Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

App Legal Pages

v0.1.6

Generate and deploy app Privacy Policy and Terms of Service static websites from an app feature document. Use when a user provides app requirements/feature d...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for chentuan7963-afk/app-legal-pages.

Prompt (Install & Setup):
Install the skill "App Legal Pages" (chentuan7963-afk/app-legal-pages) from ClawHub.
Skill page: https://clawhub.ai/chentuan7963-afk/app-legal-pages
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install chentuan7963-afk/app-legal-pages

ClawHub CLI


npx clawhub@latest install app-legal-pages
Security Scan

  • VirusTotal: Suspicious
  • OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description, SKILL.md, and included scripts (generate, check, deploy, pipeline) are coherent: the skill generates static Privacy/Terms HTML, checks consistency, and can deploy to Cloudflare Pages via wrangler or API token.
Instruction Scope (flagged)
SKILL.md explicitly forbids placeholder markers and says never to assume jurisdiction, yet the provided example output pages contain 'TODO_LEGAL_REVIEW' placeholders and the example Terms hardcodes 'Governing Law: China'. The consistency checker also flags placeholders and unexpected governing-law clauses — the examples contradict the guardrails and would cause the checker to fail. The instructions otherwise confine actions to generating, checking, reviewing, and deploying the site files.
Install Mechanism
No install spec (instruction-only) which reduces risk, but the deploy script relies on an external CLI (wrangler) and uses subprocess.run to call it; users will need to install wrangler/npm tools manually. No remote download or obscure installer is present.
Credentials (flagged)
Registry metadata declares no required env vars, but the deploy script checks and can use CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID (or wrangler login). That credential usage is expected for Cloudflare deployment, but the metadata omission is a mismatch that should have been declared. Example files and SKILL.md use a specific Gmail address in examples (chentuan7963@gmail.com), which is unusual in samples and may confuse users about required contact info.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide configuration. Autonomous invocation is allowed (platform default) but not itself a red flag here.
What to consider before installing
This skill appears to implement what it promises (generate, check, and deploy legal pages), but there are some red flags you should address before using it or giving it credentials:

  • Do not deploy automatically until you manually inspect generated files. The sample output contains a 'TODO_LEGAL_REVIEW' placeholder and a hardcoded governing-law line ('China') that contradict the skill's own guardrail against assuming jurisdiction. These placeholders would trigger the consistency checker and indicate the generator may include unverifiable or inappropriate text.
  • The package metadata lists no required env vars, but the deploy script will look for CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID (or require 'wrangler' login). Treat those credentials as sensitive: only provide them after you review the code and are comfortable with the repository and runtime. Prefer to run deployment yourself rather than passing tokens to an untrusted agent.
  • Example files embed a real Gmail address in examples. Replace any example addresses with your own or placeholder emails before publishing, and confirm the email-generation rules (plus-addressing) are acceptable.
  • Recommended steps before trusting this skill: run the generator locally with a test feature doc in an isolated environment; inspect privacy.html and terms.html for placeholders and for unwanted jurisdiction or data-sharing claims; verify the consistency checker behavior; only then proceed to deployment, and when deploying use a least-privilege Cloudflare API token scoped solely to Pages and a dedicated account/project.

If the author updates the skill to remove hardcoded example PII, remove placeholder content from examples, and declare the optional Cloudflare env vars in metadata, the inconsistencies would be resolved and the skill would look much more trustworthy.


Tags: cloudflare, github, latest, legal, privacy, terms

401 downloads · 0 stars · 7 versions · Updated 14h ago · v0.1.6 · MIT-0

App Legal Pages

Generate a complete legal mini-site for an app:

  • index.html (legal home)
  • privacy.html (Privacy Policy)
  • terms.html (Terms of Service)
  • styles.css (shared styles)

Workflow

  1. Collect required legal/product inputs.
  2. Generate draft legal pages from feature documentation.
  3. Run strict consistency checker.
  4. Present generated pages for user review/approval.
  5. Check Cloudflare deployment auth readiness.
  6. Ask user to complete auth if missing.
  7. Auto-deploy to Cloudflare Pages after explicit confirmation.
  8. Return final public URLs.

1) Collect Inputs

Collect or confirm:

  • App name
  • Company/entity name (or individual publisher name)
  • Contact email
  • Governing law jurisdiction (country/region, optional; only if explicitly provided)
  • Effective date
  • App feature document (markdown/text)
  • Data behavior details:
    • Analytics events
    • Crash/error logs
    • Identifiers (device/user IDs)
    • Third-party SDKs/services
    • Permissions used (camera/location/photos/mic/contacts/tracking/notifications)

If facts are unknown, pause and ask for missing inputs before generation. Do not output placeholder markers (no TODO/TEMP strings in final pages). Never assume jurisdiction, region, analytics/tracking, sharing, or permission usage unless explicitly stated in the input document or user prompt. Generate policy clauses from explicit product claims first (e.g., offline-only, no cloud, no tracking, no analytics), and avoid introducing contradictory generic legal boilerplate.

2) Generate Draft Site

Run:

python3 scripts/generate_legal_site.py \
  --input /path/to/app-feature.md \
  --out ./out/legal-site \
  --app-name "Your App" \
  --company "Your Company" \
  --base-email "chentuan7963@gmail.com" \
  --email-tag "quillnest" \
  --effective-date "2026-03-03" \
  --jurisdiction "California, United States"

Email rule:

  • Prefer plus-address derivation from GitHub/base email + app tag.
  • Example: chentuan7963@gmail.com + quillnest => chentuan7963+quillnest@gmail.com.
  • Use --email only when you explicitly want a fixed address.

Language rule:

  • Generate English-only legal pages by default.
  • Exclude non-English feature bullets from Feature Context to keep language consistent.

The script auto-detects likely data categories/permissions from the feature text. Manually review and adjust output if app behavior is more specific than heuristic detection.

3) Run Strict Consistency Checker

Run before publishing:

python3 scripts/check_consistency.py \
  --feature /path/to/app-feature.md \
  --privacy ./out/legal-site/privacy.html \
  --terms ./out/legal-site/terms.html

The checker fails on:

  • Placeholder tokens (TODO/TEMP/FIXME)
  • Contradictions against explicit product claims (offline/no-cloud/no-tracking/no-analytics)
  • EXIF mention in feature doc without corresponding privacy disclosure
  • Governing-law section in Terms when jurisdiction is not explicitly provided
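The four checker rules above, as an added example written for this page rather than the skill's own scripts/check_consistency.py. It strips tags from the generated HTML, scans for placeholder tokens, enforces only the claims the feature doc makes explicitly (treating a negated mention such as "we do not use analytics" as a disclosure rather than a contradiction), requires an EXIF disclosure when the feature doc mentions EXIF, and rejects a governing-law section when no jurisdiction was passed. The CLAIM_KEYWORDS table and the sample inputs are constructed assumptions.

```python
import re

# Placeholder markers the skill forbids in final pages (\w* also catches TODO_LEGAL_REVIEW).
PLACEHOLDER_RE = re.compile(r"\b(?:TODO|TEMP|FIXME)\w*")
# Assumed mapping: explicit product claims and the terms that contradict them when stated affirmatively.
CLAIM_KEYWORDS = {
    "offline-only": ("cloud", "server", "sync"),
    "no cloud": ("cloud",),
    "no tracking": ("track", "advertis"),
    "no analytics": ("analytics",),
}
# A sentence that negates the keyword is a disclosure, not a contradiction.
NEGATION_RE = re.compile(r"\b(?:no|not|never|without|don't|doesn't)\b", re.I)

# Constructed sample inputs, not the skill's own example files.
FEATURE = "QuillNest is an offline-only notes app. No analytics. Photo notes keep EXIF data."
BAD_PRIVACY = "<p>We use analytics to improve the app.</p><p>TODO_LEGAL_REVIEW</p>"
BAD_TERMS = "<h2>Governing Law</h2><p>China</p>"
GOOD_PRIVACY = "<p>We do not use analytics. Notes stay on your device.</p><p>EXIF data stays in your photos.</p>"
GOOD_TERMS = "<p>Contact: you@example.com</p>"


def _sentences(html):
    """Strip tags and split the visible text into sentences."""
    text = re.sub(r"<[^>]+>", " ", html)
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def check_consistency(feature, privacy_html, terms_html, jurisdiction=None):
    """Return failure strings for the four rules; an empty list means the drafts pass."""
    failures = []
    feature_l = feature.lower()
    for name, html in (("privacy.html", privacy_html), ("terms.html", terms_html)):
        for tok in PLACEHOLDER_RE.findall(html):
            failures.append(f"{name}: placeholder token {tok!r}")
    privacy_sents = _sentences(privacy_html)
    for claim, keywords in CLAIM_KEYWORDS.items():
        if claim not in feature_l:
            continue  # only claims the feature doc makes explicitly are enforced
        for sent in privacy_sents:
            low = sent.lower()
            if any(k in low for k in keywords) and not NEGATION_RE.search(sent):
                failures.append(f"privacy.html contradicts '{claim}': {sent!r}")
    if "exif" in feature_l and "exif" not in " ".join(privacy_sents).lower():
        failures.append("privacy.html: feature doc mentions EXIF but the policy does not disclose it")
    if not jurisdiction and re.search(r"governing law", terms_html, re.I):
        failures.append("terms.html: governing-law section present but no jurisdiction was provided")
    return failures
```

Run against the constructed bad drafts it reports all four failures; passing the same jurisdiction string the generator received clears only the governing-law failure.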

4) Validate Draft Quality

Check before publishing:

  • privacy.html and terms.html both exist.
  • App/company/email/effective date are consistent across pages.
  • Privacy disclosures match only explicitly stated permissions and data behavior (no inferred tracking/region claims).
  • User rights and contact/deletion request path are present.
  • No unverifiable legal claims.
  • Final pages contain no placeholder markers (forbidden: TODO/TEMP/FIXME).

If the app uses sensitive permissions or SDKs, verify that these are explicitly disclosed in the Privacy Policy.

5) Review Gate (Mandatory)

Before deployment, share generated files with the user and ask for explicit approval to deploy. Do not deploy automatically without user confirmation.

6) Check Deployment Auth

Run auth readiness check:

python3 scripts/deploy_cloudflare_pages.py --check-auth --site-dir ./out/legal-site --project-name your-project-name --production-branch main

Auth is valid when either:

  • CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID are set, or
  • wrangler whoami succeeds.

If auth is missing, ask the user to authenticate:

wrangler login

7) Auto-Deploy to Cloudflare Pages

After explicit approval + auth ready:

python3 scripts/deploy_cloudflare_pages.py \
  --site-dir ./out/legal-site \
  --project-name your-project-name \
  --production-branch main

Or use one-shot pipeline:

python3 scripts/run_pipeline.py \
  --feature /path/to/app-feature.md \
  --out ./out/legal-site \
  --app-name "Your App" \
  --company "Your Company" \
  --base-email "you@gmail.com" \
  --email-tag "yourapp" \
  --effective-date "2026-03-05" \
  --project-name your-project-name \
  --production-branch main \
  --confirm-deploy

8) Returnables

Return:

  • Cloudflare Pages site URL
  • Privacy Policy URL (<site>/privacy.html)
  • Terms of Service URL (<site>/terms.html)
  • Auth mode used (api-token or wrangler-login)

Guardrails

  • Do not claim legal compliance guarantees.
  • Keep wording plain and readable.
  • Keep deterministic page structure for easy future edits.
  • Recommend human legal review before production app-store submission.
