Skill v1.0.1

ClawScan security

LegalAid · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 4:49 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements, instructions, and included knowledge files are coherent with a legal-aid assistant: it is instruction-only, requests no credentials, and its behavior aligns with the stated purpose.
Guidance
This skill appears coherent with its stated legal‑aid purpose and does not request credentials or install code. Before installing, consider: (1) privacy: the assistant will ask for sensitive personal details and evidence (IDs, medical info, photos, chat logs). Only share the minimum necessary and avoid posting full ID numbers or financial account data in chat. (2) Platform logging: your host/platform may log conversations and files used to generate documents — check that platform's privacy policy. (3) Document generation: the skill references external document‑generation skills (docx/xlsx/pdf) — verify those are trusted in your environment. (4) Not a substitute for a lawyer: the README/disclaimer says this is reference material; for high‑stakes or criminal matters, consult a licensed attorney. If you need greater assurance, ask the maintainer for provenance of the knowledge sources or prefer using the SKILL.md only as a prompt template without uploading sensitive documents.

Review Dimensions

Purpose & Capability
ok
Name/description (full‑process legal/rights assistance) matches the actual contents: a comprehensive SKILL.md and a set of topical knowledge files covering the claimed 13+ areas. There are no unexpected environment variables, binaries, or external credentials required that would be disproportionate to a legal-advice assistant.
Instruction Scope
note
SKILL.md instructs the agent to (1) run a 9‑step guided workflow, (2) prompt users for case details and evidence, (3) read local knowledge files in knowledge/* via a 'Read' tool, (4) generate document templates (docx/xlsx/pdf) and (5) perform network searches for missing laws/precedents. All of these are consistent with a legal aid skill. Note: it will ask for and rely on sensitive personal information (dates, locations, identities, medical details, photos, chat logs) as part of evidence collection — this is expected for legal assistance but is sensitive data that users should avoid oversharing and platforms may log.
Install Mechanism
ok
Instruction-only skill with no install spec and no code execution artifacts. No downloads, no archive extraction, and no third‑party package installs are declared. This minimizes write-to-disk and arbitrary-code risk.
Credentials
ok
The skill declares no required environment variables, no credentials, and no config paths. It references other platform skills (docx/xlsx/pdf) for document generation, which is reasonable. There are no requests for unrelated secrets or elevated access.
Persistence & Privilege
ok
always:false and no install-time changes are declared. The skill does not request permanent system-wide privileges or modify other skills' configurations. Autonomous invocation is allowed (platform default) but does not combine with other red flags.