Contract Clause Extractor

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it presents mock contract-analysis output as real legal risk extraction.

Install only if you treat this as a scaffold or demo. Do not rely on its contract summaries, translations, risk scores, or negotiation suggestions for real agreements unless the publisher replaces the canned outputs with document-derived parsing and clearly labels confidence and limitations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The script advertises contract extraction, classification, and risk analysis, but the implementation returns canned and random outputs instead of processing document contents. In a legal-review workflow, this can mislead users into relying on fabricated clause and risk assessments, causing bad business or compliance decisions.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The ingest command claims files were parsed successfully after only checking existence and estimating pages from byte size. This creates a false assurance that document ingestion worked, which is especially dangerous in a contract-analysis skill where downstream review may depend on complete and accurate extraction.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The bilingual mode presents fixed sample CN/EN rows and glossary entries as if they were extracted from the provided contract. In contract review, fabricated translations can hide materially important obligations or risks and may cause users to trust incorrect multilingual summaries.

VirusTotal

63/63 vendors flagged this skill as clean.
