ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Contract Generator

v1.0.0

Generate professional freelance contracts, SOWs, and NDAs for client projects. Use when creating contracts, scope of work documents, or legal agreements for freelance engagements.

0· 1.3k·4 current·4 all-time
bySean Wyngaard@seanwyngaard
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the SKILL.md templates. The skill declares no environment variables, no binaries, and no install actions — all reasonable for a template generator.
Instruction Scope
SKILL.md contains only templates, usage examples, and disclaimers — it does not instruct reading unrelated files, exfiltrating data, or calling external services. Note: the header lists allowed-tools including Read, Write, Edit, Grep, Glob, and Bash; while Read/Write/Edit/Grep/Glob are reasonable for creating/editing contract files, allowing Bash is broader than strictly necessary for template generation and could permit shell execution if the agent/platform maps that capability to an actual shell.
Install Mechanism
No install spec and no code files — instruction-only reduces installation risk. Nothing is downloaded or written to disk by an installer.
Credentials
No environment variables, credentials, or config paths are requested. The scope does not require secrets or external API keys.
Persistence & Privilege
always is false and the skill requests no persistent system changes. The SKILL.md sets disable-model-invocation true (model cannot autonomously call itself for this skill), which is an unusual but safe configuration and reduces autonomous model-driven activity.
Assessment
This skill is coherent with its stated purpose: it provides contract and SOW templates and asks for no credentials or installs. However, it is not legal advice — have a qualified attorney review any contract before signing. If you are concerned about file-system or shell access, note the skill allows tools like Read/Write and Bash; on a platform that maps those to real filesystem/shell access this could let the skill read or run things on the host. If you want to be conservative, avoid installing the skill on agents with access to sensitive files, remove or restrict the Bash/tool permissions in the skill configuration if possible, and avoid pasting secrets (API keys, private client data) into prompts.

Like a lobster shell, security has layers — review code before you run it.

latestvk970acv4ekzc1f8ekcngefhfz98125kk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments