.py both implement a FHIR R4 document-generation assistant and require SMART-on-FHIR credentials (client id/secret, token URL) and/or a FHIR sandbox mode. This is coherent for the stated purpose. However, the top-level registry metadata reported to the scanner shows "Required env vars: none" while SKILL.md explicitly lists multiple requiredEnv variables (FHIR_CLIENT_ID, FHIR_CLIENT_SECRET, FHIR_TOKEN_URL, FHIR_BASE_URL). That metadata mismatch is an inconsistency that should be resolved before trusting the skill's manifest.
⚠ 指令范围
SKILL.md instructs the agent to fetch patient FHIR resources into the agent session and not to write PHI to disk — that is consistent with a drafting tool. But the package also includes backend.py which, when used, expects the agent to POST the structured patient_context to a hosted backend which then forwards the patient_context (embedded in an LLM prompt) to Anthropic's API. SKILL.md does warn about not sending PHI to third parties without a BAA, but the runtime instructions permit transmitting patient data to remote LLMs; this is a privacy/exfiltration risk if the hosted backend or Anthropic are used without appropriate legal/technical protections.
✓ 安装机制
There is no install spec — the skill is instruction-first and includes optional source for a self-hostable backend. No downloads or obscure install URLs are present. This is low install-mechanism risk.
⚠ 凭证需求
The environment variables required by SKILL.md (FHIR client id/secret/token URL, and optional ANTHROPIC_API_KEY or CLINICAL_DOC_API_* for the hosted backend) are proportionate to connecting to an EHR and an LLM backend, but they are highly sensitive. The skill requests OAuth client secrets (which grant access to patient data) and may require an Anthropic API key for LLM calls. Those credentials are appropriate only if you intend to connect to an EHR or to self-host the backend; they are excessive and dangerous if provided to an unknown third‑party hosted backend. The manifest/registry metadata omission of these env vars increases risk because an installer might not realize what secrets are needed or transmitted.
✓ 持久化与权限
The skill does not request 'always: true' nor modify other skills or system-wide settings. No persistent or elevated platform privileges are requested by the package itself.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.42026/3/29
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install clinical-doc-assistant
镜像加速npx clawhub@latest install clinical-doc-assistant --registry https://cn.longxiaskill.com