Services Agreement

Security checks across malware telemetry and agentic risk

Overview

This skill helps generate services-agreement DOCX files and discloses its remote and local processing paths.

Before using the remote MCP path, decide whether the contract terms may be sent to openagreements.ai and shared back via a hosted download link. For confidential agreements, use the local CLI path, keep the pinned CLI version, enforce the filename and shell-safety rules, clean up temporary files, and review the DOCX before signing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The workflow instructs the agent to share a returned download URL for a generated agreement but provides no warning about whether the document contents are transmitted to a third-party service, how long the file remains accessible, or who can access the link. In a legal-contract skill, generated documents often contain sensitive personal, business, and payment terms, so exposing them via remote rendering without explicit user notice or access-control guidance creates a real privacy and confidentiality risk.

VirusTotal

63/63 vendors flagged this skill as clean.
