ClawHub

Firm Legal Pack

ReviewAudited by ClawScan on May 1, 2026.

Overview

This is an instruction-only legal workflow bundle with no code, but users should review its optional dependency installs and session-orchestration permissions because legal data is sensitive.

This skill appears coherent and instruction-only, with no code or static scan findings. Before installing it in a legal environment, review the companion skills it recommends, apply the secure-mode and audit settings, restrict session methods as suggested, and ensure the workspace is appropriate for sensitive legal documents.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium
#ASI07: Insecure Inter-Agent Communication
What this means

Legal documents or prior session context could be exposed to other agent sessions if the surrounding OpenClaw permissions are broad.

Why it was flagged

The skill declares tools for sending to sessions, spawning sessions, and reading session history. These are coherent with a multi-agent legal orchestration bundle, but session-to-session workflows can move sensitive legal context between agents.

Skill content
tools:
      - sessions_send
      - sessions_spawn
      - sessions_history
Recommendation

Use the recommended pairing, audit, and allowed-method restrictions; install only in workspaces where inter-agent session sharing is intended.

Low
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installing the recommended companion skills could add capabilities, code, or permissions not visible in this instruction-only artifact.

Why it was flagged

The skill recommends latest-version installs of multiple companion skills. This is purpose-aligned for a bundle, but those additional packages are outside this artifact and should be reviewed independently.

Skill content
npx clawhub@latest install academic-research
npx clawhub@latest install pdf-documents
npx clawhub@latest install arc-security-audit
npx clawhub@latest install agent-audit-trail
npx clawhub@latest install firm-orchestration
Recommendation

Review each recommended skill’s source, permissions, and install behavior before adding it to a legal or compliance workspace.

Low
#ASI08: Cascading Failures
What this means

A mistaken or overly broad configuration could carry into later legal workflows or other agent sessions.

Why it was flagged

The artifact asks the user to modify a shared OpenClaw configuration file, including default agent workspace settings. This is not hidden and fits the firm-pack purpose, but configuration changes can affect future agent runs.

Skill content
Add to `~/.openclaw/openclaw.json`:

{
  "agent": {
    "model": "anthropic/claude-opus-4-6",
    "workspace": "~/.openclaw/workspace"
  },
  "agents": {
    "defaults": {
      "sandbox": { "mode": "non-main" },
      "workspace": "~/.openclaw/workspace/legal-firm"
    }
  }
}
Recommendation

Back up the OpenClaw configuration first and apply the overlay only to the intended legal workspace or profile.