Legal Gstack

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only legal workflow skill with disclosed local file use and no executable install behavior, but it handles sensitive legal files and should be used carefully.

Install only if you are comfortable with an agent reading and writing the specified local legal folders. Keep confidential case materials in well-scoped directories, review legal outputs before use, and confirm archive or write destinations before allowing file changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill advertises an `archive` command and explicitly points to real case-file directories under the user's home folder, but it does not warn that the action may move, reorganize, or otherwise modify case materials. In a legal workflow, silent file changes can cause loss of evidentiary organization, missed deadlines, or accidental alteration of sensitive records, making the omission security-relevant even if not overtly malicious.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill specifies a concrete local output path under the user's home directory without warning that execution may create or overwrite files. In an agent environment, this can cause unintended modification of local case records, accidental data leakage into predictable locations, or clobbering of existing legal work product if the case name maps to an existing directory.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly declares an output path under the user's Documents directory, which implies local file creation or modification without any notice, confirmation step, or description of side effects. In an agent setting, silent writes to user files can overwrite existing work, leak sensitive case data into an unintended location, or create records the user did not consent to store locally.

VirusTotal

65/65 vendors flagged this skill as clean.
