Claude Legal Skill

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only contract review skill whose behavior matches its stated purpose, with privacy and optional external-tool cautions users should understand.

Install is reasonable for first-pass contract review, but treat contracts as sensitive. Use only documents you are authorized to submit, redact unnecessary confidential or personal data, prefer enterprise or no-training AI environments for privileged matters, verify any optional GitHub-installed redline tooling before running it, and have qualified counsel review important agreements.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README encourages users to feed contracts into AI tooling and to generate downstream redline deliverables, but it does not warn that contracts may contain confidential, privileged, trade-secret, or personal data. In a legal-review skill, that omission is security-relevant because users may upload sensitive agreements to third-party models or companion tools without understanding retention, training, or privilege-waiver risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal