liverock

Legal/TOS Diff-er

by Peter Lum · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 84 · Stars: 1 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install legal-tos-differ
Description
Fetches Terms of Service documents, stores snapshots, and performs semantic diffing to identify meaningful legal changes across Privacy Risks, Financial Chan...
README (SKILL.md)

Legal/TOS Diff-er

This skill tracks changes in Terms of Service and legal documents by fetching pages, extracting the legal text, and comparing versions semantically.

What It Does

  • Fetches legal documents from tracked URLs
  • Extracts clean legal text, stripping navigation, ads, and page noise
  • Stores timestamped snapshots for historical comparison
  • Compares versions using semantic analysis (not just text diffs)
  • Categorizes changes into Privacy Risks, Financial Changes, and User Rights

How It Works

  1. Use add_url to start tracking a legal document
  2. Use fetch_current to capture the first snapshot
  3. Later, use diff to fetch the current version and compare it against the previous snapshot
  4. The Claude Code runtime receives a structured comparison prompt and performs the semantic analysis

Change Categories

| Category | Covers |
|----------|--------|
| Privacy Risks | Data collection, sharing, tracking, cookies, third-party data usage |
| Financial Changes | Pricing, fees, billing, refunds, payment terms, auto-renewal |
| User Rights | Account termination, content ownership, arbitration, governing law |

Usage Guidance
This skill appears to do what it says: it will fetch whatever URL you tell it, extract text, and write JSON snapshots to a snapshots directory (by default inside the skill folder, or to the path you set via TOS_DATA_DIR). Before installing or running it, consider:

  1. Network exposure: because it fetches arbitrary URLs, do not run it in an environment that has access to internal services you don't want probed (risk: SSRF/internal resource enumeration).
  2. Data persistence: snapshots store the full extracted text on disk, which may contain sensitive content; set TOS_DATA_DIR to a controlled path or ensure proper disk permissions and rotation.
  3. Review or sandbox the code locally if you need higher assurance (the code is small and readable).
  4. Only add or track URLs you trust, and monitor snapshot storage for sensitive data.
Capability Analysis
Type: OpenClaw Skill
Name: legal-tos-differ
Version: 1.0.0

The skill is designed to monitor and diff legal documents but exhibits significant security vulnerabilities. Specifically, the tool definitions in `SKILL.md` are vulnerable to shell injection because the `url` and `label` arguments are placed directly into a command string without apparent sanitization. Furthermore, the skill is highly susceptible to indirect prompt injection in `prompts.js`, as it fetches arbitrary content from the internet and feeds it directly into the AI agent's context. While there is no evidence of intentional malice, these flaws represent high-risk behaviors that could be exploited to execute unauthorized commands or manipulate the agent.
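As an added example (not the skill's own code), one way to address two risks named above, the SSRF exposure from fetching arbitrary URLs and the unsanitized `url` and `label` arguments, is to validate both before the handler fetches anything or builds a command. The function names `checkTrackedUrl` and `checkLabel`, the blocked ranges and the label allowlist are assumptions for illustration.

```javascript
// Added example, not the skill's code: pre-flight checks for `url` and `label`.
// Blocked IPv4 ranges as [network, prefix length]; the list is an assumption.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isBlockedV4(ip) {
  const addr = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits); // addresses per block of this prefix length
    return Math.floor(addr / size) === Math.floor(v4ToInt(net) / size);
  });
}

// `host` is an IPv6 literal without brackets, already normalised by URL.
function isBlockedV6(host) {
  if (host === '::' || host === '::1') return true; // unspecified, loopback
  if (host.startsWith('::ffff:')) return true;      // IPv4-mapped
  const first = parseInt(host.split(':')[0] || '0', 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80; // ULA, link-local
}

function checkTrackedUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (u.username || u.password) return { ok: false, reason: 'credentials' };
  const host = u.hostname.toLowerCase().replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'loopback-name' };
  if (host.startsWith('[')) {
    if (isBlockedV6(host.slice(1, -1))) return { ok: false, reason: 'internal-ipv6' };
  } else if (/^\d+\.\d+\.\d+\.\d+$/.test(host) && isBlockedV4(host)) {
    return { ok: false, reason: 'internal-ipv4' };
  }
  return { ok: true, url: u.href }; // pass the normalised form to the fetcher
}

// Labels: short, allowlisted characters only, so no quote or shell metacharacter
// can reach a command string. Pass arguments as an argv array, never interpolated.
function checkLabel(label) {
  return typeof label === 'string' && /^[A-Za-z0-9 ._-]{1,80}$/.test(label);
}
```

A literal check like this does not cover hostnames that resolve to internal addresses or redirects that lead to them; those need a check on the resolved address at connect time.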
Capability Tags
crypto · can-make-purchases
Capability Assessment
Purpose & Capability
Name and description match the actual behavior: the code fetches web pages, extracts legal text with cheerio, stores timestamped snapshots, and builds prompts for semantic diffing. Declared dependencies (cheerio, node-fetch) are appropriate for the task.
Instruction Scope
SKILL.md exposes commands that map directly to handler.js actions (add/list/fetch/diff/remove). The runtime does exactly what the description says and does not attempt to read unrelated system files. Minor inconsistency: the implementation honors an override environment variable (TOS_DATA_DIR) for storage location, but the skill metadata listed no required env vars and SKILL.md does not document this override.
Install Mechanism
Instruction-only install spec (no installer) and shipped source files: no network install step or arbitrary archive downloads are present. Dependencies are standard npm packages listed in package.json/lockfile.
Credentials
The skill requests no credentials or special config paths. The only environment variable used is an optional storage override (TOS_DATA_DIR), which is reasonable for controlling where snapshots are saved. No secret names or unrelated cloud credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills or global agent settings. It writes snapshot files into its own snapshots directory (by default under the skill directory, or to TOS_DATA_DIR if set), which is normal for this use case — but storing fetched page contents on disk means sensitive data could be persisted if tracked URLs point to internal resources.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install legal-tos-differ
  3. After installation, invoke the skill by name or use /legal-tos-differ
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
# Legal/TOS Diff-er

![OpenClaw Skill](https://img.shields.io/badge/OpenClaw-Skill-blue) ![Node.js](https://img.shields.io/badge/Node.js-18%2B-green) ![License](https://img.shields.io/badge/License-MIT-yellow)

A semantic diff tool for Terms of Service and legal documents. Unlike standard text diffs that spot character changes, this skill understands legal meaning — catching when "may" becomes "will" in a data-sharing clause or when a forced arbitration clause quietly appears.

## The Problem

Companies update their Terms of Service frequently, and the changes are often buried in pages of dense legal text. A standard code diff looks for character changes, but legal changes require **semantic understanding**:

- Changing "may share data" to "will share data" is a single word, but a massive privacy shift
- Adding "mandatory arbitration" to a dispute section strips users of their right to sue
- Changing a refund policy from "within 30 days" to "at our discretion" eliminates a financial right

## How It Works

```
┌─────────────┐     ┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  Fetch URL  │────▶│   Extract   │────▶│  Snapshot   │────▶│   Compare   │
│ (node-fetch)│     │  (cheerio)  │     │   (JSON)    │     │  (Claude)   │
└─────────────┘     └─────────────┘     └─────────────┘     └─────────────┘
```

1. **Fetch** — Retrieves the legal page HTML
2. **Extract** — Two-pass engine strips noise (nav, ads, popups) and scores content blocks to isolate legal text
3. **Snapshot** — Stores timestamped versions with SHA-256 hashes
4. **Compare** — Outputs a structured prompt for Claude to semantically analyze changes

## Change Categories

| Category | What It Detects | Example |
|----------|----------------|---------|
| **Privacy Risks** | Data collection, sharing, tracking, cookies | "may share" → "will share" with third parties |
| **Financial Changes** | Pricing, fees, billing, refunds, auto-renewal | "30-day refund" → "at our discretion" |
| **User Rights** | Termination, ownership, arbitration, governing law | New mandatory arbitration clause |

## Quick Start

### Commands

```
# Track a new legal document
add_url --url "https://example.com/terms" --label "Example Corp TOS"

# See what you're tracking
list_tracked

# Capture the current version
fetch_current --url "https://example.com/terms"

# Compare current version against last snapshot
diff --url "https://example.com/terms"

# Stop tracking
remove_url --url "https://example.com/terms"
```

## Installation

```bash
cd legal-tos-differ
npm install
```

Requirements: Node.js 18+

## Architecture

### Extraction Engine

The extraction engine uses a two-pass approach with Cheerio:

1. **Noise Removal** — Strips `<nav>`, `<footer>`, `<script>`, and elements with noise-related classes/IDs (sidebar, cookie, popup, etc.)
2. **Content Scoring** — Scores remaining block elements by:
   - Text density (legal text is text-heavy, not link-heavy)
   - Legal keyword frequency ("terms", "agreement", "liability", etc.)
   - Link density penalty (too many links = navigation, not legal text)
   - Structural hints (`<main>`, `<article>`, legal-related IDs/classes)

### Snapshot Storage

Snapshots are stored as JSON files in `snapshots/`:

```
snapshots/
  registry.json                              # Tracked URLs metadata
  example-com-terms-2026-04-11T17-00.json    # Timestamped snapshot
```

Each snapshot includes the full extracted text, SHA-256 hash, and fetch metadata. The hash enables instant "no changes" detection without invoking the LLM.

### Analysis Prompting

The skill builds a structured prompt that delegates semantic analysis to the Claude Code runtime. The prompt instructs the LLM to:

- Ignore cosmetic changes (typos, formatting, reordering)
- Ignore clarifying language that doesn't change legal meaning
- Flag removals of user protections as higher severity
- Quote specific old/new text for each change

## License

MIT
Metadata
Slug legal-tos-differ
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Legal/TOS Diff-er?

Fetches Terms of Service documents, stores snapshots, and performs semantic diffing to identify meaningful legal changes across Privacy Risks, Financial Chan... It is an AI Agent Skill for Claude Code / OpenClaw, with 84 downloads so far.

How do I install Legal/TOS Diff-er?

Run "/install legal-tos-differ" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Legal/TOS Diff-er free?

Yes, Legal/TOS Diff-er is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Legal/TOS Diff-er support?

Legal/TOS Diff-er is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Legal/TOS Diff-er?

It is built and maintained by Peter Lum (@liverock); the current version is v1.0.0.
