AI合同智能审查助手 (AI Contract Smart Review Assistant)

Security checks across malware telemetry and agentic risk

Overview

The skill’s contract-review purpose is legitimate, but it handles sensitive legal documents while describing itself as offline/local even though it enables network-capable tools and writes an HTML report that loads external JavaScript.

Install it only if you are comfortable giving the skill access to contract text and local contract files. Avoid using it for privileged, regulated, or highly confidential contracts unless you disable its network use or accept that URL intake and the generated HTML report may contact external resources. The report file also remains on disk after the run; delete it or store it securely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The skill substantially overclaims what it does relative to what the analyzer found implemented or documented, creating a trust gap that can lead users to upload sensitive contracts under false assumptions about processing, output, and depth of legal review. Such mismatches are security-relevant because users may disclose confidential legal documents, or rely on safeguards, analysis quality, or reporting features that do not exist.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
Claiming the skill is 'fully local' and 'offline-capable' while enabling WebSearch/WebFetch and URL-based intake can mislead users handling highly confidential contracts into believing no network exposure is possible. In a legal-document review context, that discrepancy increases the risk of inadvertent external transmission or retrieval of sensitive material.

Intent-Code Divergence

Medium
Confidence: 89%
Finding
The same-file contradiction between offline/local marketing and documented network behavior undermines informed consent and safe handling expectations. For contract review, users often process privileged or commercially sensitive text, so ambiguity about network use materially increases privacy and data-handling risk.
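One way to catch the contradiction described in the two findings above before installing a skill, as an added example that is not SkillSpector's or the skill's own code: lint the manifest for offline/local wording and compare it against the tools the manifest declares and the inputs its body accepts. The manifest layout (SKILL.md-style front matter with `description:` and `allowed-tools:` keys), the WebSearch/WebFetch tool names, and the sample manifest are assumptions made for illustration.

```python
"""Lint a skill manifest for offline/local claims its declared tools contradict.

Added example; not SkillSpector's or the skill's own code. Assumes a
SKILL.md-style layout: front matter between `---` lines holding
`description:` and `allowed-tools:` keys, then the instruction body.
"""
import re

# Tools the host can only honour with network access (names assumed to
# follow the WebSearch/WebFetch convention the findings cite).
NETWORK_TOOLS = {"websearch", "webfetch", "fetch", "curl", "wget"}

# Wording that promises data never leaves the machine (English and Chinese).
OFFLINE_CLAIMS = [
    r"\bfully local\b",
    r"\boffline[- ]capable\b",
    r"\bworks? offline\b",
    r"\bno (network|internet) (access|use|connection)\b",
    r"\bnever leaves your (machine|device|computer)\b",
    r"完全本地",
    r"离线",
    r"不联网",
]
# Body text that describes taking input by URL, i.e. a fetch the host performs.
URL_INTAKE = re.compile(r"https?://|\burls?\b|链接", re.IGNORECASE)


def parse_front_matter(text):
    """Split `---`-delimited front matter into a dict plus the remaining body."""
    m = re.match(r"---\n(.*?)\n---\n?(.*)", text, re.DOTALL)
    if not m:
        return {}, text
    fields = {}
    for line in m.group(1).splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields, m.group(2)


def lint_manifest(text):
    """Return the offline claims, network-capable tools, URL intake flag and
    the contradictions between them."""
    fields, body = parse_front_matter(text)
    tools = [t for t in re.split(r"[,\s]+", fields.get("allowed-tools", "")) if t]
    haystack = fields.get("description", "") + "\n" + body
    claims = [p for p in OFFLINE_CLAIMS if re.search(p, haystack, re.IGNORECASE)]
    network_tools = [t for t in tools if t.lower() in NETWORK_TOOLS]
    url_intake = bool(URL_INTAKE.search(body))
    findings = []
    if claims and network_tools:
        findings.append("offline/local claim but network tools declared: "
                        + ", ".join(network_tools))
    if claims and url_intake:
        findings.append("offline/local claim but the body accepts URLs as input")
    return {"claims": claims, "network_tools": network_tools,
            "url_intake": url_intake, "findings": findings}


# Constructed sample manifest for illustration, not the real skill's file.
SAMPLE_MANIFEST = """---
name: contract-review
description: AI contract review assistant. Fully local, offline-capable analysis of your contracts.
allowed-tools: Read, Write, WebSearch, WebFetch
---
Trigger on "帮我看看合同", "合同分析" or "合同审核".
Accept contract text pasted by the user, a local file path, or a URL to fetch.
Write the HTML report to ./contract-report.html in the working directory.
"""

if __name__ == "__main__":
    for line in lint_manifest(SAMPLE_MANIFEST)["findings"]:
        print("FINDING:", line)
```

The check deliberately flags the combination, not either half alone: a network tool in an honestly described skill is a permission question, and an offline claim with no network tools is fine; it is the pairing that undermines informed consent.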

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrases include very common requests such as '帮我看看合同' (help me look at the contract), '合同分析' (contract analysis), and '合同审核' (contract review), which are broad enough to match ordinary user messages that do not necessarily intend to invoke this particular skill. In an agent environment, overly broad activation can make the skill process sensitive contract text unexpectedly, increasing the chance of unintended invocation, privacy exposure, or the hijacking of workflows that belong to more appropriate skills.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill writes an HTML report to the working directory without clearly warning the user, which can leave sensitive contract content and analysis artifacts stored on disk unexpectedly. In legal workflows, silent local persistence is a meaningful confidentiality risk because reports may be accessible to other local users, backups, sync services, or later processes.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill processes uploaded contract text, local files, and URLs but does not provide a privacy warning about handling potentially confidential, privileged, or regulated information. Because contracts commonly contain trade secrets, personal data, and sensitive negotiation terms, the absence of a clear privacy/data-handling notice can lead users to expose highly sensitive information without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.
