Skill v1.0.1

ClawScan security

Contract Review Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 18, 2026, 1:16 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (contract review, clause risk-flagging, obligation extraction, renewal tracking) matches its instructions and there are no unexpected installs, required credentials, or opaque code — it appears internally coherent.
Guidance
This skill is coherent for reviewing contracts and extracting obligations; it does not request secrets or install code. Before using it: (1) confirm whether your agent runtime will upload contract text to external services—avoid sending sensitive contracts to untrusted endpoints; (2) if you want calendar automation, expect you’ll need to provide calendar credentials separately—those are not declared here; (3) treat outputs as advisory only and involve licensed counsel for high-stakes agreements (the SKILL.md already states this); (4) if you plan to run automated PDF extraction, ensure the runtime has a trusted PDF/text-extraction tool available. If any part of the skill will be given network access or integration privileges in your environment, review that integration configuration separately.

Review Dimensions

Purpose & Capability
ok: Name/description align with the SKILL.md capabilities (clause analysis, obligation extraction, calendar dates, executive summaries). The skill does not request unrelated credentials, binaries, or config paths.
Instruction Scope
note: Instructions stay on-topic (extract parties, terms, obligations, flags, comparison). One ambiguous item: outputs include 'Renewal Calendar: Dates loaded into calendar system' and 'Dates loaded into calendar system' without declaring any calendar integration or credentials — likely intended as an output artifact rather than an automated integration, but it's ambiguous. Also the SKILL.md shows a sample pdf command but does not require any specific PDF tool; agent behavior here depends on environment.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — minimal risk from install mechanism (nothing written to disk by the skill).
Credentials
ok: The skill declares no required environment variables or credentials, which is consistent with being an instruction-only reviewer. Note: some suggested outputs (calendar integration, loading dates) would require credentials if automated; none are requested, so automated integrations are not part of this skill as packaged.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable; no elevated persistence or privileges are requested and the skill does not modify system/other-skill configs.