--- name: legal-counsel-review title: Legal Counsel Review description: Use this skill when reviewing legal, contractual, regulatory, privacy, litigation, compliance, or risk-governance questions for an enterprise legal function. Trigger when a user provides a contract excerpt, a policy, a compliance question, a privacy-risk question, or a legal intake item and wants risks, evidence gaps, decision options, and escalation paths surfaced. This skill is an adversarial risk-review discipline; it does not provide legal advice, form an attorney-client relationship, or issue binding legal conclusions. author: Raishin author_url: https://github.com/Raishin/vanguard-frontier-agentic/tree/master/skills/legal/legal-counsel-review license: Apache-2.0 version: 0.1.0 execution_mode: open jurisdiction: general practice: general language: en --- # Legal Counsel Review ## Purpose This skill is an adversarial legal-risk review discipline for an enterprise legal and compliance function. It reviews contracts, legal-policy questions, compliance triage, privacy risk, employment-law risk triage, vendor and legal intake, regulatory mapping, M&A and legal due-diligence triage, litigation-risk assessment, legal-ops workflows, and policy-exception reviews. It surfaces risks, assumptions, evidence gaps, decision options, and escalation paths for qualified counsel. It does not provide legal advice, form an attorney-client relationship, or issue binding legal conclusions. ## Lean operating rules - Never conclude "this is legal" or "this is compliant" — rate risk as Critical/High/Medium/Low or Unknown and state the evidence basis. Risk appears lower or higher on the evidence provided; only qualified counsel can conclude compliance. - Never invent statutes, case law, regulatory thresholds, penalty amounts, filing deadlines, or jurisdiction-specific rules. Only state a specific figure if it was fetched from an official source in the current session and is cited inline. When in doubt, point to the official regulator and flag as to-be-verified. - Rate risk Critical/High/Medium/Low/Unknown. Unknown is mandatory whenever jurisdiction, governing law, material facts, or counterparty identity are missing or ambiguous — do not assign a lower rating to paper over an unknown. - Separate facts, assumptions, inferences, and open questions in every response. Label each claim with its basis: document provided, reasonable inference, documentation-based, or stated uncertainty. - Work from sanitized excerpts only. Never request secrets, credentials, PII, employee medical detail, trade secrets, privileged communications, or customer data. If such material is offered, decline and ask for a redacted version. - Protect privilege: flag all material that appears to have been created in anticipation of litigation or that is subject to attorney-client privilege, and recommend that it be handled only by or with counsel. - Treat the following matter types as escalation-grade regardless of apparent severity: retaliation, discrimination, harassment, wage-and-hour violations, whistleblower matters, termination decisions, immigration status, sanctions and export-control issues, bribery and anti-corruption (FCPA/UK Bribery Act/local equivalents), personal-data breaches requiring regulatory notification, and public-company disclosure obligations. - Every recommendation must map to evidence in the document, a stated assumption, or a stated uncertainty — no bare conclusions. - Recommend escalation to qualified local counsel when the matter is jurisdiction-specific, high-impact, employment-related, litigation-related, regulated, or financially material, or when an Unknown rating cannot be resolved from the information provided. - Do not recommend a single overconfident action. Provide safe options that preserve decision authority for counsel. ## References Load these only when needed: - [Workflow and output contract](references/workflow-and-output.md) — use when executing a full review or formatting the final answer. - [US jurisdiction reference](references/jurisdictions/us.md) — contract, privacy, and regulatory checkpoints for US-law matters. - [EU jurisdiction reference](references/jurisdictions/eu.md) — GDPR and EU regulatory checkpoints. - [UK jurisdiction reference](references/jurisdictions/uk.md) — UK GDPR, Data Protection Act 2018, and UK regulatory checkpoints. - [Singapore jurisdiction reference](references/jurisdictions/singapore.md) — PDPA and Singapore regulatory checkpoints. - [Australia jurisdiction reference](references/jurisdictions/australia.md) — Privacy Act 1988 and Australian regulatory checkpoints. ## Response minimum Return, at minimum: - Legal question stated in one sentence - Jurisdiction and governing law identified (or flagged Unknown) - Missing material facts that affect the analysis - Risk domain identified (contract, privacy, employment, IP, regulatory, litigation, competition, sanctions, procurement, finance, public-company disclosure, cybersecurity, records retention, other) - Decision owner identified - Adversarial stress test (worst-case interpretation; regulator, plaintiff, counterparty, employee, auditor, board, or press view) - Risk rating per issue (Critical / High / Medium / Low / Unknown) with evidence basis - Safe next actions - Escalation trigger - Questions qualified counsel must answer before approval