Legal Intake Agent
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill’s legal-intake purpose is coherent, but it asks for sensitive client data and law-firm system access without clearly limiting permissions, privacy handling, or safety enforcement.
Do not connect this directly to production legal systems until you have verified the ThumbGate package, limited CRM/calendar permissions, documented where client data goes, and required attorney review for conflict, statute, and consultation decisions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create or block consultations and affect legal lead handling without clear supervision controls.
Booking into legal CRMs or calendars is a high-impact account mutation. The artifacts do not specify per-booking approval, calendar scope, rollback, or limits on when the agent may book or refuse consultations.
Books paid or free consultations directly into Clio, MyCase, or Google Calendar.
Require explicit user or attorney approval for bookings and denials, define allowed calendars/CRMs, and document reversal and audit procedures.
Over-broad CRM or automation permissions could expose or alter sensitive law-firm records beyond intake scheduling.
Syncing intake data into legal CRMs through Make.com requires delegated access to firm accounts, but the artifacts do not declare credential requirements, OAuth scopes, or permission boundaries.
**CRM Automation:** Use [Make.com](https://make.com) to sync intake data into Clio, MyCase, or PracticePanther.
Use least-privilege service accounts, document exact OAuth scopes and CRM objects touched, and require review before granting production CRM access.
Potential client names, claim details, conflict information, and scheduling data may be processed by third parties without clear privacy controls.
The workflow routes voice/text intake and legal lead data through external providers, but the artifacts do not describe identity validation, data retention, consent, or boundaries between providers.
**Voice/Phone:** Use our [ElevenLabs](https://elevenlabs.io/affiliates) link ... **CRM Automation:** Use [Make.com](https://make.com) to sync intake data
Document every provider that receives intake data, configure retention and access controls, and ensure client-consent and confidentiality requirements are met before deployment.
A law firm may overtrust the agent to prevent unauthorized legal advice or liability even though enforcement is not demonstrated in the reviewed artifacts.
The artifacts make strong safety and liability claims, but the submitted skill is instruction-only and does not include enforceable guardrail code or validation evidence.
ThumbGate rules that physically BLOCK the AI from giving legal advice or making promises it can't keep. It captures the lead without creating liability.
Treat the ThumbGate claims as unverified until tested, and require attorney-supervised scripts, logs, and compliance validation before public use.
Installing an unpinned external package can introduce code that was not reviewed with this skill.
This is a user-directed setup command, but it downloads/runs an external package without a pinned version or included reviewed source, and that package is central to the claimed safety mechanism.
Install ThumbGate: `npx thumbgate init --agent openclaw`
Pin the package version, verify the package source, and test it in a non-production environment before connecting law-firm systems.
