case.dev

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is mostly a coherent case.dev CLI guide, but it gives the agent broad raw API access while handling sensitive legal documents and credentials.

Install only if you trust case.dev and the CLI source. Prefer the package-manager install over curl-piping a script, protect your API key, verify every file or directory before uploading, and require explicit approval before the agent uses raw API calls or performs account-changing actions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used too broadly or after a mistaken instruction, the agent could retrieve or mutate case.dev account data beyond the specific OCR, vault, transcription, or search task the user intended.

Why it was flagged

The skill gives the agent an escape-hatch interface for arbitrary case.dev API operations, including POST requests with custom bodies, rather than limiting it to safer scoped workflows.

Skill content

Browse and call any case.dev API endpoint by operationId ... casedev call createVault --body '{"name":"test"}' --json ... casedev api POST /vault --body '{"name":"new-vault"}' --json

Recommendation

Use the typed casedev commands when possible. Require explicit user approval before raw API calls or any non-read operation, and document which endpoints are allowed for agent use.

What this means

Installing this way requires trusting the remote repository and the current contents of the install script.

Why it was flagged

The skill documents a remote shell-script installer from GitHub. This is a common CLI installation pattern, but it executes remote code and is not pinned to a specific version in the artifact.

Skill content

curl -fsSL https://raw.githubusercontent.com/CaseMark/homebrew-casedev/main/install.sh | sh

Recommendation

Prefer the Homebrew install path or inspect and verify the script before running it. Pin versions or checksums where possible.

What this means

The API key may grant access to legal vaults and account operations if exposed or misused.

Why it was flagged

The skill requires case.dev authentication and can store an API key locally, although the registry metadata lists no required credentials or environment variables.

Skill content

export CASE_API_KEY=sk_case_YOUR_KEY ... casedev auth set-key --api-key sk_case_YOUR_KEY ... Config is stored at ~/.config/case/config.json.

Recommendation

Use a least-privilege key if available, avoid pasting real keys into chat, protect the local config file, and revoke keys that may have been exposed.

What this means

Sensitive or privileged legal materials could be persistently stored and indexed in the external service if the user uploads the wrong files or directory.

Why it was flagged

The vault workflow uploads local legal files or directories to case.dev, where they are ingested, OCRed, chunked, and made available for semantic search.

Skill content

Encrypted document storage with automatic OCR, chunking, and semantic search ... casedev vault upload ./case-files/ --vault VAULT_ID --json

Recommendation

Upload only clearly intended files, verify directories before recursive upload, understand case.dev retention and access controls, and use options such as no-ingest where indexing is not desired.