Skill v1.0.0
ClawScan security
Legal Contract Review Playbook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 26, 2026, 1:08 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is a document-only, descriptive legal-workflow skill that does not request credentials, install code, or call external services — its declared behavior matches its files and instructions.
- Guidance: This package appears coherent and low-risk because it is instruction-only and requests no credentials or installs. Before using it: (1) do not paste privileged, confidential, or client-identifying documents into the chat — redact or anonymize sensitive data; (2) remember the skill is informational only and not a substitute for jurisdiction-specific counsel — verify all conclusions with a qualified attorney; (3) note that the package's source/homepage are not provided in the registry metadata, so if provenance is important to you, consider asking the publisher for source or hosting details; and (4) review your organization’s policies on sharing legal materials with third-party tools before use.
Review Dimensions
- Purpose & Capability (ok): Name, description, and files consistently describe a descriptive contract-review playbook. The package requests no binaries, env vars, or installs, which is proportionate for a text/template/checklist skill.
- Instruction Scope (note): SKILL.md confines the agent to producing frameworks, checklists, and templates and explicitly disclaims legal advice. It asks the agent to solicit facts, documents, jurisdiction, deadlines, and audience from the user — which is reasonable — but that practice means users may be prompted to paste sensitive or privileged information. The skill itself does not instruct reading local files or contacting external endpoints.
- Install Mechanism (ok): No install spec and no code files are present (instruction-only), so there is nothing written to disk or fetched during installation. This is the lowest-risk install profile.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The skill does not require access to external APIs or secrets and its declared needs align with its stated purpose.
- Persistence & Privilege (ok): always is false and disable-model-invocation is false (normal). The skill does not request persistent presence, system privileges, or modification of other skills' configuration.
