ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

九章专利法律专家V1.1.0

v1.1.0

九章专利法律专家V1.1.0(DeepSeek R2 + 2000+案例 + 自我进化)

0· 145·0 current·0 all-time
by张律师@sealawyer2026
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description claim a patent-law assistant; requiring a DEEPSEEK_API_KEY is plausible if it calls an external DeepSeek service. However the skill has no homepage or publisher info and declares capabilities (file_read, data-collection, evolution) that are not explained in the description, making the purpose vs. claimed capabilities unclear.
!
Instruction Scope
SKILL.md is minimal and contains no explicit runtime steps, but its embedded metadata enables 'file_read' and an 'evolution' feature with 'data_collection' and 'feedback_loop'. There are no boundaries described for what is read or sent, so the instructions implicitly permit reading user files/context and sending data to an external service — scope creep from a user-facing legal assistant.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no download/install risk from the skill bundle itself.
!
Credentials
Only one env var (DEEPSEEK_API_KEY) is required, which is reasonable if the skill integrates with DeepSeek. But the metadata's data_collection and feedback_loop settings make that single API key potentially powerful (it may allow sending user-provided content to the external service). The skill does not justify what data is sent or retention/usage of that data.
Persistence & Privilege
always is false and there is no install-time persistence requested by the package. However 'evolution' metadata implies ongoing data collection/feedback, so while the skill itself is not force-installed, it may attempt repeated outbound interactions if invoked.
What to consider before installing
This skill claims to be a patent-law assistant but its metadata enables file reading and automatic 'data collection' and 'feedback loops' with an external service (DeepSeek) without describing what gets collected or how it is used. Before installing or providing DEEPSEEK_API_KEY, ask the publisher for: (1) a privacy/security policy describing exactly what data is collected, where it is sent, retention and deletion policies, and whether user content is used for model training; (2) which files/paths the skill will read and opt-out controls; (3) what permissions the API key must have and whether a scoped/restricted key can be used; (4) an audit/logging contact or enterprise agreement if you will process sensitive documents. Because the source and homepage are unknown, do not provide any sensitive or privileged documents or long-lived credentials until these questions are satisfactorily answered. If you must test it, use a restricted/test API key and non-sensitive sample data.

Like a lobster shell, security has layers — review code before you run it.

latestvk974j3v3xmz0c7h0aq1hfz0tfs83eq48

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvDEEPSEEK_API_KEY

Comments