Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nda
v0.2.2
Draft and fill NDA templates — mutual NDA, one-way NDA, confidentiality agreement. Produces signable DOCX files from Common Paper and Bonterms standard forms...
⭐ 0 · 405 · 1 current · 1 all-time
by Steven Obiajulu (@stevenobiajulu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (draft and fill NDAs, produce DOCX) match the content of SKILL.md and CONNECTORS.md. The only external dependencies referenced (openagreements.ai MCP or the open-agreements npm CLI) are appropriate for template rendering and DOCX generation.
Instruction Scope
SKILL.md explicitly documents two execution paths: Remote MCP (server-side rendering) and Local CLI (shell invocation). It does not instruct the agent to read unrelated files or credentials, but the Local CLI path requires strict shell-parameter sanitization, secure temp file handling, heredoc quoting, and cleanup — responsibilities the skill delegates to the agent. If the agent does not enforce these rules, there is risk of path traversal or shell injection.
Install Mechanism
Instruction-only skill; no install spec or downloads in the bundle. It recommends installing a public npm package (open-agreements) and even advises pinning a specific version. This is low-risk and proportional to the stated functionality.
Credentials
The skill requires no environment variables or credentials. However, the Remote MCP path will transmit NDA field data (company names, purposes, dates, etc.) to openagreements.ai — this is functionally justified but constitutes third-party data disclosure and therefore requires explicit, informed user consent before use.
Persistence & Privilege
No elevated privileges requested, no persistent presence (always: false), and no modifications to other skills or system-wide agent configs are requested by the instruction-only bundle.
Assessment
This skill appears coherent for creating NDAs, but pay attention to two practical risks before using it: (1) The Remote MCP path sends the NDA content to openagreements.ai; use it only after explicitly telling the user and obtaining informed consent, and do not send highly sensitive details through it. (2) If you use the Local CLI path, make sure the agent (or the human operator) strictly enforces the documented sanitization rules: only allow output filenames matching ^[A-Za-z0-9_-]{1,64}\.docx$, reject shell metacharacters and control characters in field values, create a per-run temp file with mktemp and chmod 600, use quoted heredocs when writing values, set a trap that removes the temp file on exit, and pin the CLI version (e.g., npm install -g open-agreements@0.7.5). Always preview and manually review the generated document before signing. If you cannot verify that the agent will enforce these safeguards, prefer the preview-only path or perform the fill locally yourself with the pinned CLI.
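The Local CLI guard rails listed under Instruction Scope and repeated in the Assessment above, written out as one shell example. This is added here and is not the skill's or the open-agreements project's own code. It assumes the fields file is plain key=value lines, uses an allow-list for field values (stricter than the deny-list the scan describes, so "Acme & Co." is rejected along with "$(id)"), and leaves the actual open-agreements invocation as a comment because the page does not show that CLI's subcommands or flags. render_via_heredoc simulates an agent that pastes a field value straight into the command text it then runs, to show why the heredoc delimiter has to be quoted.

```shell
#!/bin/sh
# Added example (not the skill's or open-agreements' own code): the Local CLI
# guard rails from the scan as shell functions. Assumptions: the fields file
# is key=value lines, and the render command is left as a comment because the
# page does not show the open-agreements command line.
set -eu

NDA_TMPFILES=""

# Remove every per-run temp file when the shell exits, however it exits.
nda_cleanup() {
  for f in $NDA_TMPFILES; do rm -f "$f"; done
}
trap nda_cleanup EXIT

# Output filename allow-list, equivalent to ^[A-Za-z0-9_-]{1,64}\.docx$ .
# Written with case/parameter expansion so it runs in POSIX sh as well as bash
# and cannot be fooled by a newline in the name (grep would match line by line).
valid_docx_name() {
  local name=$1 stem
  case $name in
    '' | *[!A-Za-z0-9_.-]* ) return 1 ;;   # rejects / \ ; space, control chars, ...
    *.docx ) ;;
    * ) return 1 ;;
  esac
  stem=${name%.docx}
  case $stem in
    '' | *.* ) return 1 ;;                 # no empty stem, no second extension
  esac
  [ "${#stem}" -le 64 ]
}

# Field-value allow-list. The scan only asks for shell metacharacters and
# control characters to be rejected; an allow-list is the stricter way to get
# there, so "Acme, Inc." passes but "Acme & Co." and "O'Reilly" are rejected.
valid_field() {
  local value=$1
  case $value in
    '' | *[!A-Za-z0-9" ".,:@_-]* ) return 1 ;;
  esac
  [ "${#value}" -le 200 ]
}

# Write validated key=value pairs to a fresh temp file (mktemp + chmod 600)
# and print its path. Values arrive as arguments and go through printf, so
# they are never spliced into text the shell parses.
write_fields_file() {
  local f pair key value
  f=$(mktemp "${TMPDIR:-/tmp}/nda-fields.XXXXXX") || return 1
  chmod 600 "$f"
  NDA_TMPFILES="$NDA_TMPFILES $f"
  for pair in "$@"; do
    case $pair in *=* ) ;; * ) return 1 ;; esac
    key=${pair%%=*}
    value=${pair#*=}
    case $key in '' | *[!A-Za-z0-9_]* ) return 1 ;; esac
    valid_field "$value" || return 1
    printf '%s=%s\n' "$key" "$value" >> "$f"
  done
  printf '%s\n' "$f"
}

# Why the heredoc delimiter must be quoted. This simulates an agent that pastes
# a field value straight into the command text it then runs (hence eval):
# with <<EOF the body is expanded and "$(id)" executes; with <<'EOF' it is data.
render_via_heredoc() {   # $1 = delimiter as typed (EOF or 'EOF'), $2 = pasted text
  eval "cat <<$1
$2
EOF
"
}

# Render step. Pass the validated name and fields file as separate quoted
# arguments to the pinned CLI; the exact subcommand and flags are not on the
# page, so that line stays a comment here (assumption).
fill_nda() {
  local out=$1 fields=$2
  valid_docx_name "$out" || { printf 'rejected output name\n' >&2; return 1; }
  [ -f "$fields" ] || { printf 'missing fields file\n' >&2; return 1; }
  # npm install -g open-agreements@0.7.5      # pin, as the skill advises
  # open-agreements <args from the pinned CLI's help> "$fields" "$out"
  :
}

# Usage, with constructed sample values:
#   fields=$(write_fields_file disclosing_party='Acme, Inc.' effective_date=2024-06-01)
#   fill_nda mutual-nda.docx "$fields"
```

The filename check deliberately avoids piping the name through grep: a name containing a newline would be tested line by line, and "x\nb.docx" would pass on its second line. The temp file is registered for cleanup before any value is validated, so a rejected run leaves nothing behind on exit.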
latest: vk97ammqn979xevfcg53re2fkx584hwfs
