Security audit

合同风险审查虾

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese contract-review guidance skill made of markdown reference files, with no hidden code or automatic data transfer found.

Install only if you are comfortable giving the agent contract text or files to review. Treat contracts as confidential, confirm you are authorized before batch-scanning any repository, and separately review any notification or compliance-monitoring integrations before using them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
93% confidence
Finding
The trigger list includes broad everyday-language phrases such as “帮我看看这份合同” and “这份合同有没有坑,” which can cause the skill to activate on loosely related user requests without clear confirmation. In a skill that analyzes uploaded legal documents, unintended activation increases the chance of processing sensitive contract data or steering users into legal-risk review workflows when they did not explicitly request them.

Missing User Warnings

Medium
97% confidence
Finding
The skill explicitly handles uploaded contracts, compares against internal templates, and batch-scans historical contract repositories, but it provides no privacy notice, data minimization guidance, retention limits, or access-control expectations. Because contracts commonly contain confidential business terms, personal data, and privileged legal information, this omission creates a real risk of unauthorized exposure, over-collection, or unsafe downstream use of sensitive documents.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.