ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Government Legal Services Global Standard v2.0

v2.0.0

AI Government Legal Services Global Standard v2.0 - Enhanced with DeerFlow 2.0 framework, provides complete intelligent collaboration framework for governmen...

0· 58·0 current·0 all-time
by张律师@sealawyer2026
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name and description promise a full runtime platform (DeerFlow 2.0 integration, Docker sandbox, long-running tasks, multi-model orchestration, CLI tools). However the published bundle contains only Markdown documents and no install spec, no code files, and no declared runtime dependencies. The README and SKILL.md include examples that reference a Python script (gov_law_search.py) and runtime components that are not included. That mismatch is disproportionate: a functioning integration of the described complexity would reasonably require binaries, install steps, or environment/credential declarations.
!
Instruction Scope
SKILL.md and the included docs describe operational behaviors (e.g., daily website checks, concurrent workers, pushing results to departments, running python3 gov_law_search.py) but do not provide concrete runnable artifacts. The documentation is high-level and could prompt an agent to search for or execute external code. Additionally, a pre-scan flagged 'unicode-control-chars' in SKILL.md indicates possible prompt-injection attempts embedded in the text, which raises concern about manipulation of the evaluation/runtime behavior.
Install Mechanism
There is no install specification (instruction-only). That is the lowest-risk install model. However, because the docs advertise runtime features, the absence of any install mechanism is the very incoherence flagged above—not an installation risk by itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. This is safe from an immediate-credential-exfiltration perspective, but inconsistent with the described multi-model and gov-cloud integrations (which in reality would require API keys, cloud credentials, or on-prem deployment steps). The absence of any credential requirements suggests the bundle is purely documentation or is missing critical implementation pieces.
Persistence & Privilege
The skill does not request 'always:true' and does not declare any persistence or system-wide config modifications. Autonomous invocation is permitted (the default) but there are no declared behaviors that would grant elevated persistence or privileges.
Scan Findings in Context
[unicode-control-chars] unexpected: Control/unicode-injection patterns were detected in SKILL.md. This is not expected for a benign documentation-only skill and could indicate an attempt to embed hidden instructions or manipulate evaluations. It should be inspected manually; presence does not prove maliciousness but is suspicious.
What to consider before installing
This package appears to be marketing/documentation for a complex government AI platform, not an implementation you can run. Before installing or enabling it: 1) Don’t provide any credentials — the package does not request any but the described integrations would normally require them. 2) Ask the publisher for the actual install artifacts or source code (binaries, scripts, Docker images, or an install spec). 3) Verify the GitHub and website links independently; the docs reference scripts (e.g., gov_law_search.py) that are not included. 4) Inspect SKILL.md for hidden/control characters and avoid running unknown scripts or commands. If you expected a runnable skill (sandboxed runtime, model switching, CLI tools), treat this as mispackaged and request a corrected package before use.

Like a lobster shell, security has layers — review code before you run it.

ai-government-legalvk97cak0p4wpfejxc3nzjvmm7g983x0n5deerflow2vk97cak0p4wpfejxc3nzjvmm7g983x0n5government-legalvk97cak0p4wpfejxc3nzjvmm7g983x0n5government-servicesvk97cak0p4wpfejxc3nzjvmm7g983x0n5latestvk97cak0p4wpfejxc3nzjvmm7g983x0n5legal-servicesvk97cak0p4wpfejxc3nzjvmm7g983x0n5public-sectorvk97cak0p4wpfejxc3nzjvmm7g983x0n5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments