Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
corporate lawyer
v1.0.0
AI-powered legal assistant for commercial transactions - provides contract review, transaction advisory, compliance checking, document generation, risk asses...
by Justin Liu (@zhenstaff)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (corporate legal assistant) matches the requested minimal runtime requirement (python3). However, the SKILL.md and README claim a large Python package (23 files, 3,340 LOC, pydantic models, etc.) and provide import/use examples while the registry bundle contains no code files — only SKILL.md and README. That mismatch is unexplained and noteworthy.
Instruction Scope
The runtime instructions focus on collecting contract/transaction details from the user and producing analysis/templates. They do not instruct the agent to read unrelated system files, credentials, or send data to external endpoints beyond recommending installing the package — no obvious scope creep in the instructions themselves.
Install Mechanism
The registry bundle has no install spec, but SKILL.md/README advise 'pip install openclaw-skill-corporate-lawyer', 'git clone <repo> && pip install -e .', and metadata contains 'pip install -e .'. Because no package files are included in the skill bundle, using the skill as intended would require downloading and installing code from PyPI or GitHub. Pulling and executing external packages is a higher-risk operation and the documentation's conflicting signals (claim of local editable install vs. expecting an external package) are inconsistent.
Credentials
The skill requests no environment variables, no credentials, and only requires python3. This is proportionate for an assistant that would run locally in Python. There are no hidden credential requests in SKILL.md or README.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request system-wide persistence or modify other skills. No elevated persistence privileges are declared.
What to consider before installing
This skill appears to be an instruction-only wrapper that expects you to install a separate Python package. Before installing or running anything:
1) Verify the upstream GitHub repository (https://github.com/ZhenRobotics/openclaw-corporate-lawyer) and inspect its source, setup.py/pyproject.toml, and license to ensure the code matches the claims.
2) Prefer installing in an isolated virtualenv or container and review the package contents before execution (e.g., pip download and inspect).
3) Be cautious about sending confidential contract text to third-party services or code you haven't reviewed.
4) If you expect the skill to run without external installs, note the bundle lacks the advertised Python modules — ask the publisher for a complete package or an explicit install artifact.
These inconsistencies are not proof of malice, but they increase risk and merit manual review prior to installation.
Like a lobster shell, security has layers — review code before you run it.
latest vk972nqs58rat8wxeeg6ybxv9jd8303t4
Runtime requirements
⚖️ Clawdis
OS: macOS · Linux · Windows
Bins: python3
