contract audit

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed connector that sends user-selected contracts to dyinsight.cn for remote audit; the uploaded contracts and the API key should both be treated as sensitive data.

Install only if you trust dyinsight.cn and are authorized to share the contracts being reviewed. Avoid uploading highly confidential or privileged contracts unless your organization approves it, redact unnecessary sensitive data where possible, and keep config.json private because it contains an API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to submit contracts by public URL or file upload to an external domain, but it does not clearly warn that sensitive legal documents and their contents will be transmitted to a third-party service. Contracts commonly contain confidential commercial terms, personal data, and signatures, so omission of a prominent data-handling warning can lead to unintended disclosure and privacy/compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to upload contracts and transmit an API key to a third-party backend, but it does not clearly disclose the privacy, confidentiality, retention, or cross-boundary transmission risks of sending sensitive legal documents off-platform. Because contracts often contain highly sensitive business and personal data, omission of these warnings can lead to unintended disclosure and unsafe use in contexts where users assume local-only processing.

External Transmission

Medium
Category
Data Exfiltration
Content
### JSON (link)

```bash
curl -N -s -X POST "https://dyinsight.cn/api/v1/skills/contract/audit" \
  -H "Content-Type: application/json" \
  -d '{
    "api_key": "YOUR_API_KEY",
```
Confidence
90% confidence
Finding
The README's usage example POSTs the contract submission, with the API key carried in the JSON body, to https://dyinsight.cn/api/v1/skills/contract/audit via curl (excerpt above; the scanner's capture ends after the api_key field).
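To make the two precautions from the overview concrete (redact unnecessary sensitive data before upload, keep config.json private) against the request shape in the excerpt above, here is an added example in Python; it is not the skill's own code nor anything published by dyinsight.cn. It assumes config.json is a JSON object with an "api_key" member, that the contract text travels in an assumed "content" field next to api_key (only api_key appears in the README excerpt), and it uses a constructed sample contract. It builds the request body and stops there; nothing is sent.

```python
"""Pre-upload hygiene for a contract-audit connector (added example).

Assumptions not taken from the page: config.json holds {"api_key": "..."};
the body field for the contract is an assumed "content"; redaction is a
simple regex pass and is a floor, not a guarantee.
"""
import json
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample inputs for offline demonstration.
SAMPLE_CONFIG = {"api_key": "YOUR_API_KEY"}
SAMPLE_CONTRACT = (
    "Service Agreement\n"
    "Between Acme Ltd (contact: jane.doe@example.com, +1 555 0100) and Beta GmbH.\n"
    "Payment to IBAN DE89 3704 0044 0532 0130 00 within 30 days.\n"
    "Signed: Jane Doe"
)

# Data that rarely needs to reach a remote auditor. IBAN runs before PHONE so the
# digit groups of an account number are not mis-labelled as a phone number.
REDACTIONS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"), "[IBAN]"),
    (re.compile(r"\+?\d[\d\s-]{7,}\d"), "[PHONE]"),
]


def redact(text: str) -> str:
    """Replace e-mail addresses, IBANs and phone numbers with placeholders."""
    for pattern, label in REDACTIONS:
        text = pattern.sub(label, text)
    return text


def config_mode_is_private(mode: int) -> bool:
    """True when the permission bits grant nothing to group or others (e.g. 0o600)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_config(path: Path) -> dict:
    """Load config.json, refusing to use an API key other local users can read."""
    if not config_mode_is_private(path.stat().st_mode):
        raise PermissionError(f"{path} is readable by other users; chmod 600 it first")
    config = json.loads(path.read_text())
    if not config.get("api_key"):
        raise ValueError(f"{path} has no api_key")
    return config


def build_audit_request(config: dict, contract_text: str) -> dict:
    """Assemble the JSON body to POST; the contract is redacted before it leaves the host.

    "api_key" matches the README excerpt; "content" is an assumed field name.
    """
    return {"api_key": config["api_key"], "content": redact(contract_text)}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "config.json"
        cfg.write_text(json.dumps(SAMPLE_CONFIG))
        cfg.chmod(0o600)  # keep the API key private, as the overview advises
        body = build_audit_request(load_config(cfg), SAMPLE_CONTRACT)
        print(json.dumps(body, indent=2))  # review this before handing it to curl -d
```

The regex pass is deliberately conservative: it catches the obvious identifiers (addresses, account numbers, phone numbers) but not names or commercial terms, so the printed body should still be reviewed by a human before any upload, and the permission check only helps on POSIX filesystems.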

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal