Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Contract Review Skill

v1.0.4

AI-powered contract review that identifies risky clauses, missing provisions, and compliance issues in legal documents for informed decision-making.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for 534422530/contract-review-skill.

Prompt preview (Install & Setup):
Install the skill "Contract Review Skill" (534422530/contract-review-skill) from ClawHub.
Skill page: https://clawhub.ai/534422530/contract-review-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install contract-review-skill

ClawHub CLI


npx clawhub@latest install contract-review-skill
Security Scan
Capability signals
Crypto: can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Most code (review_engine.py, contract_reviewer.py, legal_patterns/*.json) is coherent with an on‑device contract review skill. However, batch_reviewer imports an external SubAgentManager (an undeclared dependency) and fix_json.py performs an unconditional write to an absolute user path (C:/Users/pc/.laosi/...), which is not mentioned in the SKILL.md or README and is disproportionate to the stated purpose.
Instruction Scope
SKILL.md is minimal and claims local processing only. The codebase does not contact external endpoints, but fix_json.py will write a JSON file into a hardcoded user configuration path. That file-write behavior is not documented in SKILL.md/README and represents scope creep (modifying user home folders). batch_reviewer also expects a SubAgent system and will create/modify SubAgent state (not documented).
Install Mechanism
There is no install spec (instruction-only), which lowers risk, but the package contains executable Python scripts. Nothing is downloaded from the network during install, but the code expects a separate SubAgent subsystem (imported from parent directories) that is not listed as a dependency: on a host without it the scripts fail at import time, and on a host that has it the skill silently couples to that subsystem.
Credentials
The skill requests no credentials or environment variables (good). There are no network endpoints or secrets required. However, the code writes into a hardcoded user directory (C:/Users/pc/.laosi/...) which may overwrite or create files in user configuration locations — this is filesystem access but does not request credentials.
Persistence & Privilege
The skill is not set to always:true and does not request elevated privileges. Still, fix_json.py (and the batch results) write to a .laosi config-like directory in the user's home, so the package modifies user files on execution. The skill also references a SubAgent system which, if present, could give it broader agent-level effects. It runs under the default (autonomous) invocation setting, which is not itself flagged.
What to consider before installing
This package contains plausible local contract-review code, but exercise caution before installing or running it:
- Do not run fix_json.py as-is. It writes to a hardcoded path (C:/Users/pc/.laosi/skills/contract-review-skill/...), which could overwrite files or create unexpected config in your home directory. If you need the functionality, inspect the script and change the path to a safe location (or remove the script).
- batch_reviewer imports a SubAgentManager from a parent path; this dependency is not declared. Confirm you understand what your SubAgent system is and whether you want this skill to create and manage agents.
- There are several inconsistencies and bugs (e.g., the score-to-level mapping appears inverted in batch_reviewer/contract_reviewer). Review the code before trusting its outputs.
- Source/homepage metadata is inconsistent (the registry shows an unknown source; SKILL.md references a GitHub URL). Prefer skills with a clear upstream repository and author identity.
- Run the skill in an isolated environment (container or VM) and back up any .laosi or related config directories before the first run. Review/grep the code for any other hardcoded paths or writes.
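The last two checks (grep the package for hardcoded paths and writes, and confirm which imports reach outside it) can be done mechanically before anything is installed. The script below is an added example and is not code from this page, from the ClawHub scanner, or from the skill itself. It parses every .py file under a skill directory with Python's ast module and reports the patterns the scan describes: absolute path literals, file writes, sys.path edits, parent-relative imports, and imports of modules that are neither standard library, local to the package, nor in a list of declared dependencies. The sample package it audits is constructed to mirror those shapes and is not the skill's real source; the "declared dependencies" argument is an assumed convention, since the page shows no dependency manifest for this skill.

```python
# Static pre-install audit of an OpenClaw skill directory (added example, not the skill's code).
import ast, re, sys, tempfile
from pathlib import Path

# Windows drive (C:/ or C:\), POSIX root, ~/ home shorthand, or \\server UNC share.
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:[\\/]|/|~[\\/]|\\\\)")
WRITE_METHODS = {"write_text", "write_bytes", "mkdir", "copy", "copyfile", "copytree",
                 "move", "rmtree", "remove", "unlink", "rename"}
# sys.stdlib_module_names exists on Python 3.10+; the literal set is a fallback for older versions.
STDLIB = set(getattr(sys, "stdlib_module_names", ())) | {"os", "sys", "re", "json", "pathlib", "shutil"}

def _const_str(node):
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None

def _dotted(node):  # 'sys.path.insert' for a Name/Attribute chain, None for anything else
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := _dotted(node.value)):
        return f"{base}.{node.attr}"
    return None

class _Auditor(ast.NodeVisitor):
    def __init__(self, rel, local, declared):
        self.rel, self.local, self.declared, self.findings = rel, local, declared, []

    def flag(self, node, kind, detail):
        self.findings.append({"file": self.rel, "line": node.lineno, "kind": kind, "detail": detail})

    def visit_Constant(self, node):
        if (s := _const_str(node)) and ABS_PATH_RE.match(s):
            self.flag(node, "hardcoded-path", s)

    def visit_Call(self, node):
        name = _dotted(node.func) or ""
        leaf = name.rsplit(".", 1)[-1]
        if leaf == "open":  # builtin open()/io.open() with a writing mode ('w', 'a', 'x', '+')
            mode = _const_str(node.args[1]) if len(node.args) > 1 else None
            mode = next((_const_str(k.value) for k in node.keywords if k.arg == "mode"), mode)
            if mode and set(mode) & set("wax+"):
                self.flag(node, "file-write", f"open(mode={mode!r})")
        elif leaf in WRITE_METHODS:
            self.flag(node, "file-write", name)
        elif name in ("sys.path.insert", "sys.path.append"):
            self.flag(node, "path-manipulation", name)
        self.generic_visit(node)  # the arguments may carry the path literal

    def _check_module(self, node, top, level=0):
        if level >= 2:  # 'from ..x import y' reaches outside the package
            self.flag(node, "parent-import", "." * level + top)
        elif level == 0 and top not in STDLIB and top not in self.local and top not in self.declared:
            self.flag(node, "undeclared-import", top)

    def visit_Import(self, node):
        for alias in node.names:
            self._check_module(node, alias.name.split(".")[0])

    def visit_ImportFrom(self, node):
        self._check_module(node, (node.module or "").split(".")[0], node.level)

def audit_skill(root, declared=()):
    """Findings for every .py under root; `declared` is what the skill claims to depend on."""
    root = Path(root)
    local = {p.stem for p in root.iterdir()
             if p.suffix == ".py" or (p.is_dir() and (p / "__init__.py").exists())}
    findings = []
    for py in sorted(root.rglob("*.py")):
        auditor = _Auditor(py.relative_to(root).as_posix(), local, set(declared))
        auditor.visit(ast.parse(py.read_text(encoding="utf-8"), filename=str(py)))
        findings.extend(auditor.findings)
    return findings

# Constructed sample mirroring the shapes the scan report describes; NOT the skill's real source.
SAMPLE = {
    "review_engine.py": "import json\ndef review(text):\n    return {'risky': 'indemnif' in text}\n",
    "fix_json.py": ("import json\n"
                    "OUT = 'C:/Users/pc/.laosi/skills/contract-review-skill/results.json'\n"
                    "def fix(data):\n"
                    "    with open(OUT, 'w', encoding='utf-8') as fh:\n"
                    "        json.dump(data, fh)\n"),
    "batch_reviewer.py": ("import os, sys\n"
                          "sys.path.insert(0, os.path.join(os.path.dirname(__file__), '..'))\n"
                          "from subagent.manager import SubAgentManager\n"
                          "from ..orchestrator import Pool\n"),
}

def demo_findings(declared=()):
    """Write the constructed sample into a fresh temp directory and audit it."""
    root = Path(tempfile.mkdtemp())
    for name, body in SAMPLE.items():
        (root / name).write_text(body, encoding="utf-8")
    return audit_skill(root, declared)

if __name__ == "__main__":
    for f in audit_skill(sys.argv[1]) if len(sys.argv) > 1 else demo_findings():
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['detail']}")
```

Run it with the path of an unpacked skill as the only argument; with no argument it audits the constructed sample, where the clean review_engine.py produces nothing and fix_json.py and batch_reviewer.py produce the five findings the scan report talks about. A finding is a prompt to read that line, not a verdict: a "file-write" under a relative path inside the skill's own directory may be fine, while the same call on a "hardcoded-path" into a user's home directory is the case the report warns about. Passing the skill's declared dependencies (here assumed to be a simple list of top-level module names) silences "undeclared-import" for the modules it admits to needing, so what remains is exactly the hidden coupling.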

Like a lobster shell, security has layers — review code before you run it.

latest: vk9767dfr9s8mmbkm78vxpaq5xh85mx64
57 downloads
0 stars
5 versions
Updated 18h ago
v1.0.4
MIT-0

name: laosi-contract-review-skill
version: 1.0.0
description: AI-powered contract review skill for OpenClaw agents - identifies risky clauses, missing provisions, and compliance issues in legal documents
author: laosi
homepage: https://github.com/laosi/contract-review-skill
tags: [legal, contract, review, compliance, risk-assessment, document-analysis]
