Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Contract Tracker

v1.0.0

Upload contract PDFs to extract and manage contract details with expiry reminders and Feishu push notifications, fully offline and secure.

by YK-Global (@billjamno58)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for billjamno58/contract-tracker.

Prompt Preview: Install & Setup
Install the skill "Contract Tracker" (billjamno58/contract-tracker) from ClawHub.
Skill page: https://clawhub.ai/billjamno58/contract-tracker
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install contract-tracker

ClawHub CLI


npx clawhub@latest install contract-tracker
Security Scan
Capability signals
Crypto · Can make purchases · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements PDF parsing, local JSON storage under /tmp, and builds Feishu cards — all coherent with a 'Contract Tracker'. However SKILL.md advertises 'fully offline', yet the billing module makes external HTTP calls to skillpay.me for per-call charging. Billing/network calls are not obviously part of an 'offline' claim and should be considered inconsistent with that statement.
Instruction Scope
Runtime instructions and CLI/API usage stay within contract parsing, storage, and reminder generation. They do call the billing endpoint on actions (upload/check/export) and output Feishu card JSON when requested, but there is no code that automatically posts to Feishu — only card construction. Instructions do not reference reading unrelated files or secrets, but SKILL.md requires SKILL_BILLING_API_KEY for PRO tier which will cause network billing behavior when set.
Install Mechanism
No install spec is provided (instruction-only in registry), which is lower risk. The package includes Python scripts and a requirements.txt (PyMuPDF, requests) — nothing downloaded from an untrusted URL or using an opaque installer. Running the included code will install/require packages via normal Python tooling (pip), so review before pip-installing.
Credentials
SKILL.md declares SKILL_BILLING_API_KEY and SKILL_BILLING_SKILL_ID; those are used by billing.py to call skillpay.me. The registry metadata at the top, however, lists 'Required env vars: none' — that mismatch is concerning. Requesting a billing API key is proportionate to a paid tier, but you should not set the API key unless you trust skillpay.me: when set the skill will perform network billing calls.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide settings. Storage is local to /tmp/contract-tracker (ephemeral) rather than the home directory; note /tmp may be accessible to other local users on some systems.
Scan Findings in Context
[OUTBOUND_NETWORK_REQUEST_skillpay] expected: billing.py issues POST requests to https://skillpay.me/api/v1/billing/charge to perform per-call charges. This is expected for a pay-per-call billing model but contradicts the 'fully offline' marketing claim.
[ENV_VAR_SKILL_BILLING_API_KEY] expected: The SKILL.md and billing.py use SKILL_BILLING_API_KEY and SKILL_BILLING_SKILL_ID to control billing behavior. This is expected for billing, but the registry metadata claims no required env vars — an inconsistency to verify.
[LOCAL_STORAGE_TMP_WRITE] expected: storage.py writes contract data to /tmp/contract-tracker/contracts.json as documented. This matches the README but note that /tmp may be world-readable on some systems (privacy consideration).
What to consider before installing
Things to consider before installing or providing credentials:

  • Source verification: The skill has no homepage and an unknown source. Prefer skills with a verifiable owner or project homepage.
  • Offline claim vs billing: SKILL.md says 'fully offline' for parsing, but the skill will contact https://skillpay.me to charge per call if SKILL_BILLING_API_KEY is set. If you need truly offline operation, do NOT set SKILL_BILLING_API_KEY (the code treats an empty key as dev mode and skips charging).
  • Billing trust: The skill relies on a third-party billing endpoint (skillpay.me). Only set SKILL_BILLING_API_KEY if you trust that service and are prepared for per-call charges.
  • Credentials & secrets: The only credential used is the billing API key; the skill does not attempt to read other system tokens. Still, avoid exposing sensitive organization-wide keys — use a dedicated low-privilege key if you test it.
  • Data locality & privacy: Contracts are stored under /tmp/contract-tracker. On multi-user systems /tmp may be accessible by other local users; if that is a concern, modify STORAGE_DIR to a secure path before use.
  • Feishu behavior: The code only formats Feishu cards; it does not automatically post messages. If you expect automatic push, verify how to integrate a Feishu bot securely (no code currently sends the card).
  • Registry metadata mismatch: The registry claims no required env vars but SKILL.md requires billing env vars. Ask the author to correct the manifest or explain the discrepancy.

Recommended next steps: verify the maintainer/source, run the code in a sandboxed environment, and review/modify billing/env handling if you want strictly offline operation.
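A check for the /tmp exposure raised above, added here as an example that is not part of the skill: storage_findings reports whether the ledger directory is symlinked, owned by another user, or readable by other local users, and ensure_private_storage creates it owner-only and tightens an existing ledger file. Both function names are assumed; the path mirrors the documented /tmp/contract-tracker/contracts.json.

```python
import os
import stat
from pathlib import Path
from typing import List

# Default path documented in the README; the scan notes /tmp may be readable by other local users.
DEFAULT_STORAGE_DIR = Path("/tmp/contract-tracker")
LEDGER_NAME = "contracts.json"
OTHER_ACCESS = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def storage_findings(storage_dir: Path) -> List[str]:
    """Return problems with the ledger directory; an empty list means it looks private."""
    findings: List[str] = []
    try:
        st = os.lstat(storage_dir)  # lstat so a planted symlink is seen, not followed
    except FileNotFoundError:
        return [f"{storage_dir} does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{storage_dir} is a symlink (another local user could redirect writes)"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{storage_dir} is not a directory"]
    # On a sticky /tmp another user cannot delete your dir, but can pre-create the name.
    if st.st_uid != os.getuid():
        findings.append(f"{storage_dir} is owned by uid {st.st_uid}, not the current user")
    if st.st_mode & OTHER_ACCESS:
        findings.append(f"{storage_dir} is group/world accessible (mode {oct(st.st_mode & 0o777)})")
    ledger = storage_dir / LEDGER_NAME
    if ledger.exists() and ledger.stat().st_mode & OTHER_ACCESS:
        findings.append(f"{ledger} is readable by other users (mode {oct(ledger.stat().st_mode & 0o777)})")
    return findings


def ensure_private_storage(storage_dir: Path) -> Path:
    """Create the ledger directory with owner-only permissions (0700) and an owner-only ledger file."""
    if storage_dir.is_symlink():
        raise RuntimeError(f"refusing to use symlinked storage dir {storage_dir}")
    storage_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(storage_dir, 0o700)  # mkdir's mode is masked by umask, so enforce it explicitly
    ledger = storage_dir / LEDGER_NAME
    if ledger.exists():
        os.chmod(ledger, 0o600)
    return storage_dir
```

Run storage_findings(DEFAULT_STORAGE_DIR) before first use; anything it reports is a reason to point STORAGE_DIR elsewhere.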

Like a lobster shell, security has layers — review code before you run it.

latest: vk973y3gb1cbgkyvg6n66g0swsh85mx5b
41 downloads
0 stars
1 version
Updated 1d ago
v1.0.0
MIT-0

Contract Tracker (contract-tracker)

Upload contract PDFs → AI extracts key fields → Manage ledger → Expiry reminders + Feishu push


Trigger Phrases

contract ledger, contract management, contract tracker, pdf contract, contract reminder


Usage

Command Line

# Upload a contract PDF
python -m scripts.main upload /path/to/contract.pdf

# List all contracts
python -m scripts.main list

# List active contracts sorted by end date (earliest expiry first)
python -m scripts.main list --status "Active" --sort end_date

# Get contract details
python -m scripts.main get <contract_id>

# Update a contract
python -m scripts.main update <contract_id> --name "New Name" --status "Terminated"

# Delete a contract
python -m scripts.main delete <contract_id>

# Add expiry reminder
python -m scripts.main reminder <contract_id> add --days 30

# Check expiring contracts
python -m scripts.main check --days 30

# Export contracts
python -m scripts.main export --format csv -o contracts.csv

Python API

from scripts import extract_text_from_pdf, extract_contract_fields
from scripts import add_contract, get_contracts, get_contract
from scripts import update_contract, delete_contract

# Extract fields from PDF
text = extract_text_from_pdf("/path/to/contract.pdf")
fields = extract_contract_fields(text, "contract.pdf")
contract = add_contract(fields)

# List contracts
all_contracts = get_contracts(status="Active")

Contract Fields Extracted

  • Contract Name — from PDF title
  • Amount — RMB amount via regex
  • Sign Date — contract signing date
  • Start Date — effective start date
  • End Date — expiry date
  • Counterparty — other party name
  • Key Nodes — payment terms, renewal clauses (up to 5)
  • Status — Active / Expired (auto-calculated)

Supported Formats

Format | Extension | Notes
PDF    | .pdf      | Text extraction via PyMuPDF

Tech Stack

  • Parsing: PyMuPDF (fitz)
  • AI Field Extraction: Regex + heuristic pattern matching (fully offline, no external AI API)
  • Storage: JSON file in /tmp/contract-tracker/ (fully offline, no home directory writes)
  • Notifications: Feishu IM card format

Tiered Features

Feature          | FREE | PRO
Max Contracts    | 5    | Unlimited
Max Reminders    | 1    | Unlimited
Export Formats   | CSV  | CSV, XLSX, PDF
Feishu Reminders | No   | Yes

Price: $0.01 USDT per call (PRO tier). FREE tier is free.

Get PRO: https://skillpay.me/contract-tracker


Billing

  • Endpoint: POST https://skillpay.me/api/v1/billing/charge
  • Header: X-API-Key: {api_key}
  • Body: {"user_id": "...", "skill_id": "contract-tracker", "amount": 0.01}
  • Response: {"success": true, "balance": ...}
  • Fallback: Network error → FREE tier (do not block usage)
  • Dev Mode: No API key configured → balance=999.0, no charge

Required Environment Variables

Variable               | Description
SKILL_BILLING_API_KEY  | SkillPay Builder API Key
SKILL_BILLING_SKILL_ID | Skill Slug (default: contract-tracker)

Security Notes

  • All contract data stored in /tmp/contract-tracker/ — no home directory writes
  • PDF parsing is fully offline — no external network calls during extraction
  • Feishu card push requires a Feishu bot token (configure separately)

API Key Format

Any non-empty string works as an API key. Tier is determined automatically:

  • No API key → FREE tier
  • Any API key → PRO tier
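The charge-and-fallback behaviour documented in the Billing section and the tier rule in API Key Format, reconstructed here as an added example (not billing.py's own code) so the three paths can be exercised offline: no key means no request leaves the machine, a network error degrades to FREE, and only a confirmed response counts as a charge. The transport is injected as post_fn, a stand-in for requests.post that returns the parsed JSON body; charge_for_call, ChargeResult and the network_called audit field are names assumed for the example.

```python
import os
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

CHARGE_URL = "https://skillpay.me/api/v1/billing/charge"  # endpoint from the Billing section
PRICE_PER_CALL = 0.01                                     # PRO price per call from the README
DEV_MODE_BALANCE = 999.0                                  # documented dev-mode balance


@dataclass
class ChargeResult:
    tier: str                 # "FREE" or "PRO"
    charged: bool             # True only when skillpay.me confirmed the charge
    balance: Optional[float]  # balance reported by the service (None when unreachable)
    network_called: bool      # audit field: did any request leave the machine?


def charge_for_call(user_id: str, post_fn: Callable[..., dict],
                    env: Mapping[str, str] = os.environ) -> ChargeResult:
    """Apply the documented billing rules for one call; post_fn stands in for requests.post."""
    api_key = env.get("SKILL_BILLING_API_KEY", "")
    skill_id = env.get("SKILL_BILLING_SKILL_ID", "contract-tracker")
    # Dev mode: empty or unset key -> FREE tier, fixed balance, and no network traffic at all.
    if not api_key:
        return ChargeResult("FREE", False, DEV_MODE_BALANCE, False)
    try:
        resp = post_fn(CHARGE_URL,
                       headers={"X-API-Key": api_key},
                       json={"user_id": user_id, "skill_id": skill_id, "amount": PRICE_PER_CALL},
                       timeout=5)
    except Exception:  # with real requests, narrow this to requests.RequestException
        # Documented fallback: network error -> FREE tier, usage is not blocked.
        return ChargeResult("FREE", False, None, True)
    if resp.get("success") is True:
        return ChargeResult("PRO", True, resp.get("balance"), True)
    # Service answered but did not confirm (e.g. insufficient balance): treat as FREE, nothing charged.
    return ChargeResult("FREE", False, resp.get("balance"), True)
```

Because the fallback silently degrades to FREE, log network_called and charged per call if you need to reconcile what skillpay.me billed against what the skill believed.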

Slug

contract-tracker

Comments

Loading comments...