Skill v1.0.2

ClawScan security

LegalBot法律助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 1:29 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and instructions match its stated purpose (legal Q&A, contract scanning, cost estimates, templates); no requested credentials or installs and no obvious network/exfiltration behavior — but there are a few minor coherence/quality issues to review before use.
Guidance
This skill appears coherent for a legal helper: it bundles local rule/data files and document templates and does not request credentials or install software. Before installing or using it, note the following: (1) SKILL.md references data/law_index.json which is missing from the manifest — ask the publisher for that file or confirm the skill will operate correctly without it. (2) Several templates include realistic-looking sample PII (names, ID numbers, phone numbers, a bank account number). Treat those as placeholders: replace or remove any sample personal or financial data before using/sharing templates. (3) Because the source/homepage is unknown, exercise normal caution — do not paste sensitive client documents or secrets into the skill until you verify provenance. (4) Remember the tool is for reference only (the skill includes disclaimers); for high‑risk matters rely on a qualified lawyer. Providing the missing law_index.json or publisher provenance would increase confidence further.

Review Dimensions

Purpose & Capability
ok
Name/description (legal assistant: contract scan, fees, templates, statutes) align with the provided data files and templates. The skill is instruction-only and contains local JSON rule/data files and many document templates which are appropriate for the stated purpose.
Instruction Scope
note
SKILL.md is descriptive and stays within the skill's domain (uses local data files for rules/templates). One inconsistency: SKILL.md references data/law_index.json (200+ core statutes) but that file is not present in the file manifest — the skill may rely on a missing data source. Also several templates contain hard-coded, realistic-looking personal identifiers and a bank account number as example data; embedding such sample PII is surprising and could lead to accidental disclosure if users reuse templates without replacing placeholders.
Install Mechanism
ok
Instruction-only skill with no install spec and no code to write to disk. Lowest-risk install posture.
Credentials
ok
No required environment variables, no credentials, and no config paths. The skill does not request secrets or system access beyond reading its own bundled data and templates.
Persistence & Privilege
ok
always is false and the skill is user-invocable/autonomously callable (platform default). The skill does not request elevated or persistent system privileges.