Contract Risk Analyzer
Security checks across malware telemetry and agentic risk
Overview
The skill largely does what it claims (PDF extraction + AI risk analysis) but contains inconsistencies and a network-based token verification step that could leak keys if misused.
This skill appears to implement legitimate PDF extraction + AI analysis, but there are two red flags you should consider before installing or running it:

1) Missing declared env vars: the repo and script expect OPENAI_API_KEY / OPENAI_API_BASE (and fallback variants), but the skill metadata lists no required environment variables. Treat this as an inconsistency and assume you must provide an API key to run analysis.

2) Potential secret exfiltration via token verification: the script includes verify_token(...) that POSTs a Bearer token to https://api.yk-global.com/v1/verify. You need to confirm what token the script sends. Do NOT provide your primary OpenAI API key unless you are certain verify_token is intended to receive a separate product/license token. Prefer creating a scoped/limited API key or using a dedicated service account for this skill.

Recommended actions before use:
- Ask the author which token verify_token expects (license token vs. OpenAI key). Request code changes if they are sending user API keys to third-party verification.
- Run the script in a sandboxed environment and monitor outbound network calls (to verify exactly what is sent to yk-global.com).
- If you must provide an API key, create a restricted/low-privilege key (billing limits, usage caps) or use an intermediary proxy you control.
- If you cannot confirm the verification behavior, avoid giving the skill any high-value credentials.

If the author confirms verify_token only uses a separate product license token (not the user's AI key) and documents that clearly (and the metadata is updated to list required env vars), this would reduce the concern.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
