Cloud Service Agreement
v0.2.1
Draft and fill SaaS agreement templates — cloud contract, MSA, order form, software license, pilot agreement, design partner agreement. Includes variants wit...
by Steven Obiajulu (@stevenobiajulu)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (draft and fill SaaS agreements) match what the SKILL.md and CONNECTORS.md describe: template selection, field collection, and DOCX rendering via either the Remote MCP (openagreements.ai) or a locally installed open-agreements CLI. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions are scoped to template discovery, user interview, and DOCX rendering. The SKILL.md explicitly documents shell commands used with the Local CLI and includes mandatory sanitization rules (filename regex, reject shell metacharacters, fixed temp path, quoted heredoc, control-character rejection, template-name validation). This is appropriate, but enforcement is left to the agent/user — the skill is instruction-only and cannot itself sanitize or enforce these requirements.
Install Mechanism
No install spec is included (instruction-only), so nothing is written to disk by the skill. The README references a known npm package (open-agreements) and recommends pinning a specific version; that is reasonable. No downloads from arbitrary URLs or extract steps are present.
Credentials
The skill declares no required environment variables, credentials, or config paths. The only external interaction is an optional hosted MCP at openagreements.ai; that is coherent with the stated purpose and explicitly called out for user consent.
Persistence & Privilege
The skill does not request permanent/always-on inclusion, does not modify other skills or system-wide settings, and is user-invocable only. It documents cleanup of the temp JSON file but does not itself create persistent privileges.
Assessment
This skill appears coherent and appropriate for filling SaaS agreement templates, but pay attention to two practical safety points before using it:
(1) Remote MCP: using the hosted path (openagreements.ai) will send all filled field values (provider/customer names, pricing, scope, terms, etc.) to that service — confirm with users before sharing any sensitive data, and avoid including secrets (passwords, API keys, private attachments) in template fields.
(2) Local CLI: the SKILL.md prescribes strict sanitization of filenames and field values and writing a temp file at /tmp/oa-values.json; ensure your agent or environment enforces the quoted-heredoc, metacharacter rejection, filename regex, and removes the temp file after use.
Also follow the recommendation to pin the CLI (e.g., npm install -g open-agreements@0.7.5) and always review generated templates before signing. If you need stronger guarantees about data residency, prefer the Local CLI (offline) path and validate that whatever agent executes these instructions actually enforces the sanitization rules.
Like a lobster shell, security has layers — review code before you run it.
