Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Legal Consulting Bundle

v1.0.1

Chinese legal consulting AI skill bundle. Built on a Chinese legal knowledge base, it provides AI-automated services such as contract review, legal Q&A and compliance checks. It covers core statutes including the Civil Code, the Labor Contract Law and the Company Law, helping small and medium-sized enterprises and individual users obtain legal analysis quickly and reduce the cost of legal consulting.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code, knowledge files, SKILL.md and README align with a legal-consulting web app offering contract review, QA, compliance, labor, IP and debt-collection modules. However there are mismatches: the law_map in main.py references keys (e.g., 'labor_contract_law', 'trademark_law') that are not present in the provided knowledge_base, and SKILL.md/README reference a .env.example but no .env.example is in the manifest. These indicate sloppy/incomplete packaging rather than a capability mismatch.
Instruction Scope
SKILL.md instructs pip install and running main.py. main.py loads environment variables (via dotenv) and — if DEEPSEEK_API_KEY is set — forwards user prompts + local knowledge context to https://api.deepseek.com/v1/chat/completions. The SKILL.md does not declare this environment variable or clearly warn that user inputs will be sent to an external API. The instructions also reference copying a .env.example file that is not included.
Install Mechanism
No install spec in registry; runtime instructions rely on pip install -r requirements.txt (requirements are typical: FastAPI, uvicorn, httpx, etc.). There are no downloads from arbitrary URLs or archive extraction. Installing dependencies via pip is expected for this type of project.
Credentials
The repository does not declare any required env vars, yet main.py reads DEEPSEEK_API_KEY (and uses dotenv). Supplying that key will cause potentially sensitive user inputs and appended local knowledge to be sent to DeepSeek. The absence of a declared primaryEnv or any env documentation in SKILL.md is an incoherence and a privacy/exfiltration risk if a key is provided without clear notice.
Persistence & Privilege
The skill is not force-enabled (always: false) and does not request system-wide privileges. It creates/uses directories under its package (templates, static, knowledge_base, skills) and runs a local web server — standard for a web app. It does not modify other skills or system configs.
What to consider before installing
- The code will run a local FastAPI web app and (optionally) call an external LLM service (DeepSeek) if you provide DEEPSEEK_API_KEY. The SKILL.md/manifest do not list this env var even though main.py reads it; do not set an API key unless you trust DeepSeek and understand that user queries (and included knowledge/context) will be transmitted to that external service.
- The .env.example referenced by the README/SKILL.md is missing from the package. Inspect any .env you create carefully, and do not paste secrets or sensitive personal data into the service while testing.
- The knowledge mapping in the code references some law files that are not included; expect some features to use fallback templates rather than a full LLM analysis. Test in 'template mode' (no DEEPSEEK_API_KEY) to avoid external calls; template mode returns canned responses.
- Run the app in an isolated environment (container or VM) and bind the server to localhost only if you do not want it exposed on the network. Review the code paths that call httpx.post and any other network calls before providing credentials.
- If you need this functionality but are not comfortable with the unknown external LLM, consider removing/modifying the external call (call_llm) or replacing it with a vetted LLM provider, and explicitly document the required env vars.
- Summary action items: inspect main.py, do not set DEEPSEEK_API_KEY unless you accept data sharing, create a local .env for safe testing, and run in an isolated environment.
