Back to skill

Security audit

Contract Review & Risk Flagger (UK)

Security checks across malware telemetry and agentic risk

Overview

This is a text-only UK contract review checklist with no code execution or hidden access, but users should redact sensitive contract details and confirm the contract’s jurisdiction.

Install only if you want a UK-oriented contract risk checklist, not legal advice. Confirm the governing law before relying on UK-specific findings, redact unnecessary sensitive information before pasting contracts, and consult a qualified solicitor for high-value, complex, non-UK, or binding legal questions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The README presents UK-specific legal analysis features, including UCTA 1977 and Consumer Rights Act 2015 checks, as part of the standard review flow without clearly requiring the user to confirm that the contract is governed by UK law. In a legal-review skill, silent jurisdictional assumptions can mislead users into relying on inapplicable standards, producing incorrect risk assessments and unsafe negotiation guidance.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
Flagging 'Jurisdiction outside England & Wales' as an inherent red flag makes England & Wales the implied default and treats other governing-law choices as suspicious, even though they may be normal or required for the parties. In the context of contract review, this can bias advice, distort risk scoring, and encourage users to reject valid agreements based on a hidden jurisdictional assumption.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly encourages users to paste full contract text, which commonly contains sensitive personal, financial, and commercially confidential information. Without a clear privacy warning or minimization guidance, users may disclose data they do not have authority to share or that should be redacted before submission, creating confidentiality, privacy, and compliance risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.