ClawHub
Back to skill
v1.3.0

免费版

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:35 AM.

Analysis

This is a coherent contract-review prompt skill, but its privacy wording is concerning because confidential contracts may be sent to configured AI providers despite claims of no third-party upload.

GuidanceBefore installing or using this skill, confirm which AI provider OpenClaw will send the contract to and review that provider's privacy and retention terms. Do not upload highly confidential contracts unless you are comfortable with that provider handling the text, and consider redacting sensitive names, prices, signatures, and personal data first.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
SeverityMediumConfidenceMediumStatusConcern
SKILL.md
数据安全吗? 文件只在本地 OpenClaw 和你配置的 AI 之间流转,不存储到第三方 ... 支持阿里云百炼、DeepSeek 等,录入 Key 就行

The privacy assurance may overstate the data-safety posture because the skill also tells users to use configured AI providers. For sensitive legal documents, that ambiguity can cause misplaced trust.

User impactUsers may rely on a broad privacy claim and submit sensitive legal or business documents without checking the AI provider's data handling terms.
RecommendationReplace the blanket privacy claim with a clear warning that contract content is sent to the user's configured AI model/provider and is subject to that provider's privacy and retention policies.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityInfoConfidenceHighStatusNote
SKILL.md
OpenClaw 配置好 AI 即可使用,支持阿里云百炼、DeepSeek 等,录入 Key 就行

The skill relies on AI provider credentials configured in OpenClaw. This is expected for an AI analysis skill, and the artifacts do not show the skill storing, logging, or misusing those keys.

User impactThe review may consume the user's configured AI provider account and send contract text under that account's policy.
RecommendationUse an AI provider account and key appropriate for confidential document processing, and avoid uploading contracts if the provider terms are unsuitable.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityMediumConfidenceMediumStatusConcern
操作说明.md
合同内容只在本地 OpenClaw 和你配置的 AI 之间流转,不上传第三方。... 支持阿里云百炼、DeepSeek 等,录入 Key 就行。

The skill processes sensitive contract contents through a configured AI provider, while the same instructions say there is no third-party upload even though named providers may be external cloud services.

User impactA user may upload confidential contracts believing they stay local, when the content could be processed by an external AI provider configured in OpenClaw.
RecommendationClarify exactly which AI provider receives the contract text, whether data is retained, and advise users to redact confidential details or use a provider with suitable privacy terms.