ClawHub
Back to skill
v2.0.1

Legal Advisor

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:47 AM.

Analysis

The skill appears to be a coherent legal-template helper with no evidence of credential use, data exfiltration, destructive actions, or hidden network behavior, though its runnable bash/Python helpers are under-declared in metadata.

GuidanceThis looks safe from an agentic-security perspective, but users should understand that bundled scripts may run locally with bash/python if invoked. Also treat generated legal templates as informational drafts and consult a qualified lawyer before relying on them for real disputes.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
metadata
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.

The registry presents the skill as instruction-only with no binary requirements, but SKILL.md lists bash 4+ and python3 and the manifest includes executable shell scripts. This is not suspicious by itself, but the runtime expectations are under-declared.

User impactA user or agent may need local bash and Python to use the bundled helper scripts even though the registry metadata does not advertise those requirements.
RecommendationDeclare bash and python3 requirements, and clarify whether the scripts are optional helpers or intended entry points.
Unexpected Code Execution
SeverityInfoConfidenceHighStatusNote
scripts/legal.sh
#!/usr/bin/env bash ... python3 - "$CMD" "$QUERY" << 'PYEOF'

The skill includes executable shell code that launches inline Python. The visible behavior is purpose-aligned template generation and does not show unsafe downloads, eval, network calls, or destructive commands.

User impactIf the agent is allowed to run bundled scripts, local code execution occurs, but the visible code is limited to generating legal-reference output.
RecommendationKeep script execution user-directed, and document the script commands so users understand when local code will run.