Contracts
Review
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a local contract organizer, but it pairs strict no-legal-advice limits with an instruction to perform legal risk scoring that contradicts them, so users should review its boundaries before relying on it.
Before installing, decide whether you want the agent to maintain a local contracts folder and calendar reminders. Do not rely on automated risk scoring or legal judgments; use it for factual extraction and tracking, protect the ~/contracts folder and backups, and only provide selected contracts or emails you are comfortable processing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could over-trust an automated risk score or treat it as legal guidance when making contract decisions.
The quoted instruction directs the agent to score contract risk, which is a form of legal-risk assessment and conflicts with the skill's stated no-legal-advice/no-risk-assessment posture.
Advanced features:
- Clause library lookup ("our standard arbitration language")
- Risk scoring (1-5 based on liability exposure)
Remove or tightly gate risk scoring, keep outputs to factual extraction, and require explicit disclaimers and user confirmation for any legal-risk-related workflow.
Anyone with access to the local folder, backups, or extracted metadata may learn sensitive contract terms, parties, amounts, or deadlines.
The skill creates a persistent local repository and metadata index for contract contents, which is purpose-aligned but stores sensitive information for later reuse.
Create folder in ~/contracts/{name}/ ... Save as current.pdf ... Extract to meta.md: parties, effective date, term, value, renewal terms, notice period ... Add to index.md
Keep the folder private (owner-only permissions), use encryption where appropriate, review extracted metadata before it is indexed, and avoid storing critical identifiers such as SSNs, tax IDs, or bank details.
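The check a practitioner would want before trusting that folder, as an added example that is not part of the skill or of ClawScan's review: a Python audit over a ~/contracts-shaped tree that flags group/other-readable modes (POSIX permission bits only) and scans meta.md and index.md for identifiers the finding says should not be persisted. The file names come from the quoted instruction; the SSN/EIN/IBAN patterns, the redact helper, and build_sample_repo with its contents are assumptions constructed for the demonstration, not part of the skill.

```python
"""Audit a local contracts repository shaped like the quoted instruction:
~/contracts/{name}/current.pdf, meta.md per contract, and a top-level index.md.

Two checks: (1) no path is readable by other local users, (2) extracted
metadata contains none of the identifiers the finding says not to store.
The regexes are illustrative assumptions, not an exhaustive PII catalogue.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed patterns for identifiers that should never land in meta.md/index.md.
SENSITIVE_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EIN": re.compile(r"\b\d{2}-\d{7}\b"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

# Files the skill writes extracted contract data into (from the quoted step).
METADATA_FILES = {"meta.md", "index.md"}


def find_sensitive_identifiers(text):
    """Return (label, match) pairs for every sensitive identifier found in text."""
    hits = []
    for label, pattern in SENSITIVE_PATTERNS.items():
        hits.extend((label, m.group(0)) for m in pattern.finditer(text))
    return hits


def redact(text):
    """Replace each sensitive identifier with a labelled placeholder so the
    factual fields (parties, dates, value, notice period) stay usable."""
    for label, pattern in SENSITIVE_PATTERNS.items():
        text = pattern.sub(f"[REDACTED {label}]", text)
    return text


def permission_issues(path):
    """Report a path whose POSIX mode grants group or other any access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path}: mode {oct(mode)} accessible by group/other"]
    return []


def audit_contracts_dir(root):
    """Walk root and return {'permissions': [...], 'identifiers': {relpath: [...]}}."""
    root = Path(root)
    report = {"permissions": permission_issues(root), "identifiers": {}}
    for path in root.rglob("*"):
        report["permissions"].extend(permission_issues(path))
        if path.is_file() and path.name in METADATA_FILES:
            hits = find_sensitive_identifiers(path.read_text())
            if hits:
                report["identifiers"][str(path.relative_to(root))] = hits
    return report


def build_sample_repo():
    """Constructed sample: one contract whose meta.md wrongly carries an EIN and
    an SSN, with world-readable modes set explicitly so the audit is deterministic."""
    root = Path(tempfile.mkdtemp(prefix="contracts-"))
    contract = root / "acme-msa"
    contract.mkdir()
    (contract / "meta.md").write_text(
        "parties: Acme Corp (EIN 12-3456789), Example LLC\n"
        "effective date: 2026-01-01\nterm: 24 months\nvalue: 120000 USD\n"
        "renewal terms: auto-renew\nnotice period: 60 days\n"
        "signatory SSN: 123-45-6789\n"
    )
    (root / "index.md").write_text("- acme-msa: Acme Corp / Example LLC, renews 2028-01-01\n")
    os.chmod(root, 0o755)          # bad: directory listable by everyone
    os.chmod(contract, 0o755)      # bad
    os.chmod(contract / "meta.md", 0o644)  # bad: metadata world-readable
    os.chmod(root / "index.md", 0o600)     # good: owner-only
    return root


if __name__ == "__main__":
    report = audit_contracts_dir(build_sample_repo())
    for issue in report["permissions"]:
        print("PERM ", issue)
    for relpath, hits in report["identifiers"].items():
        print("PII  ", relpath, hits)
```

Run it against the real folder (audit_contracts_dir(Path.home() / "contracts")) after the skill has extracted a few contracts; fix flagged modes with chmod -R go-rwx ~/contracts, and run redact() over meta.md text before the "Add to index.md" step so identifiers never reach the index. Date strings such as 2028-01-01 and money amounts deliberately do not match the patterns, so the factual fields the skill is meant to track survive redaction.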
If used broadly, private email content could be pulled into contract analysis or summaries.
The workflow may involve email or update content, which can include private account, billing, or personal information; the artifact does not indicate automatic inbox access, so this is a user-scope notice rather than a finding of credential misuse.
Price increase detection — Scan emails/updates for rate changes
Only provide selected relevant messages or files, and do not grant broad mailbox access unless the user explicitly wants that behavior and understands the privacy impact.
Contract deadlines, party names, or file links could appear in a calendar visible on other devices or to shared calendar users.
Calendar event creation and file linking are external tool actions that fit the contract-alert purpose, but they can expose contract names or deadlines if synced to a cloud calendar.
Track dates for calendar sync:
- Export critical deadlines to calendar app
- Create recurring check-in reminders
- Link to contract file from calendar event
Confirm the destination calendar before creating events, minimize sensitive event titles, and avoid cloud/shared calendars unless the user explicitly approves.
