contract-review-cn

This skill's purpose and code largely align (it parses files and sends text to an LLM to produce risks and suggested edits), but there are configuration inconsistencies you should fix before use: - API key handling: SKILL.md asks you to put the API key into config.json, but the code never reads config['api_key'] when constructing the LLM client. The LLM client will likely use environment variables (e.g., OPENAI_API_KEY). Either set the expected environment variable or modify the code to securely read the key from your configuration or secret store. - Model vs provider mismatch: config.example.json sets api_provider='openai' but the default model value is 'zai/glm-4.7-flash' (not an OpenAI model). Confirm which provider and model you intend to use and update both the config and code accordingly. - Privacy: the analyzer sends the full extracted contract text to an external LLM. Do not run confidential or highly sensitive contracts against this skill until you confirm the provider, where data is sent, and your data-retention policy with that provider. - Test safely: run the demo on non-sensitive sample contracts locally first. Inspect and, if desired, patch the _call_ai_model method to explicitly pass credentials from config (or to use a local/private model endpoint) so behavior matches the docs. - Dependency hygiene: pip-installing requirements is normal, but audit dependency versions (langchain/langchain-openai) and run in an isolated environment (virtualenv) to reduce supply-chain risk. If you need, I can point to exactly where to modify the code so config.api_key is used and how to ensure the skill targets the intended model/provider.