合同卫士 / Contract Guardian
Security checks across malware telemetry and agentic risk
Overview
This skill appears purpose-aligned for local contract review. The main thing to notice is that it reads sensitive contract files and stores contract metadata locally.
This skill looks coherent for local contract review and does not show network upload or credential use. Before installing, be aware that contract contents are processed by local helper scripts and archive metadata is saved under CG_DATA_DIR by default.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read local files that are passed to it for review or comparison.
The skill directs the agent to run local Python helper scripts on user-provided file paths. This is purpose-aligned for contract review, but users should ensure the selected paths are intended contract files.
python3 scripts/contract_parser.py --action parse --file <文件路径>
Use explicit contract file paths and avoid pointing the skill at unrelated private files.
Contract metadata may remain on the device after use and can be retrieved by the skill later.
The archive feature stores contract metadata, including parties, dates, amounts, file path, and notes, in a local JSON store for later expiry reminders and search.
"file_path": data.get("file_path"), "notes": data.get("notes"), "archived_at": now, "status": "active"
Only archive contracts you want retained locally, and set CG_DATA_DIR to a suitable private directory if needed.
Even with masking of some identifiers, contract contents are processed and may be visible to the reviewing agent as part of the workflow.
The parser returns the full parsed contract text after limited masking. This is useful for review, and no external upload is shown, but users should understand that the full document content may enter the tool/agent context during processing.
result["text"] = mask_sensitive_info(result["text"])
output_success(result)
Do not submit contracts unless you are comfortable with the agent processing their contents; manually redact highly sensitive sections if necessary.
If you install optional dependencies, their source and version affect the local parsing environment.
Optional PDF/DOCX support depends on external Python packages, but no pinned dependency file or install spec is provided. This is common for optional parsing support, not evidence of malicious behavior.
PDF parsing requires installing `pdfplumber`; DOCX parsing requires installing `python-docx`.
Install optional packages from trusted package sources and use pinned versions where possible.
