Contract Auditor

Security checks across malware telemetry and agentic risk

Overview

This skill is a local contract-review helper that reads user-provided Word/text contracts and produces reports or annotated output files, with no evidence of hidden data collection or unsafe automation.

Use this on copies of important contracts and confirm the annotated output path before running Word annotation. Treat the generated review as an aid, not a replacement for professional legal review, and consider pinning dependencies in controlled environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill states it can add comments directly into the original Word document, but it does not prominently warn that user files will be modified or that a new output file should be used by default. In document-processing workflows, silent modification can cause integrity, overwrite, and audit-trail problems, especially for legal contracts where preserving the original file is important.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
# Install: pip install -r requirements.txt

# Word document processing
python-docx>=1.1.0

# PDF processing (enabled in v1.1)
# pdfplumber>=0.10.0
Confidence: 92%
Finding
python-docx>=1.1.0

VirusTotal

VirusTotal findings are pending for this skill version.
