Skill v1.0.1

ClawScan security

Pre judgment of similar cases wdy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 18, 2026, 7:00 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with its stated purpose (remote legal-law and similar-case lookup using the WenDaoYun API); the main risk is expected privacy exposure from sending user case text to an external API.
Guidance
This skill behaves like a remote legal search: it sends the case text you provide to a third-party API (WenDaoYun). Before installing or using it, consider the following:
- Privacy: avoid sending unnecessary personal data (names, ID numbers, exact addresses); anonymize or redact PII where possible. For highly sensitive matters, prefer an offline/local database or counsel.
- Trust the provider: verify h5.wintaocloud.com / WenDaoYun's privacy policy, retention rules, and terms; confirm you are comfortable with data leaving your environment.
- API key handling: keep WENDAOYUN_API_KEY in environment variables only; never paste it into chat, logs, or code. Rotate the key if you suspect leakage.
- Logging and command exposure: the skill uses curl via exec; ensure your runtime does not record full command lines or environment dumps that include sensitive payloads.
- Limit usage and test: be mindful of the reported daily quota and test with non-sensitive examples first to confirm formatting and results.
- Legal disclaimers: this is an aid, not a substitute for licensed legal advice; confirm jurisdictional applicability of results.
If you need the skill to avoid external transmission entirely, request a version that uses a local/legal database instead.

Review Dimensions

Purpose & Capability
ok
The skill is a legal-case retrieval helper and explicitly requires a WENDAOYUN_API_KEY and calls endpoints at h5.wintaocloud.com to fetch laws and similar cases. Requesting a single API key for an external legal-search service is proportional and expected for this functionality.
Instruction Scope
note
SKILL.md instructs the agent to POST user-provided case descriptions to the third-party API (get-laws, get-cases) via curl/exec. That behaviour is within the skill's purpose but necessarily sends potentially sensitive PII to an external service; the documentation warns about this. Also note that use of exec+curl can expose command-line arguments in process listings or logs if not handled carefully. The skill mitigates some risk by requiring an env var check and forbidding echoing the key, but callers should still avoid including sensitive data in logged commands or transcripts.
Install Mechanism
ok
This is instruction-only (no install spec, no code files). Nothing is written to disk or downloaded by the skill itself, which minimizes install-time risk.
Credentials
ok
Only one required environment variable (WENDAOYUN_API_KEY) is declared in registry.json and SKILL.md. That single credential is justified by the need to authenticate to the external API. The skill explicitly warns not to print the key.
Persistence & Privilege
ok
The always flag is false and the skill is user-invocable, with normal autonomous invocation allowed. The skill does not request system-level persistence, nor does it modify other skills or system configuration.