
      Safety Report

      LegalDoc AI

      @manas-io-ai

      Automate extraction, analysis, summarization, legal research, and deadline tracking of contracts and legal documents for law firms and professionals.

      2,358 Downloads
      1 Installs
      0 Stars
      1 Versions
      Workflow Automation (3,323) · Search & Retrieval (2,116) · Browser Automation (1,737) · PDF & Documents (1,388)

      Security Analysis

      medium confidence
      Suspicious · 0.12 risk

      The skill's code and instructions mostly match a legal-document automation tool, but there are material inconsistencies (claimed 'no storage' vs. local DB writes, and registry metadata omitting required credentials) that should be clarified before installing in a sensitive environment.

      Feb 11, 2026 · 12 files · 5 concerns

      Purpose & Capability: note

      Name, README, SKILL.md, clawdhub.json and the included scripts (clause_extractor, document_summarizer, legal_research, deadline_tracker) are coherent with a legal document automation / research / deadline-tracking tool. Declared permissions (file_read, file_write, network_http) and required Python deps align with the stated capabilities.

      Instruction Scope: concern

      SKILL.md claims 'No document storage' and that documents are processed in-memory, but the included deadline_tracker implements a persistent SQLite DB (~/.legaldoc/deadlines.db) and the config references local storage paths. SKILL.md also instructs use of webhooks, API keys (LEGALDOC_API_KEY, optional Westlaw/Lexis/CourtListener/CLIO), and alerting (email/Slack/SMS) which implies network transmission of metadata or document extracts. The skill's instructions and templates include sensitive endpoints (Slack webhook) and encourage configuring API keys — expected for integrated research/notification features, but contradict the 'no storage' and 'processed in-memory' claim.

      Install Mechanism: note

      There is no install spec (instruction-only from platform POV), but the bundle includes code and a requirements.txt listing Python libraries (pypdf, python-docx, etc.). The code falls back to calling system tools like pdftotext via subprocess if libraries are missing — this requires an external binary and could fail or prompt installs. No remote downloads or obscure URLs were found in the provided files.

      Credentials: concern

      SKILL.md and clawdhub.json declare LEGALDOC_API_KEY as required (plus optional research provider keys and CLIO API key). However, the top-level registry summary provided with the evaluation lists 'Required env vars: none' and 'Primary credential: none' — that's inconsistent. The number and type of env vars requested are plausible for the advertised integrations, but the mismatch in metadata is a red flag. The skill also uses environment/config to determine storage location (LEGALDOC_DEADLINES_DB / LEGALDOC_STORAGE_PATH), which grants local file-write access.

      Persistence & Privilege: note

      The skill does not set always:true and does not request elevated platform privileges, but it persists data locally (SQLite DB in ~/.legaldoc by default) and requires file_write permission. Autonomous invocation is allowed (platform default). Combined with the network_http permission, this persistence means the skill can store deadlines locally and also transmit data to configured integration endpoints (research APIs, Slack, email).

      Guidance

      This package is broadly consistent with a legal-document tool, but there are important inconsistencies and privacy questions to resolve before installation:

      - Storage vs. privacy: SKILL.md/README claim documents are "processed in-memory" and "never stored on external servers," yet the included deadline_tracker writes a local SQLite DB (~/.legaldoc/deadlines.db) and config supports local storage paths. Expect local persistence of extracted metadata; clarify whether any documents or extracts are ever sent to the skill vendor's servers and where LEGALDOC_API_KEY is used.
      - Environment variables & metadata mismatch: The registry snapshot you were given claims no required env vars, but SKILL.md and clawdhub.json require LEGALDOC_API_KEY (and optionally CLIO/WESTLAW/LEXIS/COURTLISTENER). Treat LEGALDOC_API_KEY as sensitive — ask the author what that key grants access to and whether it is necessary for offline/local usage.
      - Network behavior: The skill includes legal_research integration and lists network integrations (CourtListener, Westlaw, LexisNexis, Slack, email, SMS). Inspect execution/legal_research.py and execution/legaldoc.py for exact endpoints and ensure only intended APIs are contacted. If you need strong data control, run the skill in an isolated environment or block outbound network access and test local-only features first.
      - Dependencies & binaries: The code may call external binaries (pdftotext) if Python libraries are missing. Ensure required Python packages are installed from trusted sources and install any system PDF tools from your OS package manager rather than running arbitrary install scripts.
      - Compliance claims: The README/manifest assert SOC2/HIPAA/GDPR/compliance. Those are marketing claims unless you can verify with attestation or an enterprise on-premise deployment contract. Ask the vendor for evidence (SOC2 report, data processing agreement, where data is processed and stored).
      - Hardening recommendations: (1) Review legal_research.py and legaldoc.py for exact network endpoints and logging; (2) configure a dedicated service account/API key with minimal privileges; (3) set LEGALDOC_DEADLINES_DB to a location you control and inspect stored data; (4) if handling privileged client data, prefer an on-premise deployment or sandbox network to prevent unintended exfiltration; (5) request clarification from the author about the storage/processing discrepancy.

      If you want, I can scan the remaining truncated files (execution/legaldoc.py and legal_research.py) for outbound endpoints, secrets handling, and any other surprises — that will reduce uncertainty and may change the confidence level.

      Latest Release

      v1.0.0

      LegalDoc AI 1.0.0 – Initial Release

      - Introduces contract clause extraction supporting 12 common clause types
      - Adds document summarization for contracts, cases, and regulatory filings
      - Integrates AI-powered legal research (case law, statutes, regulation)
      - Includes automated deadline tracking and alerts for legal matters


      Published by @manas-io-ai on ClawHub
