Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jiuzhang Copyright Law Expert V1.1.0

v1.1.0

Jiuzhang Copyright Law Expert V1.1.0 (DeepSeek R2 + 1500+ cases + self-evolution)

by 张律师 @sealawyer2026
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (copyright legal expert) is consistent with needing an external case/search API such as 'DeepSeek' and the single DEEPSEEK_API_KEY could be legitimate. However the metadata declares capabilities (file_read) and an 'evolution' data collection feature that are not explained by the description; it's unclear why a legal assistant would need broad file_read capability or an autonomous data-collection pipeline without explicit user consent or policy detail.
Instruction Scope
The SKILL.md provides only a brief description and a metadata block; there are no concrete runtime instructions showing what the agent will do with the API key, what files it may read, or how collected data is used/transmitted. The metadata's 'capabilities: ["reasoning","file_read"]' and 'evolution.data_collection: true' imply the skill may access local files and send data externally, but no scope, limits, or destinations are documented — this vagueness grants the agent broad discretion and is a privacy risk.
Install Mechanism
No install spec and no code files are present (instruction-only skill), which minimizes direct supply-chain risk because nothing is downloaded or written during install.
Credentials
Only DEEPSEEK_API_KEY is required, which could be reasonable for a search/case service. However, given the declared data_collection/feedback_loop behaviors, that single key might be used to transmit user-provided or local-file content to an external service. The skill requests a credential that could enable exfiltration with no documented limits or purpose — disproportionate given the lack of detail.
Persistence & Privilege
always:false (good), but the metadata advertises 'evolution' with 'feedback_loop' and 'data_collection', implying ongoing collection of usage or user data. Combined with autonomous invocation (platform default), this increases the blast radius for any unclear data-handling behaviors. The skill does not request system-level persistence, but its declared capabilities could let it read and transmit sensitive legal materials if allowed to run without constraints.
What to consider before installing
Do not supply your DEEPSEEK_API_KEY or any sensitive case/client data until the author clarifies exactly what the skill will do. Ask the publisher: (1) what is 'DeepSeek' (official domain, privacy policy, data retention and access controls); (2) when and which local files will be read and how that access is requested/authorized; (3) what data are collected, whether they are uploaded to external services, and how they are anonymized/stored; (4) how to opt out of any feedback/data-collection loop; and (5) provide concrete runtime instructions or logs showing requests the skill will make. If you must test, run it in a sandbox environment with non-sensitive sample cases and a limited/throwaway API key. If you need stronger assurance, request a version of the skill that explicitly restricts file access and documents all external endpoints and purposes.


latest vk979mghzkznt2zb498m72a6pqs83edcs

Runtime requirements

Env: DEEPSEEK_API_KEY
