Jiang Daoli | Three-Year Non-Use Cancellation Evidence Chain and Risk Review Engine (SJ-IRAC)

Pass

Audited by ClawScan on May 1, 2026.

Overview

The artifacts describe a coherent local legal-evidence processing tool, but it handles sensitive case files and uses local commands, a local web UI, and unpinned Python dependencies that users should review.

Before installing, verify the source and dependencies, run it in an isolated Python environment, keep the web UI local-only, work on copies of evidence files, protect the output/log folders, and have a human review any generated legal filings before submission.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the tool may pull changing third-party package versions from the Python ecosystem.

Why it was flagged

The dependency list has no pinned versions or lockfile, so installation may resolve different package versions over time.

Skill content

pandas
openpyxl
python-docx
pypdf
PyMuPDF
PyYAML

Recommendation

Install in a virtual environment, verify the source, and consider pinning or reviewing dependency versions before use.

What this means

If the web interface is bound to a non-local address or is otherwise reachable from other hosts, another party could trigger file-processing actions without authenticating.

Why it was flagged

The web UI's write-auth check is disabled by default, which is acceptable for a localhost-only desktop tool but risky if the service is exposed beyond the user's machine.

Skill content

WEBUI_AUTH_TOKEN = ""; WEBUI_REQUIRE_AUTH = False; ... if not WEBUI_REQUIRE_AUTH: return True

Recommendation

Keep the web UI bound to 127.0.0.1, do not expose the port on a network, and enable an authentication token if adding remote access.

What this means

Malformed or untrusted Office files are processed by local converter software.

Why it was flagged

The tool invokes a local LibreOffice binary to convert documents, which is purpose-aligned but still executes local software on user-supplied documents.

Skill content

cmd = [SOFFICE_BIN, "--headless", "--convert-to", "pdf", "--outdir", str(td_path), str(src_docx)]; ... subprocess.run(...)

Recommendation

Use trusted converter binaries, keep them patched, and process copies of evidence files rather than originals.

What this means

Output folders may contain sensitive evidence copies, links to original files, or local path information that should not be shared casually.

Why it was flagged

The tool creates persistent mixed-input directories and may copy or symlink source evidence files into the output area.

Skill content

mix_root = Path(out_dir).resolve() / "_scan_mix_inputs" / slot ... os.symlink(src, dst, target_is_directory=False) ... shutil.copy2(src, dst)

Recommendation

Treat output, logs, and _scan_mix_inputs folders as confidential; review and remove sensitive copies or symlinks before sharing generated materials.