Dispute Letter

PassAudited by ClawScan on May 1, 2026.

Overview

This looks like a simple dispute-letter template tool, with some packaging and local-storage details users should notice before relying on it.

This skill appears safe to use as a local template generator, but verify the actual commands first and be careful with sensitive dispute details because one included helper script can keep local logs/data under ~/.local/share/dispute-letter or a directory set by DISPUTE_LETTER_DIR.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI09: Human-Agent Trust Exploitation

What this means

The tool may not provide the specific dispute-letter modes it advertises, so a user could rely on incomplete or mismatched functionality.

Why it was flagged

The advertised command list differs from the included scripts, which implement commands such as consumer, credit, contract, and landlord, plus a separate generic utility script. This may confuse users about what the skill actually supports.

Skill content

consumer        consumer
  landlord        landlord
  employer        employer
  insurance       insurance
  bank            bank
  template        template

Recommendation

Check the actual available commands before use and review generated letters carefully, especially for legal or financial disputes.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installation or invocation may be less predictable than the registry metadata suggests.

Why it was flagged

The registry presents the skill as instruction-only with no required binaries, while the artifact bundle includes executable shell scripts; scripts/dispute.sh also invokes python3. This is an under-declared packaging/dependency detail.

Skill content

No install spec — this is an instruction-only skill. Code file presence: 2 code file(s): scripts/dispute.sh; scripts/script.sh

Recommendation

Confirm how the command is installed and ensure bash/python3 are expected before using the skill.

Low

#ASI06: Memory and Context Poisoning

What this means

Complaint, legal, financial, or personal details entered into these helper commands may remain on disk after use.

Why it was flagged

The helper script can create persistent local data and history files containing command arguments or added entries. This is local-only and partly disclosed by the data-directory setting, but dispute details can be sensitive.

Skill content

DATA_DIR="${DISPUTE_LETTER_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/dispute-letter}"
DB="$DATA_DIR/data.log"
mkdir -p "$DATA_DIR"
_log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }
cmd_add() {
    echo "$(date +%Y-%m-%d) $*" >> "$DB"; echo "  Added: $*"

Recommendation

Avoid storing sensitive details unless needed, set DISPUTE_LETTER_DIR to a location you control, and delete the local data/history files when finished.