ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

legal-cn-api

v1.0.0

提供结构化中国法律条文检索API,按次付费,数据自动更新,支持实时查询最新法律法规内容。

0· 91·0 current·0 all-time
byFelix Feng@fengfelix

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for fengfelix/legal-cn-api.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "legal-cn-api" (fengfelix/legal-cn-api) from ClawHub.
Skill page: https://clawhub.ai/fengfelix/legal-cn-api
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install legal-cn-api

ClawHub CLI

Package manager switcher

npx clawhub@latest install legal-cn-api
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description (legal-cn-api search + x402 micropayments) aligns with the included code (FastAPI + Meilisearch + x402). However the skill declares no required environment variables or primary credential while the code expects a config.py with Meilisearch host/key, x402 wallet address and private key, price, and other settings. The project also ships moltbook-credentials.json (contains an API key / verification code) which is unrelated to the stated purpose and is a sensitive artifact. The mismatch between declared requirements and actual code/config is a coherence problem.
!
Instruction Scope
SKILL.md instructs cloning repos, running update_database.sh (which clones/imports external law datasets), installing requirements, launching Meilisearch, and editing config.py to insert a wallet private key. Asking the user to paste a private key into config.py is outside 'simple' search setup risk profile and should be explicit in the metadata. The SKILL.md also claims payments go 'to developer wallet' and shows developer contact — that could mislead users about who receives funds if defaults or example config point to the developer. The pre-scan also flagged unicode-control-chars in SKILL.md (prompt-injection pattern).
Install Mechanism
There is no automated arbitrary binary download; installation is standard: pip install -r requirements.txt and docker-compose up for Meilisearch. The code clones/uses third-party GitHub repos and optionally ModelScope via its Python API (snapshot_download) — those are known sources, but they pull external data at runtime. No use of opaque personal servers or URL shorteners for installs was observed.
!
Credentials
The runtime needs secrets (Meilisearch master key, optional x402 wallet private key/address) but the skill package declares no required env vars. In addition, a file moltbook-credentials.json containing an API key and verification/claim URLs is included in the repo — an exposed secret unrelated to Meilisearch or x402. This combination (undeclared secrets + shipped secret file) is disproportionate and risky.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It does not modify other skills or system-wide settings. Autonomous invocation (disable-model-invocation:false) is the platform default and is not by itself flagged here.
Scan Findings in Context
[unicode-control-chars] unexpected: A prompt-injection pattern detector found unicode control characters in SKILL.md. This may be a false positive (we didn't see obvious malicious invisible characters in the visible content), but it should be inspected; the SKILL.md also contains persuasive language about payments and developer wallet which could be used to influence evaluation or install instructions.
What to consider before installing
Key points before installing or running this skill: - Secrets and config: The code expects a config.py containing MEILISEARCH_HOST, MEILISEARCH_MASTER_KEY and (optionally) X402_WALLET_PRIVATE_KEY/X402_WALLET_ADDRESS. The package metadata does not declare these env vars — treat this as a manual configuration step. Do NOT paste any private key you care about into config.py without reviewing the code. - Exposed secret file: The repo includes moltbook-credentials.json with an API key and other identifying fields. That file appears unrelated to the core service and may be a leaked credential. Remove or rotate any keys found in the repo before using, and do not publish that file. - Payment recipient: SKILL.md and main.py are written to accept payments to whatever private key/address is configured. If you run this service, ensure the configured wallet is yours; if you use the included example or developer-supplied values, payments may go to the developer. Verify config.py.example and never use third-party private keys. - Network actions: update_database.sh and utility scripts clone GitHub repos and the code can call ModelScope snapshot_download — these operations fetch external content. Run the import/update steps in an isolated environment and audit the imported data before indexing. - Audit and harden before production: Remove sensitive artifacts (moltbook-credentials.json), declare required env vars in your deployment, avoid storing private keys in plaintext (use environment variables or a secrets manager), and validate config.py.example contents. Consider running the service in a sandbox/VM and monitoring outbound network traffic the first time you run it. - If you need a short checklist: inspect config.py.example, delete/rotate any credentials in the repo, run imports in isolation, set Meilisearch master key to a strong value, and only configure your own wallet private key if you understand the payment flow and trust the code. Because of undeclared credential requirements and an included secret file, this skill is internally inconsistent and could lead to accidental key leakage or misdirected payments — proceed only after the fixes and audits above.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fy417v1eggcqwf1p2tdjn7183nss6
91downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
Felix Feng@fengfelix
latest
Download

legal-cn-api - 中国法律条文检索付费 API

给 AI Agents 提供准确、结构化、可直接调用的中国法律条文检索,按次付费,不需要自己建库。

🎯 解决什么问题

AI Agents 在处理涉及中国法律的问题时,经常需要查阅最新的法律法规。自己搭建法律数据库成本高、维护麻烦,使用本服务可以:

  • 即拿即用:直接调用 API 获取结构化法律条文
  • 按次付费:用多少付多少,成本极低(每次搜索约 0.000007 人民币)
  • 去中心化:付费直接到开发者钱包,没有中间商抽成
  • 自动更新:每季度同步最新法律法规

📊 数据规模

  • 2,416 部现行有效法律
  • 81,529 条具体条文
  • 更新到 2026 年 7 月
  • 分类完善:民法、刑法、行政法、经济法、社会法、诉讼法等

💰 付费模式

基于 x402 协议(USDC on Base)实现微支付,三层定价:

  • 获取分类信息:✅ 免费
  • 单次查询0.001 USDC0.007 人民币
  • 包月套餐:即将推出(优惠价)

为什么这么定价:

  • 极低试用门槛,任何人都敢尝试
  • 价格覆盖微支付链上成本,可持续运营
  • 就算一天搜索 1000 次,也才 7 毛钱,用户完全不心疼
  • 去中心化:付费直接到开发者钱包,不需要托管
  • 自动验证:协议自动验证支付,无需人工干预

🚀 快速部署

1. 克隆项目

git clone https://github.com/fengsu82/legal-cn-api
cd legal-cn-api

2. 安装依赖

pip install -r requirements.txt

3. 启动 Meilisearch

docker-compose up -d

4. 导入数据

数据来自公开项目 pengxiao1997/china_law,自动导入。

bash update_database.sh

5. 配置支付

cp config.py.example config.py
# 编辑 config.py,填入你的钱包地址和私钥

6. 启动服务

uvicorn main:app --host 0.0.0.0 --port 8000

📚 API 使用

GET /api/v1/search

参数:

  • q: 搜索关键词
  • limit: 返回数量(默认 10,最大 50)

返回示例:

{
  "success": true,
  "results": [
    {
      "law_title": "中华人民共和国民法典",
      "article_no": "第五条",
      "article_title": "自愿原则",
      "content": "民事主体从事民事活动,应当遵循自愿原则,按照自己的意思设立、变更、终止民事法律关系。",
      "effective_date": "2021-01-01",
      "category": "民法",
      "score": 0.98
    }
  ],
  "total": 12
}

GET /categories

免费接口,获取所有法律分类及条文数量。

GET /health

健康检查。

🛠 技术栈

  • FastAPI - 高性能 Web 框架
  • Meilisearch - 全文搜索引擎,毫秒级响应
  • x402 - 去中心化微支付协议
  • USDC on Base - 稳定币支付网络

📄 许可证

MIT License —— 可以自由使用、修改、分发。

👨‍💼 作者

Felix Feng fengsu82@qq.com

  • 广东广和律师事务所 执业律师
  • 关键词教育 国际部 CEO

Comments

Loading comments...