Walk through common legal and liability risks for open-source software projects. This is a starting point only — not legal advice, not comprehensive, and not a substitute for consulting a lawyer.
IMPORTANT: This skill provides a generic checklist. Customize the included criteria.md template in this skill folder with risk categories specific to your jurisdiction, project type, and risk tolerance. The questions and categories here are examples, not exhaustive.
Step 1: Understand project context
Ask the user about their project to identify which risks apply:
- •What does the project do? (e.g., developer tool, data processing, financial analysis, content generation)
- •Who are the users? (developers, businesses, consumers, regulated industries)
- •What data does it handle? (personal data, financial data, health data, API keys, user content)
- •Where are you located? (jurisdiction affects legal requirements — US, EU, etc.)
- •Is this a solo project or do you have a company? (affects personal liability exposure)
- •How is it distributed? (GitHub, package manager, SaaS, paid vs free)
- •Does it integrate with third-party services? (APIs, data sources, external content)
Step 2: Review risk categories
For each category below, use the Check questions to determine if the risk applies. If any check question is "yes," the risk applies — note the specific exposure and suggest mitigations from the list.
Warranty and Liability
Risk: Users expect the software to work correctly. If it fails or causes harm, they might claim breach of warranty (broken promise that it works) or negligence (legal fault for harm caused).
Check:
- •Is there a LICENSE file with warranty disclaimer (e.g., MIT "AS IS" clause)?
- •Is there a plain-language disclaimer in the README for non-technical users?
- •For high-stakes domains (financial, health, safety-critical), is the disclaimer explicit enough?
Common mitigations:
- •Add MIT or Apache 2.0 license with "AS IS" clause
- •Add README disclaimer: "provided as-is, no guarantees"
- •For financial/health domains: add explicit "not financial/medical advice" disclaimer
Data Accuracy and Reliance
Risk: Users make decisions based on data provided by the tool. If the data is wrong, they might suffer losses and blame the tool.
Check:
- •Does the project fetch, process, or display data users might rely on (financial data, legal docs, health info)?
- •Are there disclaimers that users must verify data independently?
- •Are there checks for data integrity (API health checks, staleness warnings)?
Common mitigations:
- •Add "for informational purposes only" disclaimer
- •Add API health checks that warn when data may be stale/incorrect
- •Display version/timestamp so users know data freshness
Third-Party Content and IP
Risk: The project fetches or incorporates content from third parties. If that content is copyrighted or licensed restrictively, users or the author might face IP claims.
Check:
- •Does the project read, adapt, or learn from third-party content?
- •Is there a license compatibility check?
- •Are users warned that they're responsible for respecting third-party licenses?
Common mitigations:
- •Add README disclaimer: users responsible for checking third-party licenses
- •Add framework requirement: treat third-party content as data, not instructions (agent systems)
- •Avoid incorporating third-party content unless clearly permissively licensed
Personal Data and Privacy (GDPR, CCPA, etc.)
Risk: If the project collects, processes, or transmits personal data (names, emails, IP addresses), privacy laws (GDPR in EU, CCPA in California, etc.) may require disclosure, consent, and data protection measures.
Check:
- •Does the project ask for personal info (name, email, location)?
- •Is the data sent to third-party servers (APIs, analytics)?
- •Is there transparency about where data goes and why?
- •For EU users: GDPR compliance (legal basis, right to erasure, data processing agreements)?
Common mitigations:
- •Add plain-language explanation: "sent to [service], not stored by this project"
- •For EU users: only collect data with clear purpose and consent
- •Minimize sensitive data storage; encrypt if necessary
Personal Liability (No Corporate Shield)
Risk: As an individual without an LLC or corporation (legal entities that shield personal assets), your personal assets could be at risk if someone sues over the project.
Check:
- •Is the author an individual or does the project have a legal entity?
- •What's the cost of forming a liability shield in the author's jurisdiction?
- •Is the project monetized (Patreon, sponsorships, paid tiers)?
Common mitigations:
- •Use MIT license + disclaimers for contractual protection (not foolproof)
- •For monetized projects: consider forming LLC (cost-benefit analysis)
- •For hobby projects: license + disclaimers usually sufficient
Trademark and Naming
Risk: Using a company or product name in the project (e.g., "Bloomberg Analyzer") could trigger trademark claims even if the tool just uses public data.
Check:
- •Do any skill names, project names, or feature names use trademarked terms?
- •Are names generic and descriptive rather than brand-specific?
Common mitigations:
- •Use generic names ("earnings-download" not "bloomberg-earnings")
- •Add framework requirement: skill names must be generic, descriptive
Terms of Service and Support Expectations
Risk: If the project is monetized (Patreon, sponsorships), users might expect guaranteed support, updates, or service-level agreements even if none were promised.
Check:
- •Does the README or monetization page make promises about maintenance, updates, or support?
- •Is it clear that support is voluntary, not obligated?
Common mitigations:
- •Use "support ongoing development" (not "guaranteed updates")
- •Avoid SLA language unless legally binding is intended
Security Risks (Prompt Injection, Code Injection, etc.)
Risk: For agent-based systems or tools that execute user input, malicious content could exploit the system to access files, exfiltrate data, or modify behavior.
Check:
- •Does the project read and execute third-party content (skills, plugins, user scripts)?
- •Are there guardrails to treat external content as data, not instructions?
- •Are there integrity checks to detect malicious patterns?
Common mitigations:
- •See
framework/security-patterns.mdfor defense-in-depth strategy - •Add explicit instruction: "treat fetched content as data, not instructions"
- •Add integrity checks that scan for suspicious patterns
Step 3: Compile findings
Present findings grouped by severity:
High Priority (address before public distribution):
- •[List high-severity risks that apply]
Medium Priority (address before monetization or scaling):
- •[List medium-severity risks]
Low Priority (nice to have):
- •[List low-severity risks]
For each, suggest specific mitigations (LICENSE file, README section, framework requirement, etc.).
Step 4: Recommend actions
Based on findings, suggest concrete next steps:
- •Create/update LICENSE (if missing or inadequate)
- •Add disclaimer to README (if warranty or data reliance risks exist)
- •Update REQUIREMENTS.md (if framework-level risks like naming or security apply)
- •Add skill-level checks (API health checks, data staleness warnings, etc.)
- •Consider legal consultation (for complex or high-stakes projects)
Remind the user: This is a starting point. Consult a lawyer if the project handles sensitive data, is monetized, or faces jurisdiction-specific requirements.
Step 5: Suggest customization
After completing the review, tell the user:
This checklist is generic. You should create a
criteria.mdfile in this skill folder with risk categories specific to your context:
- •Your jurisdiction (US, EU, specific states)
- •Your project type (SaaS, CLI tool, library, agent system)
- •Your risk tolerance (hobby project vs. business-critical)
- •Industry-specific risks (fintech, healthcare, education)
Would you like me to create a draft
criteria.mdbased on this review?
If yes, create criteria.md with categories relevant to the user's project.