DocuClaw
Security checks across static analysis, malware telemetry, and agentic risk
Overview
DocuClaw is purpose-aligned with document processing, but its artifacts make broad sensitive-document and external-sync claims while also promising local-only privacy despite naming a cloud AI provider.
Review this skill carefully before use. It is designed for sensitive documents, so only use it if you understand where the documents are stored, whether any cloud AI provider such as OpenAI is enabled, and whether sync actions to calendar or accounting tools require your approval.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors reported this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
**Impact**: A user may process invoices, contracts, receipts, or emails believing they stay local, while some configurations could send document images or contents to a cloud AI service.

**Finding**: The documentation promises local-only handling of private documents while also naming OpenAI Vision, which is normally a cloud provider. That contradiction could cause users to trust privacy guarantees that may not hold.

> **100% Local**: Zero cloud dependency. Your private data never leaves your hardware. ... Supports Ollama, OpenAI Vision, or any multimodal model

**Recommendation**: Clearly separate local-only modes from cloud-provider modes, warn before any cloud use, and require explicit user selection before sending documents to external AI services.

**Impact**: Sensitive documents may become part of a persistent searchable context that future agent tasks can retrieve or over-trust without clear user controls.

**Finding**: The skill describes broad persistent archiving and retrieval over highly sensitive personal, financial, and legal documents, but does not define scope, exclusions, retention, or reuse boundaries.

> Maintain a local-first, GDPR/GoBD compliant archive of all physical and digital mail. ... allowing AI agents to perform RAG ... over your local document archive

**Recommendation**: Define an explicit vault path, input allowlist, exclusion rules, retention policy, and per-query approval or redaction behavior for sensitive archived material.

**Impact**: Incorrect extracted dates, amounts, taxes, or contract terms could be propagated into important business or financial tools without a clearly described review step.

**Finding**: Syncing AI-extracted document data to calendar or accounting systems can mutate external records, but the artifacts do not specify user confirmation, validation, destination scope, or rollback.

> **Action**: The extracted data is synced to your calendar or accounting tool.

**Recommendation**: Require explicit user approval before any sync, show the extracted fields and destination, and document how to undo or correct synced records.

**Impact**: Users would need to obtain or trust an external `docuclaw` command that was not included in this review.

**Finding**: The skill references a command, but the provided package has no install spec or code files, so the reviewed artifacts do not establish what implementation would run.

> Run `docuclaw process` to trigger AI extraction.

**Recommendation**: Provide reviewed install instructions, source location, and command implementation, or clarify that the command is only an example and not supplied by this skill.
