Chinese Laws and Regulations Search (Deli Technology)
Warn
Audited by ClawScan on May 11, 2026.
Overview
The skill largely matches its legal-search purpose, but it disables HTTPS certificate checks while sending your API key and search queries, making it risky to use as-is.
Use caution before installing. The legal-search behavior is coherent, but you should not enter a real API key or rely on retrieved results until the script is fixed to verify HTTPS certificates and hostnames. Also verify the publisher/source because the registry metadata lacks a homepage or source repository.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your legal searches and API key may not be protected against man-in-the-middle interception or result manipulation.
The script sends the user's Bearer API key and legal search query to the provider API while disabling certificate and hostname validation, so a network attacker could potentially intercept the token, view queries, or tamper with results.
"Authorization": "Bearer " + apikey ... ctx.check_hostname = False ... ctx.verify_mode = ssl.CERT_NONE
Do not use a real API key until TLS verification is restored. Remove the custom insecure SSL context and rely on default certificate validation, or implement proper certificate verification.
Anyone who can read the skill's config.json may be able to use your provider API key or consume your API quota.
The skill requires a user-provided Deli Legal API key and stores it in the skill directory. This is purpose-aligned for the provider API, but it is still account/credential material.
Authentication method: `Authorization: Bearer YOUR_API_KEY` ... Enter the API Key in the `config.json` file in the skill directory
Store the API key with appropriate file permissions, avoid sharing the skill directory, and rotate the key if it may have been exposed.
It is harder to verify the publisher, review updates, or confirm that the code matches the claimed provider.
The skill includes executable Python code and asks for a provider API key, but the registry metadata does not provide a source repository or homepage for independent verification.
Source: unknown; Homepage: none
Verify the publisher and API endpoint independently before adding credentials, and prefer a version with clear source or homepage metadata.
