Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Legal/TOS Diff-er
v1.0.0 · Fetches Terms of Service documents, stores snapshots, and performs semantic diffing to identify meaningful legal changes across Privacy Risks, Financial Chan...
by Peter Lum (@liverock)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw verdict: Benign (high confidence)
Purpose & Capability
Name and description match the actual behavior: the code fetches web pages, extracts legal text with cheerio, stores timestamped snapshots, and builds prompts for semantic diffing. Declared dependencies (cheerio, node-fetch) are appropriate for the task.
Instruction Scope
SKILL.md exposes commands that map directly to handler.js actions (add/list/fetch/diff/remove). The runtime does exactly what the description says and does not attempt to read unrelated system files. Minor inconsistency: the implementation honors an override environment variable (TOS_DATA_DIR) for storage location, but the skill metadata listed no required env vars and SKILL.md does not document this override.
Install Mechanism
Instruction-only install spec (no installer) and shipped source files: no network install step or arbitrary archive downloads are present. Dependencies are standard npm packages listed in package.json/lockfile.
Credentials
The skill requests no credentials or special config paths. The only environment variable used is an optional storage override (TOS_DATA_DIR), which is reasonable for controlling where snapshots are saved. No secret names or unrelated cloud credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills or global agent settings. It writes snapshot files into its own snapshots directory (by default under the skill directory, or to TOS_DATA_DIR if set), which is normal for this use case — but storing fetched page contents on disk means sensitive data could be persisted if tracked URLs point to internal resources.
Assessment
This skill appears to do what it says: it will fetch whatever URL you tell it, extract text, and write JSON snapshots to a snapshots directory (by default inside the skill folder, or to the path you set via TOS_DATA_DIR). Before installing or running it, consider:
(1) Network exposure: because it fetches arbitrary URLs, do not run it in an environment that can reach internal services you don't want probed (SSRF / internal resource enumeration). The scan describes no restriction on target hosts, so any restriction has to come from the environment or from a guard you add in front of the fetch.
(2) Data persistence: snapshots store the full extracted text on disk, which may contain sensitive content; set TOS_DATA_DIR to a controlled path and ensure appropriate file permissions and rotation.
(3) Review or sandbox the code locally if you need higher assurance (the code is small and readable).
(4) Only add and track URLs you trust, and monitor snapshot storage for sensitive data.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
handler.js:21: Environment variable access combined with network send. Per the Credentials section above, the only environment variable read is the optional TOS_DATA_DIR storage override, so this pattern most likely reflects that read sitting near the fetch call rather than credentials being sent out; confirm by reading the flagged line before installing.
latest · vk97cy0ae6nyyh08a9ez6ym1f4d84srfk
