
legal:review-contract — Contract Review Against Playbook

Review an executed or draft B2B contract (MSA, SOW, SaaS agreement, DPA, license, partnership, contractor IP assignment, reseller agreement) against the organization's negotiation playbook — flag clause-by-clause deviations, generate redlines with fallback positions, and prioritize must-haves vs. concessions. Use when the user pastes or attaches a counterparty's contract and asks to "review", "redline", "negotiate", "flag issues in", "find risks in", or "give negotiation strategy for" that contract. Do NOT use for standalone NDAs (use legal:triage-nda), for auditing the user's own customer-facing legal docs like ToS, privacy policies, refund policies, or HIPAA notices (use legal:legal-audit), for listing what agreements are already on file with a vendor (use legal:vendor-check), for asking whether a planned action or feature is compliant with a regulation (use legal:compliance-check), for severity-by-likelihood risk scoring without a contract document (use legal:legal-risk-assessment), or for sending an already-finalized contract for signature (use legal:signature-request).

ID: general.commercial.review-contract-nmoralescyber Version: 0.1.0 License: MIT Author: nmoralescyber Language: en Added: 2026-06-01

If you see unfamiliar placeholders or need to check which tools are connected, see CONNECTORS.md.

Review a counterparty's B2B contract against the organization's negotiation playbook. Analyze clauses, flag deviations, generate redlines with fallback positions, and provide business-impact analysis.

Important: This assists with legal workflow but is not legal advice. A qualified attorney must review before reliance.

When to use this skill vs. an adjacent one

| If the user wants to… | Use this skill | Use instead |
|---|---|---|
| Redline a counterparty's MSA / SOW / SaaS agreement | legal:review-contract | |
| Triage an inbound standalone NDA | | legal:triage-nda |
| Audit the user's own customer-facing ToS / privacy policy / disclaimer | | legal:legal-audit |
| List what agreements exist with a vendor | | legal:vendor-check |
| Decide if a planned action / feature is regulator-compliant | | legal:compliance-check |
| Score a risk by severity × likelihood (no document) | | legal:legal-risk-assessment |
| Send a finalized contract for signature | | legal:signature-request |

If the user's request straddles two skills (e.g., "review and send for signature"), run legal:review-contract first, then hand off.

Invocation

legal:review-contract <contract file or URL>

Review the contract: @$1

Workflow

Step 1: Accept the contract

Accept PDF, DOCX, URL (CLM, Box, Egnyte, SharePoint), or pasted text. If none provided, prompt for one.

Step 2: Gather context (one short turn)

Ask for:

  1. Side: vendor/supplier, customer/buyer, licensor, licensee, partner
  2. Deadline
  3. Focus areas (e.g., "data protection critical", "IP ownership is the key issue")
  4. Deal context: size, strategic importance, existing relationship, regulated data involved (PII, PHI, PCI), counterparty location

If partial context, proceed and note assumptions.

Step 3: Load the playbook

Look for legal.local.md or similar in local settings.

The playbook should define standard positions, acceptable ranges, and escalation triggers.

Playbook coverage tiers:

  • Full playbook: all major clause categories defined → cite the playbook position for every clause and flag any deviation.
  • Partial playbook: some clauses defined → use playbook positions for covered clauses (cite explicitly), and use commercial-standard defaults for the rest (label as "DEFAULT" in the output so the user can see where the playbook is silent).
  • No playbook: tell the user, then offer to (a) bootstrap one by walking through positions for the top 8 clauses, or (b) proceed entirely on commercial-standard defaults — labeled clearly throughout.

For every clause, the output must show one of: [Playbook §X.Y] (cite section), [DEFAULT — market standard], or [Playbook silent — using DEFAULT]. Never silently substitute a default for a playbook position. Every redline must end with the citation that justifies it (see worked example in references/REFERENCE.md).

Step 4: Clause-by-clause analysis

  1. Identify contract type (SaaS, services, license, partnership, procurement, contractor).
  2. Determine which side the user is on — this changes which protections matter.
  3. Read the entire contract before flagging — clauses interact (e.g., an uncapped indemnity may be partially mitigated by a broad limitation-of-liability (LoL) cap).
  4. Analyze each material clause against the playbook.
  5. Assess overall risk allocation.

Material clause checklist (extend if the contract type warrants):

| Clause | Key review points |
|---|---|
| Limitation of Liability | Cap amount, mutuality, carveouts, consequential-damages exclusion, separate cyber-incident sub-cap |
| Indemnification | Scope, mutuality, IP infringement, data breach, defense control |
| IP Ownership | Pre-existing IP, developed IP, work-for-hire, license grants, feedback clause, contractor assignment language |
| Data Protection | DPA required when personal data is processed (GDPR Art. 28, PR Ley de Protección de Datos), sub-processor flow-down, breach notification (72 hours under GDPR), cross-border transfer (SCCs), data residency commitments, deletion/return |
| Security | Right-to-audit / pen-test rights, security standards (SOC 2, ISO 27001), incident-notification SLA |
| Healthcare | BAA required if PHI is involved (HIPAA) |
| Payment-card | PCI-DSS flow-down if cardholder data is involved |
| Confidentiality (embedded) | Scope, term, carveouts, return/destruction — note: a standalone NDA belongs to legal:triage-nda |
| Reps & Warranties | Scope, disclaimers, survival |
| Term & Termination | Initial term, renewal, termination for convenience/cause, wind-down |
| Governing Law & Dispute Res. | PR vs. US state law toggle, venue, arbitration vs. litigation, jury/class waivers |
| Insurance | Coverage minimums, cyber-liability policy required, evidence |
| Assignment | Consent, change of control |
| Force Majeure | Scope, notice, termination rights |
| Payment | Net terms, late fees, taxes, escalation |

For deeper per-clause guidance (acceptable ranges, common counterparty pushback, sample fallbacks) and a fully worked SaaS-MSA review showing playbook-citation format end-to-end, see references/REFERENCE.md. Mirror that worked example's structure (clause read → playbook citation → deviation → severity → redline with citation → two fallbacks) for every YELLOW/RED finding you produce.

Step 5: Flag deviations (GREEN / YELLOW / RED)

  • GREEN — Acceptable: Aligns with or beats the standard position. Note for awareness.
  • YELLOW — Negotiate: Outside standard but within market range. Provide redline language, fallback position, and business impact of accepting as-is.
  • RED — Escalate: Outside acceptable range, triggers an escalation criterion, or material risk. Provide why-it's-red, market-standard alternative, exposure estimate, and recommended escalation path (senior counsel / outside counsel / business decision-maker).

Cybersecurity-specific RED triggers (always escalate when present):

  • Uncapped liability or general cap that swallows cyber incidents (no separate sub-cap)
  • Personal data processed with no DPA offered
  • PHI processed with no BAA offered
  • Sub-processor blanket pre-authorization with no notification rights
  • IP assignment that captures the user's pre-existing IP or open-source contributions
  • Data residency that forces transfer out of contractually required region
  • No right-to-audit, or an outright pen-test prohibition, for a security-sensitive vendor

Cyber-exposure quantification matrix (run for any contract touching personal data or production systems):

Step A — Estimate floor incident cost:

| Data type | Per-record baseline (USD) | Source |
|---|---|---|
| General PII | $165 | IBM Cost of a Data Breach 2024 |
| Healthcare / PHI | $408 | IBM 2024 (highest sector) |
| Financial | $295 | IBM 2024 |
| Customer-facing SaaS (avg) | $180 | IBM 2024 sector avg |

Floor incident cost = records-at-risk × per-record baseline. Add forensic ($150K–$500K typical), notification + credit-monitoring (~$5–15/record), legal defense ($250K–$2M), business interruption.

Step B — Layer regulatory penalty exposure by jurisdiction (parallel, not exclusive):

| Jurisdiction | Statutory cap / formula | Trigger |
|---|---|---|
| GDPR (EU) | Greater of €20M or 4% of global annual revenue | EU data subjects affected |
| CCPA/CPRA (CA) | $2,500/violation; $7,500/intentional; $750/consumer statutory damages | CA residents' data |
| HIPAA | $137 – $2.07M per violation/year (tiered, 2024 adjusted) | PHI involved |
| NY SHIELD | $5,000/violation, no cap | NY residents' data |
| PR Ley 111 | $500–$5,000 per violation + notification costs + AG action | PR residents' data |
| FTC Act §5 | No statutory cap; consent decree can reach $5B (Equifax precedent) | Unfair/deceptive practice |

Step C — Sub-cap erosion check:

Compute single-incident exposure ÷ proposed cyber sub-cap. If ratio > 0.5, the sub-cap is eroded by one incident with no headroom for a second. Flag RED and require: (a) sub-cap reset on annual basis OR (b) per-incident cap rather than aggregate OR (c) cyber-liability policy gap-filler.

Step D — Decision rule:

| Cap vs. exposure | Action |
|---|---|
| Cap ≥ exposure | GREEN — note for awareness |
| Cap = 0.5–1.0× exposure | YELLOW — request sub-cap raise OR insurance gap-filler |
| Cap < 0.5× exposure | RED — escalate; require (a) separate cyber sub-cap at exposure level, (b) cyber/data-breach carveout from general cap, OR (c) cyber-liability insurance with user named as additional insured covering the gap |
| No cap data possible (uncapped breach indemnity vendor-side) | GREEN for user; verify vendor solvency / insurance backing |
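As an added worked example (not the skill's own code), here is the Step A–D matrix in Python using the page's per-record baselines, regulatory formulas and decision thresholds. The record counts, add-on cost defaults and sub-cap figures are constructed assumptions; Step C's erosion flag is reported alongside the Step D rating rather than merged into it.

```python
# Added example: the Step A-D cyber-exposure matrix in code. Baselines and
# thresholds come from the page; record counts, add-ons and caps are constructed.

# Step A per-record baselines (USD), as cited on the page from IBM 2024.
PER_RECORD_USD = {"pii": 165, "phi": 408, "financial": 295, "saas": 180}


def floor_incident_cost(records, data_type, forensic=150_000,
                        notify_per_record=5, legal_defense=250_000,
                        business_interruption=0):
    """Step A: records-at-risk x baseline, plus the add-on buckets the page lists.
    Defaults (assumed) sit at the low end of each range the page gives."""
    base = records * PER_RECORD_USD[data_type]
    return (base + forensic + records * notify_per_record
            + legal_defense + business_interruption)


def gdpr_upper_tier(global_annual_revenue_eur):
    """Step B (EU): greater of EUR 20M or 4% of global annual revenue."""
    return max(20_000_000, 0.04 * global_annual_revenue_eur)


def ccpa_statutory_damages(ca_consumers):
    """Step B (CA): $750 per consumer in statutory damages."""
    return 750 * ca_consumers


def subcap_erosion_ratio(single_incident_exposure, cyber_subcap):
    """Step C: exposure / proposed sub-cap; > 0.5 means one incident leaves
    no headroom for a second."""
    return single_incident_exposure / cyber_subcap


def rate_cap(cap, exposure):
    """Step D decision rule; cap=None models an uncapped vendor-side breach indemnity."""
    if cap is None:
        return "GREEN", "uncapped vendor-side: verify vendor solvency / insurance backing"
    if cap >= exposure:
        return "GREEN", "note for awareness"
    if cap >= 0.5 * exposure:
        return "YELLOW", "request sub-cap raise OR insurance gap-filler"
    return "RED", "escalate: separate cyber sub-cap, cyber carveout, or named-insured policy"


def assess(records, data_type, cyber_subcap):
    """Run Steps A, C and D for one liability clause and return the findings."""
    exposure = floor_incident_cost(records, data_type)
    rating, action = rate_cap(cyber_subcap, exposure)
    eroded = cyber_subcap is not None and subcap_erosion_ratio(exposure, cyber_subcap) > 0.5
    return {"exposure": exposure, "rating": rating, "action": action, "eroded": eroded}


if __name__ == "__main__":
    # Constructed deal: 20,000 PII records, counterparty offers a US$5M cyber sub-cap.
    print(assess(20_000, "pii", 5_000_000))
```

In the constructed 20,000-record PII case the cap beats the US$3.8M exposure (Step D GREEN) yet the 0.76 erosion ratio still trips Step C, which is why the page says to run both checks.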

Step 6: Generate redlines

For every YELLOW and RED:

**Clause**: [Section reference and name]
**Current language**: "[exact quote]"
**Proposed redline**: "[specific replacement language — show inserts in **bold** and deletions in ~~strikethrough~~]"
**Rationale**: [1–2 sentences, suitable for sharing with counterparty's counsel]
**Priority**: [Must-have / Should-have / Nice-to-have]
**Fallback 1**: [first compromise position]
**Fallback 2**: [walk-away or escalation trigger]

Be specific (ready to insert), balanced (firm on critical, reasonable elsewhere), prioritized, and include at least one fallback for every RED so the negotiator never has to improvise live.

Reusable redline snippets (use as starting points, customize to the contract):

  • Mutual liability cap: "Each party's aggregate liability under this Agreement shall not exceed the greater of (a) the fees paid or payable in the twelve (12) months preceding the event giving rise to the claim or (b) US$[X]."
  • Cyber sub-cap carveout: "Notwithstanding the foregoing, each party's liability for breach of its data-protection or information-security obligations shall be capped at the greater of US$[Y] or [N]× the General Cap."
  • DPA flow-down: "The parties shall execute the Data Processing Addendum attached as Exhibit [X] prior to any Processing of Personal Data. Sub-processors require [30] days prior written notice and the right to object."
  • Right-to-audit: "Customer (or its independent auditor under NDA) may, no more than once per twelve (12) months on [30] days notice, audit Vendor's compliance with security and data-protection obligations."
  • IP carveout: "Each party retains all right, title, and interest in its Pre-Existing IP and any Independently Developed IP. No license is granted except as expressly set forth herein."

Step 7: Business-impact summary

  • Overall risk profile
  • Top 3 issues
  • Negotiation strategy: lead with Tier 1 must-haves, trade Tier 3 to win Tier 2, never concede Tier 1 without escalation
  • Timeline considerations

  • Tier 1 (deal-breakers): uncapped/insufficient liability, missing DPA/BAA for regulated data, IP provisions that jeopardize core assets, terms that conflict with regulatory obligations.
  • Tier 2 (strong preferences): cap adjustments within range, indemnification scope/mutuality, termination flexibility, audit rights.
  • Tier 3 (concession candidates): preferred governing law (if alternative acceptable), notice periods, minor definitional improvements, insurance certificates.

Step 8: CLM routing (if connected)

If a CLM MCP is connected, recommend the approval workflow and routing path based on contract type and risk level. Otherwise skip.

Output format

## Contract Review Summary
Document | Parties | Your Side | Deadline | Review Basis (Playbook / Generic)

## Key Findings
[Top 3–5 issues with severity flags]

## Clause-by-Clause Analysis
### [Clause] — [GREEN/YELLOW/RED]
Contract says | Playbook position | Deviation | Business impact | Redline (if YELLOW/RED)

## Negotiation Strategy
[Approach, priorities, concessions]

## Next Steps
[Specific actions]

Notes

  • Non-English contracts: ask whether the user wants translation or review in original.
  • 50+ pages: offer to focus on the most material sections first, then complete review.
  • Always remind the user to have qualified legal counsel review before relying on the analysis.
  • If the document is actually a standalone NDA, stop and recommend legal:triage-nda. If it is the user's own customer-facing legal copy, recommend legal:legal-audit.
