Low risk (risk score 15/100)
Last scanned: 2 days ago
deepread-legal
Extract structured data from contracts, legal agreements, court filings, and compliance documents. Pre-built schemas for parties, clauses, dates, obligations. PII redaction for privilege review.
A legitimate legal document extraction skill that sends documents to a declared third-party API. No malicious behavior detected; API key placeholders in docs are benign examples.
Skill name: deepread-legal
Analysis time: 23.5s
Engine: pi
OK to install
Approve for use. Users should be aware that sensitive legal documents are transmitted to an external service (api.deepread.tech) — verify compliance requirements before processing confidential materials.

Security findings: 2

Severity | Finding | Location
Low
API key placeholder examples in documentation
Lines 55 and 123 contain example API key formats (sk_live_your_key_here, sk_live_YOUR_KEY) as documentation placeholders. These are not actual secrets.
export DEEPREAD_API_KEY="sk_live_your_key_here"
→ Consider using more clearly marked placeholder format like YOUR_API_KEY_HERE or <YOUR_KEY> to avoid confusion with real key formats.
SKILL.md:55
Info
External document processing
User documents are transmitted to api.deepread.tech for processing. This is the core functionality but may require data handling compliance review for sensitive materials.
This skill instructs the agent to POST documents to `https://api.deepread.tech`
→ Users should verify the service's data retention and compliance posture before processing privileged or confidential documents.
SKILL.md:14
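| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | SKILL.md:14 - POSTs documents to api.deepread.tech |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md:metadata - requires DEEPREAD_API_KEY env var |
| File system | NONE | NONE | | No file operations beyond reading uploaded documents |
| Command execution | NONE | NONE | | No shell execution detected |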
2 high severity, 10 findings
🔑
High | API key | Suspected hard-coded credential
API_KEY="sk_live_your_key_here"
SKILL.md:55
🔑
High | API key | Suspected hard-coded credential
API_KEY = "sk_live_YOUR_KEY"
SKILL.md:123
🔗
Medium | External URL | External URL
https://www.deepread.tech
SKILL.md:5
🔗
Medium | External URL | External URL
https://api.deepread.tech
SKILL.md:12
🔗
Medium | External URL | External URL
https://www.deepread.tech/dashboard/?utm_source=clawhub
SKILL.md:50
🔗
Medium | External URL | External URL
https://api.deepread.tech/v1/process
SKILL.md:201
🔗
Medium | External URL | External URL
https://www.deepread.tech/dashboard/byok
SKILL.md:273
🔗
Medium | External URL | External URL
https://www.deepread.tech/dashboard
SKILL.md:287
🔗
Medium | External URL | External URL
https://www.npmjs.com/package/n8n-nodes-deepread
SKILL.md:289
📧
Info | Email | Email address
[email protected]
SKILL.md:291

Directory structure

1 file · 12.6 KB · 295 lines
Markdown 1f · 295L
└─ 📝 SKILL.md Markdown 295L · 12.6 KB

Security highlights

✓ Behavior is fully declared in SKILL.md - no hidden functionality
✓ No shell execution, subprocess, or system command invocation
✓ No credential harvesting beyond the required API key
✓ No base64 encoding, eval patterns, or obfuscated code
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No suspicious network activity beyond the declared API endpoint
✓ Uses standard HTTPS API calls with proper authentication headers