Low Risk — Risk Score 15/100
Last scan: 2 days ago
deepread-legal
Extract structured data from contracts, legal agreements, court filings, and compliance documents. Pre-built schemas for parties, clauses, dates, obligations. PII redaction for privilege review.
A legitimate legal document extraction skill that sends documents to a declared third-party API. No malicious behavior detected; API key placeholders in docs are benign examples.
Skill Name: deepread-legal
Duration: 23.5s
Engine: pi
Safe to install
Approve for use. Users should be aware that sensitive legal documents are transmitted to an external service (api.deepread.tech) — verify compliance requirements before processing confidential materials.

Findings 2 items

Severity Finding Location
Low
API key placeholder examples in documentation
Lines 55 and 123 contain example API key formats (sk_live_your_key_here, sk_live_YOUR_KEY) as documentation placeholders. These are not actual secrets.
export DEEPREAD_API_KEY="sk_live_your_key_here"
→ Consider using more clearly marked placeholder format like YOUR_API_KEY_HERE or <YOUR_KEY> to avoid confusion with real key formats.
SKILL.md:55
Info
External document processing
User documents are transmitted to api.deepread.tech for processing. This is the core functionality but may require data handling compliance review for sensitive materials.
This skill instructs the agent to POST documents to `https://api.deepread.tech`
→ Users should verify the service's data retention and compliance posture before processing privileged or confidential documents.
SKILL.md:14
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md:14 - POSTs documents to api.deepread.tech |
| Environment | READ | READ | ✓ Aligned | SKILL.md:metadata - requires DEEPREAD_API_KEY env var |
| Filesystem | NONE | NONE | | No file operations beyond reading uploaded documents |
| Shell | NONE | NONE | | No shell execution detected |
2 High 10 findings
🔑
High API Key: suspected hard-coded credential
API_KEY="sk_live_your_key_here"
SKILL.md:55
🔑
High API Key: suspected hard-coded credential
API_KEY = "sk_live_YOUR_KEY"
SKILL.md:123
🔗
Medium External URL
https://www.deepread.tech
SKILL.md:5
🔗
Medium External URL
https://api.deepread.tech
SKILL.md:12
🔗
Medium External URL
https://www.deepread.tech/dashboard/?utm_source=clawhub
SKILL.md:50
🔗
Medium External URL
https://api.deepread.tech/v1/process
SKILL.md:201
🔗
Medium External URL
https://www.deepread.tech/dashboard/byok
SKILL.md:273
🔗
Medium External URL
https://www.deepread.tech/dashboard
SKILL.md:287
🔗
Medium External URL
https://www.npmjs.com/package/n8n-nodes-deepread
SKILL.md:289
📧
Info Email address
[email protected]
SKILL.md:291

File Tree

1 files · 12.6 KB · 295 lines
Markdown 1f · 295L
└─ 📝 SKILL.md Markdown 295L · 12.6 KB

Security Positives

✓ Behavior is fully declared in SKILL.md - no hidden functionality
✓ No shell execution, subprocess, or system command invocation
✓ No credential harvesting beyond the required API key
✓ No base64 encoding, eval patterns, or obfuscated code
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No suspicious network activity beyond the declared API endpoint
✓ Uses standard HTTPS API calls with proper authentication headers