Skill v1.0.0

ClawScan security

contract-and-proposal-writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 11, 2026, 3:13 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and instructions are coherent with a contract/proposal template generator and do not request unrelated credentials or risky install behavior.
Guidance
This is an instruction-only template skill and appears to do what it says: generate contract/proposal text and show how to convert Markdown to DOCX. Before using: (1) Avoid pasting highly sensitive personal data (SSNs, bank credentials) into prompts — the skill only needs party names/addresses/rates. (2) If you need DOCX output, you (or your system) must install pandoc via your package manager; the skill only shows commands, it doesn't install anything itself. (3) The generated documents are templates — have a qualified attorney review high-value or complex agreements. (4) If you use local reference templates (reference.docx / company-template.docx), confirm those files are from a trusted source.

Review Dimensions

Purpose & Capability
ok
The name and description (contract & proposal writer) match the instructions: templates, jurisdiction notes, placeholder filling, and optional DOCX conversion. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
ok
SKILL.md stays within its domain: it tells the agent to gather client/engagement details, populate templates, flag missing fields, and optionally convert Markdown to DOCX. It does not direct reading unrelated system files, exfiltration, or contacting external endpoints. It does reference local template files (reference.docx, company-template.docx), which are reasonable for formatting but are optional.
Install Mechanism
ok
This is instruction-only with no install spec or embedded code. It suggests installing pandoc via package managers (brew/apt) for DOCX conversion — a standard, low-risk user action. Nothing is downloaded from arbitrary URLs or written by the skill itself.
Credentials
ok
The skill requests no environment variables or credentials. It asks for user-supplied contract data (party names, addresses, rates, contract value), which is appropriate for its function. No unrelated secrets are requested.
Persistence & Privilege
ok
The skill does not request permanent presence (always=false) and does not modify other skills or system-wide config. Autonomous invocation is allowed by default but is not combined with other red flags.