Policy Lawyer

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill reads a small bundled policy reference document, or a user-specified policy file, and shows no evidence of hidden execution, credential use, network access, or destructive behavior.

This appears safe for normal policy lookup. Before installing, be aware that it can read whichever local policy file path it is given, and treat policy output from other workspaces as untrusted until you verify it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

If invoked with the wrong file path, the skill may print contents from a local file that was not meant to be used as a policy reference.

Why it was flagged

The CLI can read a local file path supplied by the user. This is expected for comparing policy documents, but it means users should avoid pointing it at unrelated private files.

Skill content
parser.add_argument("--policy-file", type=Path, default=Path(__file__).resolve().parent.parent / "references" / "policies.md", help="Path to the policy reference document.")
Recommendation

Use --policy-file only with intended, trusted policy documents and review output before quoting it as authoritative.

ASI06: Memory and Context Poisoning
Low
What this means

Following the quoted policy could create persistent records about sensitive actions, which may be useful for audits but should not include secrets or excessive private details.

Why it was flagged

The policy content that this skill may quote recommends persistent logging of sensitive actions. The skill does not write those logs itself, but users should be careful about what sensitive details get persisted if they follow the policy.

Skill content
Log every sensitive action in `memory/YYYY-MM-DD.md` so auditors can reconstruct decisions.
Recommendation

When following this policy, log only necessary audit information and avoid storing secrets, tokens, or private file contents in memory logs.