Redline Contract
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a local contract-redlining skill with no evidence of hidden network access or exfiltration, but it will read and create files containing contract text.
This skill looks appropriate for local DOCX contract review. Before installing or using it, make sure you are comfortable with it creating local files that contain contract text, review the redlined outputs before sharing them, and install any needed Python dependencies only from trusted sources.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can create redlined contract files and risk reports that may be shared or relied on in negotiations.
The skill instructs the agent to run a local Python helper that reads a DOCX and writes amended/report files. This is expected for contract redlining, but it is still file mutation authority that users should review.
python scripts/contract_review_pipeline.py materialize --input <contract.docx> --review-json <contract.review.json> --amended-output <contract.amended.docx> --report-output <contract.risk-report.docx>
Use separate output filenames, review tracked changes and reports before sharing them, and keep a copy of the original contract.
Sensitive contract language and comments may remain in the generated .review.json file after the redline is complete.
The review JSON stores extracted contract paragraph text and Word comment data for later materialization. This is purpose-aligned, but it creates a persistent sidecar file containing potentially confidential legal content.
"source_text": source_text, "paragraph_indexes": paragraph_indexes, "target_paragraph_index": target_index, ... "opponent_comments": extract_comment_threads(
Store generated review JSON files in a private location and delete or archive them according to your confidentiality requirements.
A user may need to install a Python dependency manually, which introduces normal package-source trust considerations.
The package is presented as having no install requirements, while the included script imports an external Python library. This is a setup documentation gap rather than evidence of malicious behavior.
Required binaries (all must exist): none
Required env vars: none
Install specifications: No install spec — this is an instruction-only skill.
If a dependency is needed, install it from a trusted package index and prefer a pinned or documented version.
