legal-tos-privacy
Audited by Socket on Feb 23, 2026
1 alert found:
Security [Skill Scanner] [Documentation context]: Credential file access detected

This skill is functionally aligned with its stated purpose (automatically drafting ToS and Privacy Policies by auditing code and marketing), but its instructions are overly broad and lack safe-handling limits. It explicitly encourages exhaustive scanning (including environment variable references and authentication-related code) and minimizes prompts to the user, which increases the chance of silently collecting secrets or PII and then outputting them in generated documents or logs. There are no explicit redaction, consent, or network-sink controls.

Verdict: SUSPICIOUS/vulnerable — acceptable for draft generation only if the runtime enforces strict read/network permissions, redaction of secrets, and explicit user consent before including any sensitive data. Recommend adding explicit rules: do not read or include secret values (API keys, private keys), redact credentials, only fetch public marketing pages unless user authorizes live site fetches, and batch all questions about sensitive items rather than prompting inline.

LLM verification: [LLM Escalated] This skill's stated purpose (automatically drafting ToS and Privacy Policy by auditing project metadata and public marketing materials) is reasonable and aligned with many legitimate use cases. However, the instructions to 'infer everything possible' combined with broad file search rules (including config and .env patterns) are disproportionate and create a real risk of accessing sensitive local configuration or credentials. The static scanner flags for '.config' reinforce that the skill explici