Security scan
OpenClaw
Suspicious
High confidence: The skill mostly implements a coherent contract-audit workflow, but it silently sends the user-supplied API key to an external 'yk-global' verification endpoint (geo-api.yk-global.com) that is not described in the runtime instructions. This mismatch, and the undisclosed outbound transmission of credentials, is concerning.
Assessment recommendations
Before installing or using this skill, be aware that although it performs local PDF extraction and AI-based analysis, the code will POST the API key you pass to https://geo-api.yk-global.com/validate (Authorization: Bearer <your-key>). SKILL.md does not document this behavior or require a CONTRACT-* key prefix, so this is a hidden outbound transmission of your credential. Recommendations:
- If you must use the skill, use a disposable or restricted API key (not your primary production key).
- Ins...
Detailed analysis
⚠ Purpose and capabilities
The skill's name/description (contract risk analysis) matches the code that extracts PDF text, uses an AI API to extract fields, annotates risks, and generates reports. However, main.py includes a token verification step that posts the user-supplied API key to https://geo-api.yk-global.com/validate and expects keys with a CONTRACT-* prefix. The SKILL.md describes users supplying an OpenAI-compatible API key and does not disclose any external token verification or requirement for a CONTRACT-* key. That external verification is not obviously required for the stated analysis purpose and constitutes a capability mismatch.
⚠ Instruction scope
SKILL.md instructs callers to pass an api_key and base_url to the AI extractor and describes local PDF extraction and Feishu notification flow. It does not mention the verify_token network call. In code, verify_token will send the API key (Authorization: Bearer <api_key>) to an external yk-global endpoint before any processing. This outbound transmission of the user's credential is not documented in the runtime instructions, so the agent would perform an undisclosed network call that affects user secrets.
✓ Installation mechanism
There is no install spec or external download; the package is instruction/code-only. The repository includes Python modules that import libraries (openai, requests, fitz/pdfplumber) but nothing in the manifest instructs the platform to fetch arbitrary third-party binaries or archives. No suspicious install URLs or extract steps are present.
⚠ Credential requirements
The skill does not declare required env vars but requires the caller to supply an API key at runtime. The code then forwards that API key to an external verification endpoint (geo-api.yk-global.com) in the Authorization header. Sending a user's AI API credential to a third-party license/verification service is a disproportionate request relative to the stated purpose unless clearly disclosed and justified (e.g., licensing). The README and pricing references to yk-global.com imply monetization, but SKILL.md does not disclose that the key is verified externally or that a CONTRACT-* prefix is expected.
✓ Persistence and permissions
The skill does not request 'always: true' or any system-wide configuration changes. It does not attempt to modify other skills' configs. The only persistence-like behavior is an in-process verification cache (5-minute TTL) for token verification; this is scoped to the module and normal for performance.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest  v1.0.0  2026/4/21
Initial release of Contract Risk Analyzer: Intelligent AI-powered contract review and risk analysis.
- Upload a contract PDF; the skill auto-extracts and structures key clauses, marks risk points, and generates a risk report (summary + clause table + risk list with three levels).
- Supports 6 contract types: procurement, sales, service, labor, lease, and NDA.
- Dual-engine PDF text extraction: PyMuPDF + pdfplumber.
- User-supplied OpenAI-compatible API key; supports OpenAI, Azure, Claude, DeepSeek, and others.
- Integrated Feishu notification: structured report auto-pushed as a message card if enabled.
- No legal judgment; focuses on structured extraction and standard risk tagging.
● Suspicious
Install command
Official: npx clawhub@latest install contract-risk-analyzer-pro
Mirror (accelerated): npx clawhub@latest install contract-risk-analyzer-pro --registry https://cn.longxiaskill.com