contract audit

v1.0.0

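Use the contract-audit streaming interface (SSE) to audit contracts in batches (links or file upload); the Party A / Party B perspective is selectable and an api_key must be supplied; deployment domain https://dyinsight.cn, endpoint /api/v1/skills/contract/audit. Triggers on phrases like "审核合同", "audit contra...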

by tzz @tzz-v
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description claim a streaming contract-audit API. The SKILL.md, README, and example curl commands all target the same host and endpoint (https://dyinsight.cn/api/v1/skills/contract/audit) and require an api_key and optionally files/URLs — these are coherent with the stated purpose.
Instruction Scope
Instructions explicitly direct the agent to read the skill-local config.json for api_key and to read/upload user workspace files (up to 5 files, ≤5MB). This is within scope for a file-upload audit skill, but it means the agent will access and transmit local contract files and their contents to the remote endpoint — a privacy/data-exfiltration risk that is expected for this functionality.
Install Mechanism
No install spec or code is provided (instruction-only skill). Nothing is written to disk by an installer and there are no external downloads — this is low-risk from an install perspective.
Credentials
The skill requests no environment variables or system credentials; instead it uses a config.json in its own directory for an api_key. That is proportionate to the stated API-based purpose. However, the skill does require reading local files and transmitting their contents to the provider, which is a legitimate need for an audit service but may be sensitive depending on data confidentiality.
Persistence & Privilege
The skill is not always-enabled and uses the default autonomous invocation setting. It does not request system-wide config changes or access to other skills' credentials. Its only persistence requirement is a local config.json containing the api_key, which the SKILL.md explicitly instructs the agent to read.
Scan Findings in Context
[no_regex_findings] expected: The package is instruction-only with no code files for the static scanner to analyze; absence of findings is expected. Manual review of SKILL.md and README was used for assessment.
Assessment
This skill appears coherent for its stated purpose, but it will read a local config.json for an API key and upload contract files or URLs to https://dyinsight.cn for processing. Before installing: 1) Verify you trust the dyinsight.cn service and its privacy/security practices (where data is stored, retention, who can access it). 2) Only provide an API key obtained from a trusted source and do not reuse high-privilege credentials. 3) Avoid uploading highly sensitive contracts unless you have explicit agreements/controls with the provider — test first with non-sensitive documents. 4) If you need stricter control, prefer an option that runs audits locally or on a vetted enterprise service.


SKILL.md

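Calls the production backend POST https://dyinsight.cn/api/v1/skills/contract/audit and opens an SSE stream that returns progress and results. Choose one of two input methods: links via JSON, or files via multipart.

Key points

  • Perspective is required: PARTY_JIA (Party A) or PARTY_YI (Party B).
  • The methods cannot be mixed: either send links as JSON or upload files as multipart.
  • Count and size limits: ≤5 files; total size ≤5MB for the upload method.
  • Validation order: api_key → credits → create audit → SSE pushes the result.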

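Request format

Method 1: JSON (links)

  • Header: Content-Type: application/json
  • Body:
    • api_key: string
    • contract_perspective: PARTY_JIA | PARTY_YI
    • file_urls: string, contract URLs, multiple URLs separated by ASCII commas (http/https; images/PDF/Word, etc.)

Method 2: Multipart (file upload)

  • Header: Content-Type: multipart/form-data
  • Form fields:
    • api_key: string
    • contract_perspective: PARTY_JIA | PARTY_YI
    • files: one or more files (images/PDF/Word, etc.); always use the field name files

Validation constraints (consistent with the backend implementation)

  • Link method: file count ≤5; URLs must be http/https and reachable by the server.
  • Upload method: file count ≤5, combined size ≤5MB; exceeding a limit returns an error immediately.
  • With either method, an invalid api_key or insufficient credits returns an error JSON.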

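SSE response

  • Events: message (progress/result), error, end; media_type=text/event-stream
  • Data fields: id=<stream_id>:<sequence number>; content is the progress text or the final result JSON; is_finish indicates the end; context_mode is 0 (normal) / 1 (context).
  • Progress examples: "开始审核", "审核中,请等待\n"
  • End example (shown truncated):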
id: ...:1
event: message
data: {"stream_id":"...","content":"开始审核",...}

id: ...:6
event: message
data: {"stream_id":"...","content":"{\"order_name\":\"房屋租赁合同\",\"order_status\":\"success\",\"order_contract_perspective\":\"PARTY_YI\",\"order_contract_file_path\":[\"https://...\"],\"audit_result\":[...]}","is_finish":true,...}

Error example:

event: error
data: {"code":"FILE_TYPE_NOT_ALLOWED","message":"仅支持图片格式: jpg/jpeg/png/gif/webp/bmp"}

Common errors also include file count/size over the limit, an invalid api_key, and insufficient credits.
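A client-side reader for the stream format described above, as an added example that is not part of the skill's own files. It treats the stream as untrusted input: an error event or a stream that stops before is_finish raises instead of yielding a partial result. The sample streams and the names parse_sse and final_result are constructed for illustration.

```python
import json

def parse_sse(text):
    """Split an SSE body into events with id, event (default "message") and data."""
    events, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line:                        # a blank line terminates one event
            if cur:
                cur["data"] = "\n".join(cur.get("data", []))
                cur.setdefault("event", "message")
                events.append(cur)
            cur = {}
        elif not line.startswith(":"):      # lines starting with ":" are comments
            field, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if field == "data":
                cur.setdefault("data", []).append(value)
            elif field in ("id", "event"):
                cur[field] = value
    return events

def final_result(text):
    """Return the decoded audit result; raise on an error event or a cut-off stream."""
    for ev in parse_sse(text):
        if ev["event"] == "error":
            err = json.loads(ev["data"])
            raise RuntimeError(f'{err.get("code")}: {err.get("message")}')
        if ev["event"] != "message":
            continue
        payload = json.loads(ev["data"])
        if payload.get("is_finish"):
            return json.loads(payload["content"])  # content is JSON carried as a string
    raise RuntimeError("stream ended without is_finish")

# Constructed sample streams, shaped like the truncated examples in SKILL.md.
_result = {"order_name": "房屋租赁合同", "order_status": "success",
           "order_contract_perspective": "PARTY_YI", "audit_result": []}

def _msg(seq, content, done=False):
    body = {"stream_id": "s-demo", "content": content, "is_finish": done}
    return f"id: s-demo:{seq}\nevent: message\ndata: {json.dumps(body)}\n\n"

OK_STREAM = _msg(1, "开始审核") + _msg(2, "审核中,请等待\n") + _msg(6, json.dumps(_result), True)
ERR_STREAM = 'event: error\ndata: {"code":"FILE_TYPE_NOT_ALLOWED","message":"constructed"}\n\n'
CUT_STREAM = _msg(1, "开始审核")
```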

Production call examples (recommended)

JSON (links)

curl -N -s -X POST "https://dyinsight.cn/api/v1/skills/contract/audit" \
  -H "Content-Type: application/json" \
  -d '{
    "api_key": "YOUR_API_KEY",
    "contract_perspective": "PARTY_JIA",
    "file_urls": "https://example.com/contract.pdf"
  }'

Multipart (file upload, with a multi-file example)

curl -N -s -X POST "https://dyinsight.cn/api/v1/skills/contract/audit" \
  -F "api_key=YOUR_API_KEY" \
  -F "contract_perspective=PARTY_YI" \
  -F "files=@/path/to/file1.png" \
  -F "files=@/path/to/file2.png"

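Prompt suggestions (conversational products)

  • “Use contract-audit-stream, Party A perspective, file: <url>, stream back the audit result.”
  • “Use contract-audit-stream, Party B perspective, upload the contracts in the attachments, stream back the audit result (≤5 files, total ≤5MB).”
  • Optional extra requirement: “Output only the high-risk clauses and explain why.”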

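Configuration and pre-call check (Pre-flight Check)

  • Configure api_key in config.json in the same directory.
  • 🚨 AI call-interception instruction: before sending any real audit request to the backend, the AI must first read config.json in this directory. If the value of api_key is empty, or is still the default "YOUR_API_KEY_HERE", interrupt the flow immediately, stop making network requests, and kindly tell the user: “No api_key is configured yet. Please enter a real API Key in skills/contract-audit-stream/config.json and try again.”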
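The pre-flight check and the documented request limits, enforced locally so that nothing leaves the machine when a request would be rejected anyway. This is an added example, not code shipped with the skill; the function name preflight and the reading of "5MB" as 5 MiB are assumptions.

```python
import json
import os
from urllib.parse import urlparse

PLACEHOLDER = "YOUR_API_KEY_HERE"      # default value named in SKILL.md
MAX_FILES = 5
MAX_TOTAL_BYTES = 5 * 1024 * 1024      # assumption: "5MB" means 5 MiB

def preflight(config_path, perspective, file_urls=None, files=None):
    """Return a list of problems; an empty list means the request may be sent."""
    problems = []
    try:
        with open(config_path, encoding="utf-8") as fh:
            key = str(json.load(fh).get("api_key") or "").strip()
    except (OSError, ValueError, AttributeError):
        key = ""                       # missing, unreadable or malformed config
    if not key or key == PLACEHOLDER:
        problems.append("api_key not configured")
    if perspective not in ("PARTY_JIA", "PARTY_YI"):
        problems.append("contract_perspective must be PARTY_JIA or PARTY_YI")
    if bool(file_urls) == bool(files):
        problems.append("use exactly one of file_urls (JSON) or files (multipart)")
    # file_urls is a single comma-separated string, as in the JSON request body.
    urls = [u.strip() for u in (file_urls or "").split(",") if u.strip()]
    paths = list(files or [])
    if len(urls) > MAX_FILES or len(paths) > MAX_FILES:
        problems.append("more than 5 files")
    for u in urls:
        parts = urlparse(u)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"not an http/https URL: {u}")
    missing = [p for p in paths if not os.path.isfile(p)]
    if missing:
        problems.append(f"not a readable file: {missing[0]}")
    elif sum(os.path.getsize(p) for p in paths) > MAX_TOTAL_BYTES:
        problems.append("upload exceeds 5MB total")
    return problems
```

Call it before building the curl or HTTP request and abort on any non-empty result; for uploads, the same list of paths is also a record of exactly which local files would be transmitted.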

Directory

contract-audit-stream/
├── README.md
├── SKILL.md
└── config.json
