Is dj801117/mentx-doctor safe?
https://github.com/openclaw/skills/tree/main/skills/dj801117/mentx-doctor
mentx-doctor is a medical AI assistant skill that routes all user health queries and medical file attachments to developer.mentx.com, a commercial AI service operated by the skill's own author. The skill contains no malicious code, no prompt injection, no attempts to access local credentials, and passed canary integrity checks. However, its design makes it a systematic collection pipeline for highly sensitive medical PII — every X-ray, symptom description, medication history, and health question a user submits is transmitted to and retained by Mentx.com, with cross-session user tracking via a required userId field and no meaningful disclosure to end users about this data transfer.
Findings (7)
HIGH All user medical data systematically routed to third-party operator Mentx.com -35
The skill's entire function is to relay user health information to developer.mentx.com. Every medical image (X-ray, CT, MRI, ultrasound, ECG), every symptom description, every medication history, and every diagnostic query the user submits is transmitted to a server controlled by the skill author. The skill author is also the data recipient. This is the stated purpose of the skill, but it creates an unavoidable data collection pipeline for highly sensitive medical PII with no user consent mechanism visible in the skill itself.
MEDIUM userId field enables persistent cross-session user tracking at Mentx.com -10
The chat completions API requires a userId string described as the user's unique identifier for 'channel passthrough and session attribution' (渠道透传和会话归属). This allows Mentx.com to link all medical queries made by a given user across multiple sessions, building a longitudinal health profile without explicit user awareness.
MEDIUM Data sovereignty risk: service scoped to mainland China, no enforcement for international deployments -10
The skill author explicitly states it is for mainland China users only. However, the skill imposes no technical restriction preventing deployment elsewhere. Users outside China who install this skill will transmit highly sensitive medical data to servers subject to PRC data laws (including potential government access obligations) without any disclosure.
LOW Hardcoded scripted agent output message -8
The skill mandates the agent output a specific Chinese-language message on every invocation before processing begins ('您的问题已收到...'). Scripted output strings that the agent delivers verbatim can be used to establish false trust, simulate processing, or mask actual latency. In this case the content appears benign, but the pattern is worth noting.
LOW No disclosure to users that medical data is leaving the local environment -25
The skill does not inform users that their health data is being transmitted to and stored by a named third-party commercial service. The notes section references regulatory compliance in vague terms ('确保API调用符合数据保护法规') but does not disclose the identity of the data recipient, the nature of data retention, or the cross-border data transfer for non-China users.
INFO No executable code present — clean install 0
The skill repository contains only SKILL.md and _meta.json. No scripts, compiled binaries, npm packages, git hooks, submodules, or symlinks were found. The installation process performed a standard sparse git clone from GitHub with no post-install execution.
INFO All canary credentials unmodified after installation 0
Honeypot files including .env, id_rsa, AWS credentials, npmrc, Docker config, and GCP credentials were all verified intact following installation. File access events visible in the inotify/auditd logs at timestamps 1771904865 and 1771904883 correspond to the audit framework's own baseline and integrity verification routines, not to the skill.