Contract Risk Helper

v1.0.1

Contract Risk Helper — scan contracts for common risk clauses. Triggers on 合同风险、合同审查、条款风险、帮我看合同、合同检查. Read-only local analysis, no network calls, no credenti...

by haidong@harrylabsj · duplicate of @harrylabsj/study-reminder
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (contract risk scanning) matches the provided code and reference material. The handlers implement pattern matching for common contract clauses and return categorized results; nothing in the package requests unrelated capabilities (no cloud credentials, no unrelated binaries).
Instruction Scope
SKILL.md directs only local pattern matching over user-provided contract text. The runtime code (handler.py and scripts/scanner.js) only reads in text arguments and applies regexes; it does not read system files, environment variables, or contact external endpoints. The SKILL.md claim of 'no network calls, no exec' is consistent with the code (there are shebang lines in scripts but no subprocess or shell.exec usage).
Install Mechanism
No install spec is present (instruction-only from platform perspective) and included code has no external download or package-install behavior. Files are plain source code and tests; nothing is fetched from arbitrary URLs or written to unexpected locations.
Credentials
No required environment variables, credentials, or config paths are declared or used. The skill appropriately requests no secrets given its stated purpose.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It is user-invocable and can be invoked autonomously per platform defaults, which is expected for this kind of skill.
Assessment
This package appears to do exactly what it says: local regex-based identification of common contract risks. Before installing or running, consider: (1) the skill will process whatever contract text you provide — avoid submitting extremely sensitive or regulated data unless you trust the host environment, (2) verify your platform does not inadvertently log or transmit skill inputs (the code itself does not transmit data), and (3) note small non-security oddities (skill.json version differs from registry version and the references file exists but is not programmatically used). If you need legal certainty, use this as a preliminary tool only and consult a qualified attorney.
