Commit fa84e4f

fix(legal): UPL-safe language and whistleblower carveout alignment
Targeted edits to reduce legal risk exposure in the legal plugin.

Changes:

1. UPL-safe language (2 files)
   - Changed "assess risk" → "classify risk factors" in plugin descriptions
   - Classification framing positions the tool as organizing information rather than rendering legal judgment

2. Whistleblower carveout (2 files)
   - Updated NDA default carveouts to explicitly note that no advance notice is required for regulatory/whistleblower disclosures
   - Addresses SEC Rule 21F-17(a) which prohibits NDAs that impede SEC whistleblower communications
   - Reflects active enforcement: 7 companies paid $3M+ in Sept 2024 (https://www.sec.gov/newsroom/press-releases/2024-118)
   - DOJ and OSHA issued joint statement (Jan 2025) targeting NDAs that deter whistleblower reporting

No functional changes. All edits are to guidance text and defaults.
1 parent 3c78267 commit fa84e4f

4 files changed

Lines changed: 5 additions & 5 deletions

README.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ We're open-sourcing 11 plugins built and inspired by our own work:
1919
| **[customer-support](./customer-support)** | Triage tickets, draft responses, package escalations, research customer context, and turn resolved issues into knowledge base articles. | Slack, Intercom, HubSpot, Guru, Jira, Notion, Microsoft 365 |
2020
| **[product-management](./product-management)** | Write specs, plan roadmaps, synthesize user research, keep stakeholders updated, and track the competitive landscape. | Slack, Linear, Asana, Monday, ClickUp, Jira, Notion, Figma, Amplitude, Pendo, Intercom, Fireflies |
2121
| **[marketing](./marketing)** | Draft content, plan campaigns, enforce brand voice, brief on competitors, and report on performance across channels. | Slack, Canva, Figma, HubSpot, Amplitude, Notion, Ahrefs, SimilarWeb, Klaviyo |
22-
| **[legal](./legal)** | Review contracts, triage NDAs, navigate compliance, assess risk, prep for meetings, and draft templated responses. | Slack, Box, Egnyte, Jira, Microsoft 365 |
22+
| **[legal](./legal)** | Review contracts, triage NDAs, support compliance workflows, classify risk factors, prep for meetings, and draft templated responses. | Slack, Box, Egnyte, Jira, Microsoft 365 |
2323
| **[finance](./finance)** | Prep journal entries, reconcile accounts, generate financial statements, analyze variances, manage close, and support audits. | Snowflake, Databricks, BigQuery, Slack, Microsoft 365 |
2424
| **[data](./data)** | Query, visualize, and interpret datasets — write SQL, run statistical analysis, build dashboards, and validate your work before sharing. | Snowflake, Databricks, BigQuery, Hex, Amplitude, Jira |
2525
| **[enterprise-search](./enterprise-search)** | Find anything across email, chat, docs, and wikis — one query across all your company's tools. | Slack, Notion, Guru, Jira, Asana, Microsoft 365 |
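Review bot: The added legal row (new line 22) also rewords "navigate compliance" to "support compliance workflows", which the commit message does not record; its UPL item lists only "assess risk" → "classify risk factors". Add the second rewording to the commit message so the full scope of the wording change is documented for anyone auditing the plugin descriptions later.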

legal/commands/triage-nda.md

Lines changed: 1 addition & 1 deletion
@@ -43,7 +43,7 @@ The NDA playbook should define:
4343
- Defaults applied:
4444
- Mutual obligations required (unless the organization is only disclosing)
4545
- Term: 2-3 years standard, up to 5 years for trade secrets
46-
- Standard carveouts required: independently developed, publicly available, rightfully received from third party, required by law
46+
- Standard carveouts required: independently developed, publicly available, rightfully received from third party, legal compulsion (with notice where permitted; no notice required for regulatory or whistleblower disclosures)
4747
- No non-solicitation or non-compete provisions
4848
- No residuals clause (or narrowly scoped if present)
4949
- Governing law in a reasonable commercial jurisdiction
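Review bot: On new line 46, the whistleblower language is nested inside the "legal compulsion" carveout, but a report to a regulator is normally voluntary and not compelled, so a triage pass that checks only for a compelled-disclosure clause could mark an NDA as compliant when it has no protection for voluntary reporting. Consider listing it as its own required carveout, for example "regulatory or whistleblower disclosures (no notice required)", and keeping "legal compulsion (with notice where permitted)" as a separate item. The same line also renames "required by law" to "legal compulsion", which the commit message does not mention.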

legal/skills/legal-risk-assessment/SKILL.md

Lines changed: 2 additions & 2 deletions
@@ -1,11 +1,11 @@
11
---
22
name: legal-risk-assessment
3-
description: Assess and classify legal risks using a severity-by-likelihood framework with escalation criteria. Use when evaluating contract risk, assessing deal exposure, classifying issues by severity, or determining whether a matter needs senior counsel or outside legal review.
3+
description: Identify and classify legal risk factors using a severity-by-likelihood framework with escalation criteria. Use when reviewing contract risk, summarizing deal exposure, classifying issues by severity, or flagging when a matter should be routed to senior counsel or outside legal review.
44
---
55

66
# Legal Risk Assessment Skill
77

8-
You are a legal risk assessment assistant for an in-house legal team. You help evaluate, classify, and document legal risks using a structured framework based on severity and likelihood.
8+
You are a legal risk assessment assistant for an in-house legal team. You help identify, classify, and document legal risk factors using a structured framework based on severity and likelihood.
99

1010
**Important**: You assist with legal workflows but do not provide legal advice. Risk assessments should be reviewed by qualified legal professionals. The framework provided is a starting point that organizations should customize to their specific risk appetite and industry context.
1111
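Review bot: The rewording on lines 3 and 8 moves to "identify and classify legal risk factors", but the unchanged lines still use the framing the commit is trying to retire: `name: legal-risk-assessment`, the heading "Legal Risk Assessment Skill", "You are a legal risk assessment assistant" on line 8 itself, and "Risk assessments should be reviewed" on line 10. If the skill name is being kept because renaming it would be a functional change, say so in the commit message, and consider aligning at least the role sentence and the line 10 disclaimer with the new wording.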

legal/skills/nda-triage/SKILL.md

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ All of the following carveouts should be present:
3636
- [ ] **Prior possession**: Information already known to the receiving party before disclosure
3737
- [ ] **Independent development**: Information independently developed without use of or reference to confidential information
3838
- [ ] **Third-party receipt**: Information rightfully received from a third party without restriction
39-
- [ ] **Legal compulsion**: Right to disclose when required by law, regulation, or legal process (with notice to the disclosing party where legally permitted)
39+
- [ ] **Legal compulsion**: Right to disclose when required by law, regulation, or legal process (with notice where permitted; no notice required for regulatory or whistleblower disclosures)
4040

4141
### 5. Permitted Disclosures
4242
- [ ] **Employees**: Can share with employees who need to know
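Review bot: New line 39 drops "to the disclosing party" and "legally" from the notice wording while adding the whistleblower clause, which leaves "with notice where permitted" ambiguous about who receives notice and what does the permitting. Keep the original qualifiers and append the new clause, e.g. "(with notice to the disclosing party where legally permitted; no notice required for regulatory or whistleblower disclosures)", so the checklist item stays precise and the only substantive change is the one the commit message describes.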
