← Back to Skills Marketplace
Salubrista HaH
by
felix-antonio-sl
· GitHub ↗
· v1.0.1
· MIT-0
109
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install salubrista-hah
Description
Use this skill when the user needs analysis, design, implementation, evaluation, dashboards, decision scenarios, or normative guidance for integrated hospita...
Usage Guidance
This skill appears to be a coherent HaH/hospitalization copilot that bundles a large corpus of policy and agent workflow files, which is appropriate for its stated purpose. However: 1) one of the bundled docs (references/agent/AGENTS.md) contains an explicit Authorization: Bearer <token> and example webhooks to other agent gateways — that looks like a secret and a network-calling instruction embedded in the corpus and is not declared anywhere else; 2) the instructions reference a web_fetch-style call that is not listed among allowed tools in config.json (mismatch); 3) file path mappings in TOOLS.md point to /home/node/knowledge/..., whereas SKILL.md/manifest present files under references/ — clarify whether the corpus is platform-mounted or being read from the skill bundle. Before installing or enabling this skill you should: - Ask the publisher to remove any hard-coded credentials from bundled documentation (or explain why the token is safe and necessary). - Confirm which runtime tools the agent is allowed to use (can it make HTTP POSTs/webhooks?) and whether web_fetch is actually available. - Verify the meaning and safety implications of sandbox.mode = 'permissive' on your platform. - If the skill must call other internal agents, request that those credentials be supplied via properly-scoped environment variables or an operator-controlled secret store (not embedded in docs) and that the skill declare them in requires.env. - Consider running the skill in a constrained environment or with network access disabled until the above are resolved. If you want, I can produce a short checklist of questions to send to the skill author or sample text requesting removal of embedded secrets and clarification of expected network behavior.
Capability Analysis
Type: OpenClaw Skill
Name: salubrista-hah
Version: 1.0.1
The skill bundle is a highly detailed medical expert system for Chilean hospital-at-home (HaH) management. It is classified as suspicious due to the inclusion of a hardcoded Authorization Bearer token in 'references/agent/TOOLS.md' used for inter-agent communication within a 'federation,' which constitutes a credential exposure vulnerability. Additionally, 'references/agent/config.json' specifies a 'permissive' sandbox mode. However, the bundle lacks clear malicious intent, as it explicitly denies 'code_execution' and 'workspace_write' capabilities, and the instructions are strictly focused on medical administrative logic and regulatory compliance.
Capability Assessment
Purpose & Capability
The skill name, description and the bundled reference files are coherent with an integrated-hospitalization / Hospital-at-Home (HaH) copilot: the corpus and agent files are directly relevant to the stated purpose. However, some embedded operational instructions (see AGENTS.md) include a hard-coded Authorization: Bearer token and explicit webhook examples to call other agents; those credentials and network-call examples are not explained or declared as required, which is unexpected for a documentation-only skill and not clearly justified by the stated purpose.
Instruction Scope
SKILL.md instructs the agent to read bundled reference files (expected). But some included files (references/agent/AGENTS.md and TOOLS.md) instruct using web_fetch-like hooks to post to internal agent gateways (http://{gateway_host}:{port}/hooks/agent) including a literal Bearer token. The config.json does not expose web_fetch as an allowed tool and does not declare that token as a required credential. The skill thus contains instructions that would cause network calls and credential use that are not declared in the SKILL.md output contract, creating an instruction-scope mismatch and potential exfiltration or unauthorized internal API usage.
Install Mechanism
No install spec and no code files—this is instruction-only. That reduces the risk of arbitrary code being written/executed on the host. There is nothing being downloaded or extracted by the skill itself.
Credentials
The skill declares no required environment variables or credentials, yet AGENTS.md contains a hard-coded Authorization: Bearer token and shows POST examples to internal gateways. Embedding an auth token in documentation without declaring it or explaining its purpose is disproportionate and risky: it suggests a secret could be used by the agent even though the skill did not request or justify such access. There are also references to filesystem paths (/home/node/knowledge/..., /home/node/shared/) that differ from the skill-local references/ paths, which creates ambiguity about what external resources the skill expects to read.
Persistence & Privilege
always:false and user-invocable:true (normal). config.json runtime_capabilities explicitly denies code_execution, workspace_write and agent_deploy (good). However config.json includes sandbox.mode = 'permissive' which may broaden allowed runtime behaviors on some platforms; this is not justified in SKILL.md and is worth verifying with the operator. The skill does reference a federation and shared directories, meaning it expects cross-agent interaction, but it does not declare the required network permissions or credentials.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install salubrista-hah - After installation, invoke the skill by name or use
/salubrista-hah - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Bundled the complete original agent and knowledge files into the skill under `references/`, rather than requiring external directories.
- Updated internal paths and instructions to use the packaged originals directly in `references/agent/` and `references/knowledge/hodom/`.
- No changes to workflow, clinical scope, or output contract; all original logic and files included without distillation or summarizing.
- Now supports fully portable operation by including all referenced domain and agent material within the skill package.
v1.0.0
Initial release of the salubrista-hah skill for integrated hospitalization system analytics and guidance.
- Supports analysis, design, evaluation, and dashboards with focus on hospital-at-home and hospital-to-home continuity, especially in the Chilean context.
- Includes clear workflow: classifies user requests, routes to relevant knowledge/regulation/products, and enforces coverage boundaries.
- Complies with Chilean HD regulation and addresses Director Tecnico requirements, compliance, and operational standards.
- Explicitly communicates scale, modality, methodology, assumptions, and risk with every output.
- Includes guardrails to prevent unsupported clinical decisions, unwarranted assumptions, or fabricated details.
Metadata
Frequently Asked Questions
What is Salubrista HaH?
Use this skill when the user needs analysis, design, implementation, evaluation, dashboards, decision scenarios, or normative guidance for integrated hospita... It is an AI Agent Skill for Claude Code / OpenClaw, with 109 downloads so far.
How do I install Salubrista HaH?
Run "/install salubrista-hah" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Salubrista HaH free?
Yes, Salubrista HaH is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Salubrista HaH support?
Salubrista HaH is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Salubrista HaH?
It is built and maintained by felix-antonio-sl (@felix-antonio-sl); the current version is v1.0.1.
More Skills