Legal Doc Writer

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese tax-law document drafting aid that consists of templates. It contains no executable code, hidden data flow, credential use, or persistence.

Use this only for PRC tax/legal document drafting or review. Treat outputs as draft legal work product, verify citations, deadlines, and calculations independently, and avoid providing unnecessary confidential client information. Also review any helper skills it invokes, such as law research, case research, tax calculation, or docx export skills, before relying on those steps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The activation description is very broad, covering nearly any request involving drafting, reviewing, or modifying tax-related legal documents, without clear boundaries or eligibility checks. In an agent environment, this can cause inappropriate auto-invocation, leading the model to apply legal-specialist workflows when the user's intent is ambiguous, increasing the risk of unauthorized legal guidance, incorrect task routing, or over-collection of sensitive facts.

Natural-Language Policy Violations

Medium
Confidence: 85%
Finding
The skill is explicitly framed around Chinese tax and legal document drafting and prescribes Chinese legal citation and formatting conventions, but it does not state that this locale restriction must be selected or confirmed by the user. If invoked for users in other jurisdictions or language contexts, it may silently impose China-specific legal assumptions, producing misleading legal content or routing sensitive matters into the wrong regulatory framework.

VirusTotal

64/64 vendors flagged this skill as clean.
