Contract Check

Security checks across malware telemetry and agentic risk

Overview

This contract-review skill appears purpose-aligned and local-only, with a manageable privacy consideration around saved review settings.

Before installing, treat the saved configuration as sensitive business data. Use it only in a trusted workspace, avoid storing confidential negotiation thresholds unless needed, and remove the local config when it should no longer be reused.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill persists company-specific legal and commercial risk preferences to a local file without explicitly warning the user that the data will be stored and retained. This can expose sensitive internal business rules, negotiation thresholds, and contract positions to unintended local access or future reuse beyond the user's expectations.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
metadata:
  permissions:
    - file:read
    - file:write
  behavior:
    network: none
    telemetry: none
Confidence: 93%
Finding (matched content from the skill file):
write behavior: network: none telemetry: none credentials: none
---
# General Contract Review Skill
Provides enterprises with a customizable, systematic risk review of commercial contracts.
## ⛔ MANDATORY GATE — Initialization Check (cannot be skipped)
**Every time the user asks to review a contract, perform the following checks:**
1. Use `exec` to check whether the configuration file exists

VirusTotal

65/65 vendors flagged this skill as clean.