Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Global Compliance

v1.0.1

AI-powered global compliance checker, document generator, and risk assessor for GDPR, CCPA, SOC2, ISO27001, HIPAA and more

by Justin Liu (@zhenstaff)
MIT-0
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md describes a compliance assistant and its CLI usage (compliance check/generate/assess), which is coherent with the skill name. However, two other included files (SKILL-EN.md and SKILL-ZH.md) are for a completely different 'video-generator' skill. Having unrelated skill documents bundled with a compliance skill is incoherent and suggests mispackaging or intentional mixing of functionality.
Instruction Scope
Runtime instructions ask the agent to request user files, run a local CLI (compliance check/generate/assess/query), and summarize or save outputs. Those instructions stay within the compliance domain and do not request unrelated system files or secrets. However, the skill also defines broad AUTO-TRIGGER keywords, which could cause frequent invocation, and it instructs users/agents to install and run an external CLI that is not provided by the registry (see Install Mechanism).
Install Mechanism
The skill is instruction-only (no install spec), but SKILL.md tells users/agents to run 'npm install -g openclaw-global-compliance' and use a 'compliance' CLI. Installing an unvetted global npm package has risk: the package source, integrity, and behavior are unknown. Additionally, the repo includes unrelated files referencing a different project, increasing suspicion that the install instructions could direct you to other code or commands.
Credentials
The skill declares no required environment variables, credentials, or config paths. The instructions do not ask for secrets beyond normal document inputs and company info. There is no direct request for unrelated credentials or system configuration.
Persistence & Privilege
Skill flags are default (always: false, agent-invocable allowed). It does not request permanent/privileged presence or to modify other skills. Autonomous invocation is normal and not, by itself, a problem here.
What to consider before installing
Do not install or run the suggested npm package until you verify its provenance. Specific concerns:

(1) This skill bundle contains unrelated SKILL-EN.md/SKILL-ZH.md files for a video-generator skill, likely a packaging error or intentional mixing.
(2) The runtime instructions advise installing a global npm CLI (openclaw-global-compliance) that is not part of this registry entry, which could run arbitrary code.

Suggested steps before proceeding:
1) Verify the package on npm and inspect its author, version history, and repository URL; prefer packages with a clear homepage/repo and reproducible source.
2) Search for 'openclaw-global-compliance' and the owner identity; confirm it matches the registry owner.
3) Inspect the npm package contents in a sandbox (or review its GitHub repo) to see exactly what binaries/scripts it installs.
4) If you need the skill now, run the CLI in an isolated environment (container or VM) and avoid giving it privileged access or secrets.
5) Contact the publisher/maintainer for clarification about the unrelated video-generator files and request a clean release or corrected packaging.

If you cannot verify the package/source, do not install it.
