Legal Brief Drafter

Security checks across malware telemetry and agentic risk

Overview

This is a local legal drafting helper with no hidden data transfer or destructive behavior, but its command-line drafting and analysis are much more limited than the documentation suggests.

Install only if you understand it is drafting assistance, not legal advice. Redact sensitive case details before use, verify all citations and legal conclusions independently, and review any generated files before sharing or filing them. Avoid running publish commands from a directory that contains private case materials.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 81%
Finding
The README provides a full community publishing workflow for a skill whose primary purpose is legal-document drafting, increasing the chance that users publish local skill contents or derived materials outside their intended confidentiality boundary. In the context of legal work, this is more dangerous because surrounding files or generated artifacts may contain sensitive case strategy, personal data, or privileged material, and the workflow lacks strong scoping and safety caveats.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The draft action does not generate or structure a legal document; it simply copies user-provided text into an output file with minimal decoration. In a legal-document skill, this mismatch is dangerous because users may rely on the tool for substantive drafting, causing inaccurate filings, omission of required legal structure, or unauthorized disclosure of sensitive case material into saved files.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The analyze action returns canned metadata and a fixed high confidence score without examining the case content in any meaningful way. This is especially risky in a legal context because it can create false trust in nonexistent analysis, potentially influencing legal strategy, filings, or case assessment based on fabricated confidence.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The header and descriptive text claim extensive legal drafting, strategy, and analytical capabilities that the implementation does not provide. Such capability inflation is dangerous because it can mislead users handling high-stakes legal matters into trusting outputs as professionally reasoned work product when the code is largely superficial.

Missing User Warnings

Medium
Confidence: 90%
Finding
The publishing commands instruct users to push the skill to the ClawHub community without an explicit warning that local skill contents may be uploaded publicly. In a legal-document skill, this omission is particularly risky because users may associate the tool with confidential case materials and underestimate the risk of accidental disclosure of private, sensitive, or privileged information.

VirusTotal

65/65 vendors flagged this skill as clean.
