Legal Matter Intake Summarizer

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do more than legal intake summarization by running local audit/scanning code over arbitrary files and writing reports, so users should review its scope before installing.

Install only if you intentionally want a local filesystem audit/reporting tool as well as a legal summarizer. Run it on a narrow, copied test folder first, avoid pointing it at full case repositories or home directories, and review any generated report for privileged or secret material before sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill declares no permissions, yet its documented behavior includes reading local resources, invoking python3, and writing an output file. This creates a trust and enforcement gap: reviewers or policy engines may treat it as passive text-only logic while it can actually access files and execute shell-mediated processing.

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding: The skill states that for external actions it should stay within review/dry-run boundaries, but then instructs execution of a shell command when one is available. That contradiction can normalize real command execution in contexts where users and operators expect analysis-only behavior, increasing the chance of unintended processing of local files or unsafe chaining into broader workflows.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The security boundary claims the skill is 'read-only', but the documented command writes to an output file. False or overstated safety claims are dangerous because users, orchestrators, or automated policy systems may grant broader trust than warranted, leading to unauthorized file creation or modification in sensitive working directories.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The script supports multiple broad operating modes, such as directory audit, CSV audit, pattern scanning, and skill auditing, which materially exceed the declared purpose of a legal matter intake summarizer. This mismatch increases the attack surface and enables users or downstream agents to inspect arbitrary local files and repositories, potentially exposing sensitive data unrelated to legal intake workflows.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The built-in pattern scanning logic reads arbitrary files and searches for secrets, private URLs, and shell-danger patterns, which is unrelated to the stated legal summarization function. In a legal context this is especially risky because case folders may contain privileged, confidential, or regulated material, and the scanner can surface sensitive snippets into generated reports.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The skill audit/compliance reporting capability inspects repository structure and frontmatter for arbitrary skill directories, which is unrelated to legal intake summarization and allows broader filesystem inspection than users would expect. While it does not directly execute code, it can disclose file presence, metadata, and repository contents that may be sensitive in multi-project or shared environments.

VirusTotal

66/66 vendors flagged this skill as clean.