AI legal assistant for Indian advocates and lawyers

Security checks across malware telemetry and agentic risk

Overview

This is a text-only Indian legal-assistant skill whose sensitive document handling is disclosed and aligned with legal drafting and practice-management work.

Install only if you are comfortable using the hosting platform for confidential legal material. Prefer redacted documents, avoid pasting full Aadhaar, PAN, bank, or unnecessary client identifiers, verify all legal citations before filing, and invoke the skill deliberately for Indian legal work because some activation phrases are broad.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 96%
Finding
The skill’s trigger scope is extremely broad, including generic phrases like "my client," "matter," "brief," "HC," and "SC," plus "any Indian legal proceeding." This can cause unintended invocation on loosely related conversations, unnecessarily exposing sensitive user content to the skill’s legal workflow and increasing the chance of inappropriate legal-style responses in non-legal contexts.

Missing User Warnings

Medium
Confidence: 92%
Finding
The client intake template solicits multiple high-risk identifiers such as Aadhaar, PAN, date of birth, address, and contact details, but provides only a minimal Aadhaar redaction note and no clear privacy, retention, access-control, or minimization guidance. In a legal-assistance skill, users may paste real client data directly into chat or files, increasing the chance of unnecessary collection, overexposure, and downstream disclosure of sensitive personal information.

VirusTotal

64/64 vendors flagged this skill as clean.
