Skill v1.0.0

ClawScan security

Legal Due Diligence Checklist · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 2:17 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is a document-only, descriptive skill that produces legal due diligence checklists and templates, requires no credentials or installs, and its instructions align with the stated purpose.
Guidance
This package is document-only and internally consistent with its stated purpose, so the immediate risk is low. Still: do not paste privileged or confidential client documents or sensitive personally identifiable information into prompts; treat outputs as informational templates only and verify all legal points with qualified counsel before relying on them; if a later version adds code (handler.py), network calls, or requests credentials, stop and re-evaluate provenance and permissions before using. If provenance matters to you, prefer skills from known publishers or ask the publisher for contact/verification details.

Review Dimensions

Purpose & Capability
ok: Name, description, and manifest (skill.json, README.md, SKILL.md) consistently describe a descriptive checklist/template generator. There are no requested binaries, env vars, config paths, or install steps that are unrelated to the stated purpose. ACCEPTANCE.md explicitly forbids code or network calls, which matches the skill's description.
Instruction Scope
ok: SKILL.md limits the skill to collecting user-provided facts/context and producing frameworks, checklists, templates, and prompts. It does not instruct the agent to read system files, access environment variables, call external endpoints, or execute commands. It also includes explicit safety/legal limitations and attorney-review reminders.
Install Mechanism
ok: There is no install spec and no code files. This is the lowest-risk model: nothing is downloaded or written during install. The package is documentation-only.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. No sensitive tokens or unrelated service keys are requested or required.
Persistence & Privilege
ok: "always" is false (default). The skill does not request permanent presence or modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but does not raise additional concerns given the skill's descriptive-only nature.