ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Office Docs

v1.0.0

Process and manage Microsoft Word (.docx) and WPS documents for creation, editing, format conversion, text extraction, analysis, troubleshooting, and batch o...

0· 148·2 current·2 all-time
by@baiyunrei2025
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (docx/WPS processing: create, edit, convert, extract) align with the included instructions (python-docx examples, pandoc/libreoffice/unoconv, exiftool). However some referenced libraries appear incorrect or mismatched for the stated purpose (e.g., 'pywps' is likely not a WPS Office document manipulation library), and the skill references several files (CONVERSION.md, ANALYSIS.md, TROUBLESHOOTING.md, CREATION.md, EDITING.md) that are not present in the package. These discrepancies suggest sloppy packaging or incorrect dependencies.
Instruction Scope
SKILL.md contains explicit code and shell commands that stay within the scope of document processing (reading/writing .docx, batch conversion, metadata extraction). No external network endpoints or secret access are requested. Concerns: the included references/TEXT_EXTRACTION.md is truncated and contains an apparent bug/incomplete code snippet, and SKILL.md points to multiple missing reference docs — this may lead to unpredictable behavior if an agent follows incomplete instructions.
Install Mechanism
This is an instruction-only skill with no install spec or bundled executables, so nothing will be written to disk by an installer. The skill recommends using third-party tools (python-docx, pandoc, libreoffice, exiftool) but does not install them itself — appropriate for an instruction-only skill.
Credentials
No environment variables, credentials, or config paths are requested. The listed operations only require local tools and libraries, which is proportionate to the claimed functionality.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges or self-modifying configuration. Autonomous invocation is allowed by platform default but is not combined with other high-risk factors here.
What to consider before installing
This skill appears to be a straightforward document-processing guide, but the package is incomplete and has some likely mistakes. Before installing or using it: 1) Do not run batch conversion commands on sensitive system directories — test on a safe folder first. 2) Verify the required tools (python-docx, pandoc, libreoffice, exiftool) are the intended packages and that you install them from official sources. 3) Ask the author or maintainer for the missing reference files (CONVERSION.md, TROUBLESHOOTING.md, etc.) and a corrected TEXT_EXTRACTION.md (the included file is truncated and contains an incomplete code fragment). 4) Confirm whether the 'pywps' mention is correct for WPS Office support; if not, don't rely on the skill for WPS files. Because of these inconsistencies, treat the skill as unreliable until the documentation and dependencies are clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk97acadg5xyfjhm58jp06t78c1833yhq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments