Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Legal Team Collaboration Global Standard v2.0

v2.0.0

AI Legal Team Collaboration Global Standard v2.0 - Enhanced with DeerFlow 2.0 framework, provides complete intelligent collaboration framework for corporate...

by 张律师 @sealawyer2026
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is an instruction/documentation bundle describing deploying DeerFlow 2.0 and multi-model orchestration, which aligns with the name and description. However, it advertises runnable components (Docker sandbox, Python scripts, pnpm install, long-running tasks) while shipping only docs — there is no code in the bundle, so the declared capability is purely descriptive rather than implementable from the package alone.
! Instruction Scope
SKILL.md and README contain concrete runtime commands (git clone, pnpm install, python enterprise_compliance_check.py) and examples that imply reading and uploading enterprise documents (e.g., upload_template("采购合同模板.pdf")). The README also instructs setting DEEPSEEK_API_KEY in .env. Those runtime actions could cause agents to access local files or external APIs, but the skill does not declare or request corresponding env vars or files — a scope mismatch that could lead an agent to ask for or attempt to use secrets/files without clear provenance.
Install Mechanism
No install spec or executable code is included in the skill bundle — it is instruction-only, so nothing in this package will be written to disk or executed automatically by an installer. That lowers immediate install risk.
! Credentials
The documentation references external services and an environment variable (DEEPSEEK_API_KEY) and suggests configuring API keys for model providers, but the skill declares no required env vars or primary credentials. This omission is an inconsistency: the instructions expect secrets to be set for full functionality, but the skill does not request or document them as required, so users may later be prompted to provide keys or set up external accounts.
Persistence & Privilege
The skill does not request always:true, has no install script, and does not attempt to modify other skills or agent-wide settings. It is user-invocable and can be called autonomously per platform defaults, which is normal.
What to consider before installing
This package is documentation only — it does not contain runnable code, but it tells you how to deploy external software (clone bytedance/deer-flow, run pnpm, set DEEPSEEK_API_KEY, run python scripts). Before using: (1) do not paste secrets or upload sensitive contracts without first inspecting the actual code/repos it points to; (2) verify the referenced GitHub repos (bytedance/deer-flow and sealawyer2026) and review their code and license yourself; (3) be cautious when an agent asks to set API keys or read local PDFs — give only least-privilege credentials and avoid sharing org secrets until you’ve audited the downstream software; (4) if you expect to run the system, test in an isolated environment (VM or container) and review .env and startup scripts for network calls and data exfiltration points.


Tags: ai-legal-team, compliance, deerflow2, enterprise-legal, in-house-counsel, latest, legal-team
