Chinese Court Judgment Similar-Case Search Report (得理科技)
Warn
Audited by ClawScan on May 11, 2026.
Overview
This skill’s legal-search purpose is coherent, but its API script disables HTTPS certificate checks while sending an API key and potentially confidential case facts.
Review this skill before use. It appears purpose-aligned for legal case retrieval, but do not use it with real client matter details until TLS certificate verification is fixed. If you proceed, protect the Delilegal API key, redact unnecessary confidential facts, and independently verify the generated legal report before relying on or submitting it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker or malicious proxy could impersonate the API service and intercept the user’s API key and legal search contents.
The script sends a bearer API key to a remote HTTPS endpoint while explicitly disabling server hostname and certificate validation.
headers={"Content-Type": "application/json", "Authorization": "Bearer " + apikey} ... ctx.check_hostname = False ... ctx.verify_mode = ssl.CERT_NONE
Remove the custom insecure SSL settings and use Python’s default certificate validation; rotate the API key if this script has already been used on untrusted networks.
Confidential client or case facts may leave the local environment as part of the intended search workflow.
The documented workflow can send user-provided case-material text to the Delilegal external API for semantic matching.
Endpoint: `https://platform.delilegal.com/api/v1/generice/case/list` ... Long-text semantic matching `--long-text "案件材料文本"`
Use this only when external processing by the provider is acceptable, redact unnecessary sensitive details, and confirm any confidentiality or professional-duty requirements before uploading case materials.
The API key may grant access to the user’s Delilegal account or quota if copied, leaked, or intercepted.
The skill expects the user to place a provider API credential in a local configuration file.
{"apikey": "YOUR_API_KEY"}
Keep config.json private, use a restricted API key if available, and rotate the key if it may have been exposed.
