vendor-agreement-review

SUSPICIOUS: the core legal-review behavior is coherent and largely proportionate, with good user-confirmation gates for external actions. The main risk is not overt malware but unverifiable transitive trust: the skill delegates to other skills and remote MCP integrations without specifying the exact servers, publishers, or data endpoints that will receive privileged legal content.