Security audit

Contract Renewal Agent

Security checks across malware telemetry and agentic risk

Overview

This is a local contract-tracking skill whose file writes and record changes are disclosed and fit its purpose, though users should back up the local database and confirm deletions carefully.

Install only if you are comfortable keeping contract names, counterparties, dates, values, and notes in a local JSON file. Back up ~/.openclaw/workspace/contract-renewal-agent/contracts.json regularly, and require clear confirmation before allowing update or delete actions on important records.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%

Finding: The skill advertises local JSON storage, a writable database path, and tools such as add/update/delete, but declares no permissions. That mismatch can prevent users or the platform from understanding the skill's real file-write capability, increasing the chance of unintended modification of local data and weakening security review and consent.

Missing User Warnings

Severity: Medium
Confidence: 84%

Finding: The documented delete_contract capability enables permanent removal of tracked contract records, yet the skill provides no warning about irreversibility, confirmation flow, or recovery options. In a contract-management context, accidental or induced deletion could erase business records, disrupt renewal tracking, and cause missed deadlines or loss of audit history.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.