Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
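蒋道理 | Non-Use Cancellation Evidence Chain and Risk Review Engine (SJ-IRAC)
v3.0.1
CNIPA non-use cancellation (three consecutive years of non-use) dual-track evidence engine: defense evidence chain construction + cross-examination audit (SJ-6 + IRAC + risk A–E).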
⭐ 0 · 1.8k · 2 current · 2 all-time
by Jiang Zhongling | SJ-IRAC Trademark Systems @jisngzhongling
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (non-use cancellation evidence chain / risk review) aligns with included Python scripts and YAML rules: OCR, PDF/Office parsing, date extraction, rule-based scoring, document generation and a local web/desktop UI. Required packages in requirements.txt match the code usage (pandas, openpyxl, python-docx, pypdf, PyMuPDF, PyYAML). No unrelated cloud credentials or extraneous binaries are requested.
Instruction Scope
SKILL.md describes inputs (reg no, class, goods, period, evidence) and modes (build/audit); code reads user-supplied evidence directories, parses/normalizes files, runs OCR and converters, and outputs documents and validations. The instructions do not ask for unrelated system files or secrets. Note: the tool copies/links user files into a working directory and may read many local files as part of normal operation.
Install Mechanism
There is no automated install spec in the registry (instruction-only), but the package includes full source and an INSTALL.md that expects creating a virtualenv and pip installing requirements.txt. Dependencies are from common Python packages; conversion relies on external binaries (soffice/pdftoppm/tesseract) that the user must install. This is proportionate to the stated functionality but requires native tools.
Credentials
The skill does not request environment variables, credentials, or external tokens in registry metadata. Code does consult an optional NONUSE_DOCX2PDF_TIMEOUT env var (for timeout control), which is reasonable. No evidence of requesting unrelated secrets.
Persistence & Privilege
Registry flags: always=false and model invocation enabled (default). The tool runs as a local process and optionally starts a local HTTP UI. Be aware: the web UI by default appears to run without authentication (WEBUI_REQUIRE_AUTH defaults to False and WEBUI_AUTH_TOKEN empty) — the desktop launcher uses localhost by default, but if the server is started binding a non-local address it could be reachable from the network. No indication it modifies other skills or system agent settings.
Assessment
This package is coherent with its stated purpose, but take these precautions before installing/running: (1) Run it in a dedicated environment (virtualenv or isolated VM). (2) Ensure required native binaries are installed (soffice/LibreOffice, pdftoppm, tesseract) and set appropriate timeouts. (3) Provide only evidence directories you intend to process — the tool will copy/link many files into its working dirs and create output artifacts. (4) If you run the web UI, verify it binds to 127.0.0.1 (local only) or enable WEBUI_REQUIRE_AUTH and set WEBUI_AUTH_TOKEN before exposing to any network. (5) Review LICENSE.md and DISCLAIMER.md and inspect utils/logger.py (audit implementation) if you need to confirm that audit/logging is local only. (6) If you have low tolerance for unknown code, consider reviewing the full repo locally or running it on an air-gapped machine first.
Like a lobster shell, security has layers — review code before you run it.
