ClawHub

Legal Consulting Bundle

Security checks across malware telemetry and agentic risk

Overview

This is a coherent legal-consulting web app, but users should treat its legal and privacy handling as informational and sensitive.

Install only if you are comfortable using it as an informational legal assistant. Do not rely on it as licensed legal advice, redact unnecessary personal or business details, avoid submitting privileged or confidential documents unless DeepSeek use is acceptable to you, and grant file/write access only to documents and reports involved in the current task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README markets AI-generated legal analysis and contract review as a fast substitute for expensive lawyer consultation, but does not clearly warn that outputs are not licensed legal advice. In a legal domain, users may rely on incomplete or incorrect model output for contracts, disputes, or compliance decisions, which can directly cause financial loss, unenforceable agreements, or regulatory exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented API accepts free-form legal questions and case descriptions, which are likely to contain personal data, employment details, company secrets, dispute facts, contracts, and other sensitive information. The README does not disclose data handling, retention, third-party model sharing, or privacy expectations, increasing the risk of sensitive legal information being submitted without informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill requests Write, WebSearch, and WebFetch capabilities but does not disclose that user-provided legal documents or queries may be transmitted externally or that local files could be modified. In a legal-consulting context, this is more sensitive than usual because contracts, dispute facts, company data, and intellectual-property materials often contain confidential or regulated information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The consultation endpoint sends user questions and embedded legal context to a third-party LLM API, but this code path shows no consent flow, warning, redaction, or data-minimization control before transmission. Because this skill is for legal consulting, users may submit contracts, labor disputes, identity details, or other highly sensitive information, making undisclosed external transfer a meaningful privacy and confidentiality risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal