Security scan
OpenClaw
Security
Medium confidence: The skill's code, documentation, and runtime instructions are consistent with a contract-risk review tool and do not request credentials or install external components — no obvious exfiltration or unrelated capabilities were observed in the reviewed portions, but the full source file was truncated so complete review is not possible here.
Assessment recommendations
This skill appears internally consistent for automated contract review: it analyzes provided contract text and returns risks, suggestions and legal citations without requesting credentials or performing installs. Before installing or using it:
- Review the full index.js for any network or filesystem operations (the supplied file excerpt was truncated).
- Avoid submitting contracts containing sensitive personal data until you confirm there is no telemetry or remote logging.
- Note the pricing ...
✓ Purpose and capabilities
Name, description, SKILL.md, README and manifest consistently describe a contract risk-reviewer. The JS implements many regex-based rules and produces suggestions/legal citations consistent with that purpose. Minor incoherence: pricing metadata differs between SKILL.md (monthly) and manifest (one-time); also the package includes an executable JS file even though there's no install spec (not necessarily harmful but worth noting).
✓ Instruction scope
SKILL.md instructs the agent to accept contract text and produce a risk list, suggestions, and revised clauses — and the index.js logic shown performs those text analyses. The instructions do not ask the agent to read unrelated files, environment variables, or to transmit data externally. Note: many rule checks are role-sensitive (they expect '甲方'/'乙方', i.e. Party A / Party B); the manifest default 'my_role' = '通用' (general) may reduce effectiveness unless the user supplies an explicit role.
✓ Installation mechanism
No install spec is provided (instruction-only), which reduces install-time risk. A code file (index.js) is included; the provided excerpt shows only local text processing (regex checks). No downloads, package installs, or external URLs were observed in the reviewed snippet.
✓ Credential requirements
The skill declares no required environment variables, no credentials, and no config paths. The runtime behavior visible in the source performs local text analysis and references Chinese statutory citations — the environment/credential access requested is proportionate to the stated purpose.
✓ Persistence and permissions
The always flag is false (the default), and there is no indication the skill modifies other skills or requests permanent elevated privileges. Autonomous invocation is enabled by default but is not combined with other concerning indicators.
Security comes in layers; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.0.0 (2026/4/15)
Paid skill, first release
● Benign
Install command
Official: npx clawhub@latest install contract-risk-reviewer
Mirror (accelerated): npx clawhub@latest install contract-risk-reviewer --registry https://cn.longxiaskill.com
Skill documentation
A professional-grade contract risk review tool that automatically identifies 20+ categories of common risk clauses and provides revision suggestions and legal references.
Trigger conditions
When the user needs to:
- Review risk clauses in a contract text
- Identify common problems such as unequal rights and obligations or vaguely defined breach terms
- Obtain revision suggestions and legal references
Execution flow
- Receive the contract text supplied by the user
- Scan clause by clause to identify risk categories:
- For each risk point, provide: risk level, revision suggestion, legal basis
- Generate a complete review report
Output format
- Risk list (sorted by severity)
- Clause-by-clause revision suggestions
- Legal reference citations
- Revised contract text
Notes
- This tool provides risk guidance for reference only and does not replace formal legal advice
- For significant contracts, consult a qualified lawyer