Attorney

Security checks across malware telemetry and agentic risk

Overview

This is a plain-text attorney-navigation skill with broad legal triggers, but it is disclosed, purpose-aligned, and does not request code execution, credentials, or privileged access.

Install this if you want help organizing legal questions, deciding when to contact a lawyer, and preparing for attorney interactions. Treat outputs as informational triage, not legal advice; confirm before using it on sensitive documents, avoid sharing unnecessary privileged details, and consult a licensed attorney for jurisdiction-specific or high-stakes matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium, 91% confidence
Finding
The examples present legal-guidance prompts and model responses as ready-to-use assistance without clearly stating that the output is informational and not a substitute for licensed legal advice. In a legal-assistance skill, users may reasonably rely on the agent for jurisdiction-specific or case-specific decisions, which can lead to harmful actions, missed deadlines, waiver of rights, or other adverse legal consequences.

Vague Triggers

Medium, 83% confidence
Finding
The opening trigger instructs the agent to run on very broad language such as 'I have a new legal situation,' which can easily match ordinary discussion rather than an intentional skill invocation. In a legal-assistance skill, unintended activation is risky because it may cause the agent to over-handle sensitive legal issues, collect unnecessary personal information, or give workflow-driving guidance when the user was only conversing generally.

Vague Triggers

Medium, 88% confidence
Finding
The document-receipt trigger is framed as 'Run immediately when any legal document arrives,' which is ambiguous and overly broad for a domain involving deadlines, legal consequences, and highly sensitive content. This increases the chance of accidental triggering on routine mentions of contracts, notices, or summaries, potentially causing the agent to ingest confidential material or provide urgent-seeming guidance without confirming scope or jurisdiction.

Vague Triggers

Medium, 89% confidence
Finding
The trigger list includes broad terms such as "legal advice," "court," "lawsuit," and "legal document," which can cause the skill to activate for many general legal discussions rather than only when the user wants attorney-navigation help. Over-broad activation can route users into an inappropriate workflow, increasing the risk of irrelevant guidance, missed intent, or over-collection of sensitive legal details in contexts where the skill was not actually requested.

VirusTotal

66/66 vendors flagged this skill as clean.
