Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Compliance & Legal Pack: 4-Guide Collection for Agent Governance and Regulatory Compliance
v1.3.1 · Navigate the regulatory landscape for autonomous AI agents. Covers EU AI Act compliance, contract lifecycle management, agent insurance and risk pools, and t...
⭐ 0 · 96 · 0 current · 0 all-time
by @mirni
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose is delivery of four written guides. A content-only bundle should not need an AGENT_SIGNING_KEY, a WALLET_ADDRESS, or a STRIPE_API_KEY. GREENHELIX_API_KEY as the primary credential could make sense if the bundle were fetched from a content API, but the additional credentials are disproportionate to that purpose and are not explained anywhere in the package.
Instruction Scope
The SKILL.md contains no runtime commands or steps that reference any of the environment variables. It lists the credentials in metadata but never describes how or when they would be used. That is scope creep: the skill asks for secrets without any operational justification.
Install Mechanism
There is no install spec and no code files (instruction-only). That lowers the risk of arbitrary code being written to disk or executed, but it does not excuse requesting unrelated secrets in metadata.
Credentials
Requires four environment values, including AGENT_SIGNING_KEY (likely a private key), WALLET_ADDRESS and STRIPE_API_KEY. These are high-risk secrets for a guide bundle. The number and sensitivity of the requested env vars is not proportional to delivering documents.
Persistence & Privilege
The skill is not marked 'always: true' and is user-invocable; it does not request to modify other skills or system-wide settings. Autonomous invocation is allowed (the default), but there is no code in the package itself that could run autonomously.
Scan Findings in Context
[regex-scan-empty] expected: The static scanner found no code to analyze (instruction-only SKILL.md). An empty scan is expected for a documentation-only bundle, but it also means there is no runtime evidence explaining why the secrets are required; the absence of findings is not evidence of safety.
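The check described above, declared credentials versus actual use in the body, can be automated. The following is an added example written for this page, not ClawHub's or OpenClaw's scanner: it splits a SKILL.md into frontmatter and body, collects the names under an `env:` key, and flags any name the body never references, rating names that look like signing keys, wallets or payment secrets as high severity. The frontmatter layout, the sample SKILL.md contents and the `example.invalid` endpoint are all constructed assumptions, not the platform's documented schema.

```python
import re

# Constructed sample modelled on the listing on this page (frontmatter layout
# is an assumption): four env vars declared in metadata, body is documentation only.
SUSPICIOUS_SKILL_MD = """---
name: compliance-legal-pack
description: Four guides on agent governance and regulatory compliance.
env:
  - GREENHELIX_API_KEY
  - AGENT_SIGNING_KEY
  - WALLET_ADDRESS
  - STRIPE_API_KEY
primary_env: GREENHELIX_API_KEY
---
# Compliance & Legal Pack

Read the four guides in order: EU AI Act, contracts, insurance, tax.
"""

# Constructed counter-example: one key declared, and the body shows the fetch
# step that uses it (hypothetical endpoint). This is what a justified key looks like.
BENIGN_SKILL_MD = """---
name: compliance-legal-pack
env:
  - GREENHELIX_API_KEY
---
# Compliance & Legal Pack

Fetch the bundle before reading:

    $ curl -H "Authorization: Bearer $GREENHELIX_API_KEY" https://example.invalid/bundle.zip
"""

# Name fragments that indicate a secret whose leak is hard to recover from.
HIGH_RISK_NAME = re.compile(r"SIGNING|PRIVATE|SECRET|WALLET|STRIPE|TOKEN|PASSWORD", re.I)
FRONTMATTER = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.S)
ENV_ITEM = re.compile(r"^\s+-\s+([A-Z][A-Z0-9_]+)\s*$")
# Shell-prompt lines or 4-space indented blocks count as runtime instructions.
COMMAND_LINE = re.compile(r"^\s*\$\s+\S|^ {4}\S", re.M)


def split_frontmatter(text):
    """Return (frontmatter, body); a file without frontmatter is all body."""
    m = FRONTMATTER.match(text)
    return (m.group(1), m.group(2)) if m else ("", text)


def declared_env(frontmatter):
    """Collect names listed under an `env:` key (line-based, no YAML library)."""
    names, in_env = [], False
    for line in frontmatter.splitlines():
        if re.match(r"^env:\s*$", line):
            in_env = True
            continue
        if in_env:
            m = ENV_ITEM.match(line)
            if m:
                names.append(m.group(1))
                continue
            in_env = False  # first non-item line ends the list
    return names


def audit(skill_md):
    """Compare declared env vars with the body and return a verdict dict."""
    fm, body = split_frontmatter(skill_md)
    declared = declared_env(fm)
    # A variable counts as used if the body mentions it at all ($VAR, ${VAR}, prose).
    used = [n for n in declared if re.search(rf"\b{re.escape(n)}\b", body)]
    findings = []
    for n in declared:
        if n in used:
            continue
        severity = "high" if HIGH_RISK_NAME.search(n) else "medium"
        findings.append({"severity": severity, "env": n,
                         "reason": "declared in metadata but never referenced in the body"})
    if any(f["severity"] == "high" for f in findings):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"declared": declared, "used": used,
            "has_commands": bool(COMMAND_LINE.search(body)),
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, doc in (("suspicious sample", SUSPICIOUS_SKILL_MD),
                       ("benign sample", BENIGN_SKILL_MD)):
        r = audit(doc)
        print(f"{label}: verdict={r['verdict']} has_commands={r['has_commands']}")
        for f in r["findings"]:
            print(f"  [{f['severity']}] {f['env']}: {f['reason']}")
```

Run against the first sample the audit reports three high-severity unused secrets and a "suspicious" verdict; against the second it reports "ok", because the only declared key appears in a concrete fetch step. The rule is deliberately simple: a mention in the body is the minimum justification, and a key with no mention has no business being requested.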
What to consider before installing
Do not provide sensitive keys (private signing keys, wallet private keys, or secret Stripe keys) to this skill. Ask the publisher to explain exactly why each credential is needed and to provide a minimal, documented integration flow. Acceptable alternatives: (1) a public content URL or downloadable files (PDF/HTML) requiring no secrets; (2) a read-only API key scoped to fetching this specific bundle; or (3) a standard commerce checkout page. Do not share your Stripe secret key; if a Stripe key is needed at all, it should be the publishable key or handled outside the skill. If the publisher cannot justify each secret, or cannot produce a privacy/security policy and provenance for the content, do not install the skill or supply credentials. If you must proceed for testing, use throwaway sandbox credentials with least privilege only.
Tags: ai-agent, bundle, compliance, contracts, eu-ai-act, greenhelix, guide, insurance, latest, openclaw, tax
Runtime requirements
Env: GREENHELIX_API_KEY, AGENT_SIGNING_KEY, WALLET_ADDRESS, STRIPE_API_KEY
Primary env: GREENHELIX_API_KEY
