Back to skill

Security audit

Contract Review

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only contract review skill whose sensitive behavior is limited to user-supplied contract text or a user-chosen file path.

Install only if you are comfortable having your AI agent process the contracts you provide. Prefer pasting only the needed text or selecting a specific intended file, avoid unrelated folders or sensitive extras, and treat the output as a first-pass review rather than legal advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README markets the skill as a fast contract analyst that provides risk scoring, missing-clause detection, and negotiation guidance, but it does not disclose that AI output can be incomplete, inaccurate, or not a substitute for qualified legal review. In a legal-decision context, users may over-rely on the output and make signing or negotiation decisions that expose them to financial, compliance, or liability risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly asks users to provide a file path to a contract, which encourages reading local filesystem content that is likely highly sensitive, but it does not disclose the privacy and data-handling implications. This creates a real security and privacy risk because users may expose confidential legal agreements, pricing, IP terms, or personal data without informed consent or scope limitations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.