contract-review
Warn
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill metadata references an external Model Context Protocol (MCP) server, @clawfu/mcp-skills. This is an unverifiable dependency, as the author 'ClawFu' is not in the trusted source list. Loading external MCP servers can grant the agent additional capabilities or tool access not explicitly defined in the skill markdown.
- [PROMPT_INJECTION] (LOW): As a contract review tool, this skill is designed to ingest and process untrusted external data (legal contracts). This creates a surface for indirect prompt injection, where malicious instructions embedded in contract text could influence the agent's summary or risk assessment. However, the risk is mitigated because the skill, based on the provided file, does not currently demonstrate automated write or execution capabilities.
Audit Metadata