v1.0.1

Legal Consulting Bundle

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:21 AM.

Analysis

The artifacts describe a coherent legal-consulting web app with purpose-aligned legal knowledge and optional DeepSeek LLM use, with privacy and setup details users should review.

Guidance: This skill appears coherent and purpose-aligned. Before installing or deploying it, decide whether you are comfortable sending legal questions or contract text to DeepSeek, redact sensitive details where possible, configure the API key carefully, and avoid granting broad file/write access beyond the documents you want reviewed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Info. Confidence: High. Status: Note.
SKILL.md
allowed-tools:
  - Read
  - Write
  - WebSearch
  - WebFetch

The skill requests file read/write and web access; these are plausible for legal document review and research, but broad enough that users should keep usage task-scoped.

User impact: If invoked with broad permissions, the agent could read or write local files or browse/fetch web content while helping with legal tasks.
Recommendation: Use the skill only on documents you intend to analyze, ask before saving generated reports, and prefer narrowly scoped file paths.
Agentic Supply Chain Vulnerabilities
Severity: Info. Confidence: Medium. Status: Note.
SKILL.md
copy .env.example .env

The setup instructions reference a .env.example file, but that file is not listed in the provided manifest.

User impact: Setup may be incomplete or unclear, especially for configuring the optional DeepSeek key safely.
Recommendation: Provide the referenced .env.example file or update the setup instructions to show exactly which variables are optional and how to configure them.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low. Confidence: High. Status: Note.
main.py
DEEPSEEK_API_KEY = os.getenv("DEEPSEEK_API_KEY", "") ... "Authorization": f"Bearer {DEEPSEEK_API_KEY}"

The app can use a DeepSeek API key, but the registry metadata declares no required or optional environment variables.

User impact: A user who configures this key is delegating paid/provider access to the app; if the app is deployed publicly, the endpoint could consume that provider quota.
Recommendation: Declare DEEPSEEK_API_KEY in metadata, document its scope and cost implications, and add authentication or rate limits if deploying beyond localhost.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low. Confidence: High. Status: Note.
main.py
DEEPSEEK_API_URL = "https://api.deepseek.com/v1/chat/completions" ... {"role": "user", "content": user_prompt}

When configured with an API key, the app sends the user's legal question to an external LLM provider.

User impact: Contracts, disputes, employment facts, or business compliance details entered into the app may be shared with DeepSeek for analysis.
Recommendation: Before using with sensitive legal material, confirm the provider's privacy terms, redact unnecessary personal data, and add clear user-facing disclosure or consent.