
Security audit

Contract Reviewer Wudi

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine contract-review skill, but it is rated Review because it can modify legal documents and the local Python environment without adequate user control.

Recommended precautions:
  • Install only in a controlled workspace or virtual environment.
  • Preserve the original contracts.
  • Preinstall reviewed OCR dependencies instead of allowing runtime pip installs.
  • Avoid untrusted or unusual filenames until the shell invocation is fixed.
  • Have a qualified legal reviewer check the generated revisions and clean copies before relying on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Confidence: 98%
Content (excerpt from the skill's code as captured by the scanner; docstring translated):
    import subprocess

    def run_cmd(cmd, cwd=None):
        """Run a shell command"""
        # cmd is passed as one string with shell=True, so any shell metacharacters
        # it contains (for example from a filename) are interpreted by the shell
        result = subprocess.run(
            cmd, shell=True, capture_output=True, text=True, cwd=cwd
        )
        if result.returncode != 0:
Finding: result = subprocess.run(cmd, shell=True, capture_output=True, text=True, cwd=cwd)

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Confidence: 97%
Content (excerpt from inside a larger function; indentation normalized, comment translated, path join corrected):
    # subprocess, shutil and pathlib.Path come from the module's own imports
    shutil.copy(revised_path, tmp_input)
    # Use LibreOffice to convert to PDF and then back to docx (tracked changes are lost)
    # tmp_input is interpolated into a single shell string, so an unusual filename reaches the shell
    cmd = f'libreoffice --headless --convert-to docx --outdir "{tmpdir}" "{tmp_input}" 2>/dev/null'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    if result.returncode == 0:
        # build '<stem>.docx' as one filename; the original appended '.docx' as a
        # separate path component, which yields '<stem>/.docx' and can never exist
        converted = Path(tmpdir) / (tmp_input.stem.replace('-审查版', '') + '.docx')
        if converted.exists():
Finding: result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

subprocess module call
Severity: Medium
Category: Dangerous Code Execution
Confidence: 96%
Content (excerpt; the scanner's window begins at the tail of the preceding branch):
    # subprocess and sys come from the module's own imports
        return True
    print(f"[安装] 缺少依赖: {', '.join(deps)}")
    try:
        # installs whatever is missing from the package index at runtime, with no prompt
        subprocess.run([sys.executable, '-m', 'pip', 'install', '-q'] + deps,
                       check=True)
        print("[安装] 依赖安装完成")
        return True
Finding: subprocess.run([sys.executable, '-m', 'pip', 'install', '-q'] + deps, check=True)

Intent-Code Divergence
Severity: Medium
Confidence: 94%
Finding: The example recommends that "arbitration or litigation may be chosen", which directly conflicts with the review principle stated earlier in section 3.2, "whether the dispute-resolution mechanism is uniquely determined". If the review agent generates clauses following this example, it may produce invalid or highly uncertain dispute-resolution agreements, leading to jurisdictional disputes, procedural delays, or even a party being unable to assert its rights as expected. In a contract-review skill, a methodological conflict of this kind is reused systematically, so it is more dangerous than an ordinary document inconsistency.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding: `process_unpacked_dir` modifies `input_dir/word/document.xml` in place before checking whether the caller intended to preserve the source and copy results elsewhere. This can silently destroy original review artifacts in a legal-document workflow, causing integrity and auditability problems and making recovery impossible if the input directory was meant to be read-only source data.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: Auto-installing missing dependencies via pip goes beyond the stated OCR purpose and causes the module to fetch and install code from external package sources during normal operation. That creates a supply-chain and environment-tampering risk, especially in agent or automation environments where execution may occur unattended and with elevated filesystem or network access.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The skill emphasizes writing revisions directly into Word documents but does not state whether it edits the original file in place, creates backups, or preserves document integrity. In a legal workflow, silent modification of source contracts can overwrite evidence, destroy clean originals, or cause users to submit unintended edits.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The detection keywords are broad, generic M&A terms such as “收购” (acquisition), “并购” (merger and acquisition), and “交割” (closing), with no contextual constraints or disambiguation logic. In a contract-review skill, this can cause misclassification of unrelated documents, leading the system to apply the wrong review checklist, risk library, and legal guidance, which can produce materially inaccurate legal analysis.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The code removes comments, accepts revisions, deletes `comments.xml`, and rewrites relationship and content files without any confirmation, backup, or irreversible-change warning. In this contract-review context, that can erase evidence of negotiation history, reviewer intent, and legal redlines, which is operationally and compliance-sensitive even though it is not a classic exploit primitive.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The script installs missing packages without any explicit consent, warning, or dry-run behavior, so simply processing a PDF can modify the host Python environment. In managed or sensitive environments, silent package installation can break reproducibility, bypass change controls, and expose the system to malicious or substituted packages from package indexes.

VirusTotal

67/67 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.