Services Agreement
v0.2.1Draft and fill services agreement templates — consulting contract, contractor agreement, SOW, statement of work, professional services agreement. Produces si...
⭐ 1· 436·0 current·0 all-time
bySteven Obiajulu@stevenobiajulu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (draft/fill services agreements) match the actual behavior: it either calls a hosted MCP (openagreements.ai) or a local CLI (open-agreements) to render templates. No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
SKILL.md and template-filling-execution.md explicitly limit scope to template discovery, user interview, and rendering. They acknowledge the Local CLI will cause shell execution and provide explicit sanitization rules (filename regex, reject shell metacharacters, use mktemp + chmod, quoted heredoc, trap cleanup). Because this is instruction-only, the skill itself cannot enforce sanitization — the agent or user must implement the rules.
Install Mechanism
There is no install spec in the bundle (instruction-only). The README/CONNECTORS recommend either a hosted MCP or installing the open-agreements npm package; the skill also recommends pinning the CLI version. No downloads from untrusted URLs are included in the bundle.
Credentials
The skill declares no required environment variables or credentials. The remote path will transmit user-supplied agreement field values to openagreements.ai — this is appropriate for a hosted rendering service and the skill asks for explicit user confirmation before doing so.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills' configs. It instructs creating a per-run temp file with restrictive permissions and cleaning it up.
Assessment
This skill appears to do what it says: generate DOCX services-agreement templates via a hosted service or a local CLI. Before installing/using: (1) decide whether you’re comfortable sending contract data to openagreements.ai and get explicit user consent before doing so; (2) if you use the Local CLI path, ensure the agent enforces the sanitization rules (mktemp + chmod, filename regex, reject shell metacharacters, quoted heredoc, trap cleanup) because the skill cannot enforce them; (3) pin the open-agreements CLI version when installing (the SKILL.md recommends a specific version) and review rendered templates before signing. If you cannot trust the remote endpoint for confidentiality, prefer the Local CLI and verify the environment enforces the listed safeguards.Like a lobster shell, security has layers — review code before you run it.
latestvk97aymzvt5qby87dgcrtzscshh84hx8a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.