Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Klaus Processos Br

v0.0.1

Queries Brazilian court cases (Brazil) via the DataJud (CNJ) Public API

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (consulta de processos via DataJud) match the code and CLI: the package makes HTTP requests to the DataJud public API, parses CNJ numbers, supports searches and monitoring. No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md and the CLI explicitly tell the agent to run the bundled Python CLI and to optionally set DATAJUD_API_KEY. The runtime instructions do not ask the agent to read unrelated system files or credentials. Note: the CLI's dry-run prints headers (including the API key) which will reveal the configured API key to console output.
Install Mechanism
Instruction-only skill with local Python code (no install spec). No external downloads or installers; code uses only the Python standard library. This is a low-risk installation model.
Credentials
No required environment variables are declared. The code provides and uses a DEFAULT_API_KEY (hardcoded) and accepts an optional DATAJUD_API_KEY env var. Requesting an API key for the DataJud public API is proportionate, but embedding a default key in the repo may have implications (quota, privacy) and should be considered.
Persistence & Privilege
The skill writes a small state file (state/monitor.json) inside the skill folder to store monitored process numbers and hashes. This is expected for a monitoring feature but means monitored CNJ numbers are persisted locally and updated by the skill.
Assessment
This skill appears to do what it says: query the CNJ/DataJud public API and optionally monitor cases. Before installing, consider: (1) the repository contains a hardcoded DEFAULT_API_KEY — if you care about quotas or provenance, replace it with your own DATAJUD_API_KEY via environment variable; (2) the skill will create and update state/monitor.json in the skill folder to store monitored CNJ numbers and simple hashes — don't install if you don't want those case identifiers stored locally; (3) the CLI dry-run prints request headers (including the API key) to stdout — avoid running dry-run in contexts where console output is exposed; (4) the skill makes network requests to the official DataJud endpoint (api-publica.datajud.cnj.jus.br) — verify this aligns with your privacy and terms-of-use expectations (README notes non-commercial use). Overall the package is internally consistent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latest: vk972mezsv8rm6vs4pxmmpzdeg1827c2k
