Screens a Medicare/Medicaid claims corpus against the public rulebook (NCCI MUE, OIG LEIE,
CMS enrollment, PFS) and produces ranked, fully-cited investigation referrals for an SIU.
The skill orchestrates a three-tier investigation: a deterministic floor does the detection,
the model judges and narrates on top, and every dollar/rule allegation traces back to the floor.
-
Get the payer's claims into corpus.duckdb. Open with: "Where do your adjudicated claims
live?" and follow ${CLAUDE_PLUGIN_ROOT}/skills/fraud-detection/LOAD-CLAIMS.md — it walks you
and the user from "I don't know" to a populated $CLAUDE_HEALTHCARE_DATA/fraud-detection/data-cache/corpus.duckdb. If they
already have a .duckdb with the canonical tables (schema:
${CLAUDE_PLUGIN_ROOT}/skills/fraud-detection/claims-schema.sql), use it directly.
Draft the brief (corpusDb path, quarter, line of business) and confirm scope.
-
Seed the public reference layer (first run / new quarter only). Detectors cite against
$CLAUDE_HEALTHCARE_DATA/fraud-detection/data-cache/reference/<quarter>/reference.duckdb. If that file is missing for the
requested quarter, fetch it now — this prints per-source ✓ name (size) progress as ~34 sources land:
node "${CLAUDE_PLUGIN_ROOT}/skills/fraud-detection/scripts/fetch-reference.js" 2026q3
node "${CLAUDE_PLUGIN_ROOT}/skills/fraud-detection/scripts/fetch-enrichment.js"
Requires unzip and pdftotext (poppler) on PATH; both ship with most distros / brew install poppler. Needs real network egress — if you see "Could not resolve host" for cms.gov / oig.hhs.gov,
the command sandbox is blocking it; re-run with sandbox disabled. Policy PDFs (NCCI manual, MLN articles) land under reference/<q>/policy/*.txt
for grep; everything keyed lands in reference.duckdb. Skip if already present. If a fetch fails
or a table is missing, see REFERENCE-DATA.md for source URLs and recovery.
-
Create the run directory. Each invocation lands in its own minute-stamped directory so prior
runs are preserved side-by-side. Every script honors FRAUD_OUT_DIR:
export FRAUD_OUT_DIR="$CLAUDE_HEALTHCARE_DATA/fraud-detection/out/run-$(date +%Y%m%d-%H%M)"
mkdir -p "$FRAUD_OUT_DIR"
echo "$FRAUD_OUT_DIR"
Use the printed absolute path verbatim as outDir in the next step.
-
Run the investigation by calling the Workflow tool with:
scriptPath: ${CLAUDE_PLUGIN_ROOT}/skills/fraud-detection/workflows/investigate.js
args: { "corpusDb": "<abs path to corpus.duckdb>", "quarter": "2026q3", "lob": "medicaid", "pluginRoot": "${CLAUDE_PLUGIN_ROOT}/skills/fraud-detection", "dataRoot": "<abs $CLAUDE_HEALTHCARE_DATA/fraud-detection>", "outDir": "<abs FRAUD_OUT_DIR from step 3>" }
The workflow runs three stages (see "How it works"):
- Detect — runs the deterministic sweep (
scripts/screen.js, zero model) → $FRAUD_OUT_DIR/referrals.detect.json.
- Adjudicate — one agent per judgment-required finding (D2/D4/D7/D13) sets
status + adjudication.reason; mechanical detectors auto-confirm. Adjudicate may dismiss or downgrade, never add.
- Synthesize — one agent per provider writes the investigator narrative, plus novel-lead discovery with adversarial verification.
Tell the user they can watch the fan-out live with /workflows.
-
Materialize the stage snapshots + render (required — this is the reviewable deliverable). The
workflow sandbox has no filesystem, so write its return to disk and let apply-stages.js produce
the auditable spine. FRAUD_OUT_DIR does not persist across separate Bash calls — re-export
it (to the same absolute path you printed in step 3) at the top of every shell block that needs it:
Use the Write tool to save the workflow's return JSON verbatim to
$FRAUD_OUT_DIR/workflow-result.json (it can be 50KB+ — don't heredoc it through Bash). Then:
export FRAUD_OUT_DIR="<abs path from step 3>"
node "${CLAUDE_PLUGIN_ROOT}/skills/fraud-detection/scripts/apply-stages.js"
This writes $FRAUD_OUT_DIR/referrals.adjudicated.json, referrals.final.json, referrals.json
(canonical, = final), and the renderer sidecars (source-excerpts.json, providers.json).
Then render the packets FIRST, then the dashboard (the dashboard only links a provider row to its
packet if that packet file already exists), then the xlsx:
export FRAUD_OUT_DIR="<abs path from step 3>"
node "${CLAUDE_PLUGIN_ROOT}/skills/fraud-detection/scripts/render-packet.js" --all
node "${CLAUDE_PLUGIN_ROOT}/skills/fraud-detection/scripts/render-dashboard.js"
node "${CLAUDE_PLUGIN_ROOT}/skills/fraud-detection/scripts/render-xlsx.js"
→ $FRAUD_OUT_DIR/provider-packet-<npi>.html ×N, index.html, referrals.xlsx.
-
Show the dashboard so the user can validate it visually.
Skip this entirely in a headless/non-interactive run (eval, CI, Cowork) — just report the path.
Don't fail the run if opening/serving fails.
-
Relay: the ranked referrals (NPI, schemes, exposure $, confidence) and total exposure from
the workflow result, verbatim where it cites numbers. Surface meta.disclaimer if it is set. Do
not add any dollar or rule the deterministic floor did not produce. End the response with the
run-directory path on its own line so downstream graders/tools can locate the artifacts:
Run directory: <absolute $FRAUD_OUT_DIR>
-
Close the loop (optional) — see ${CLAUDE_PLUGIN_ROOT}/skills/fraud-detection/PROPOSE-DETECTORS.md
to mine this run for new detector candidates and payer-specific adjudicate-time checks.
Every allegation cites a public rule with a value the gate independently recomputes, or it is dropped.