智合法律研究
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its legal-research purpose, but it handles account tokens through under-disclosed local credential files and can print/export the token, so credential handling needs review.
Install only if you are comfortable sending your legal questions to the 智合 AI service and storing a login token, phone number, and research reports locally. Before use, review or disable the ~/.openclaw/.env fallback and token export command, and delete local archives when they are no longer needed.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may use a token from a global OpenClaw config file unexpectedly, and sourcing that file gives the script access to more local credential/config context than the main documentation suggests.
SKILL.md says configuration is self-contained under the skill's assets directory, but this script falls back to sourcing a broader OpenClaw env file from the user's home directory.
if [[ -z "$LEGAL_RESEARCH_TOKEN" && -f "${HOME}/.openclaw/.env" ]]; then
source "${HOME}/.openclaw/.env" 2>/dev/null || true
Remove this fallback or clearly document it in SKILL.md and metadata; parse only the specific LEGAL_RESEARCH_TOKEN value instead of sourcing an entire home-directory env file.
A saved login token could be exposed outside the local config file and reused by anyone who obtains the output.
The included token manager can print the full bearer token to stdout, which can place the credential into agent output, logs, or conversation context if invoked.
export_token() {
...
echo "LEGAL_RESEARCH_TOKEN=${LEGAL_RESEARCH_TOKEN}"
Do not export full tokens to stdout by default; require explicit user confirmation, keep display masked, and document any credential export behavior clearly.
Legal questions and reports may contain sensitive facts and will remain on disk after the conversation unless the user removes them.
The skill intentionally saves research results and downloaded reports into a persistent local archive.
Automatic archiving (downloads reports to the archive/ directory, including Markdown conversion)
Tell users where archives are stored, how to delete them, and to avoid submitting confidential legal/client details unless they are comfortable with local storage and provider processing.
The optional background-monitor workflow may fail or depend on a missing/unreviewed script.
The documentation references an optional monitor.sh background helper, but the supplied file manifest includes only auth.sh, research.sh, and token-manager.sh, so that helper is not reviewable here.
./scripts/monitor.sh monitor <task_id> 600 30
Either include and review monitor.sh, or remove the optional background-monitor instructions from the skill documentation.
If used in a compatible environment, the skill may keep working after the initial response to monitor completion and save results.
The optional Claude Code mode starts a background monitor for up to 10 minutes and auto-archives results; it is disclosed and scoped, but it is still background agent activity.
run_in_background: true
timeout: 600000
Use the standard user-initiated polling flow unless the user explicitly wants background monitoring, and make the timeout and archive behavior clear.
