Skill v1.0.0

ClawScan security

机关公文排版skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 3:34 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is coherent with its stated purpose (automatically formatting Word documents), does not request secrets or network access, but contains minor implementation issues (a table-processing bug and font availability assumptions) you should review before use.
Guidance
This skill appears to do what it says: format .docx files locally using python-docx. Before installing/using it:
1) Install python3 and python-docx in a controlled environment (virtualenv) and test on non-sensitive sample documents.
2) Be aware the script assumes several Chinese fonts; if fonts are missing the output may be incorrect (references mention halting on missing fonts but the script doesn't enforce that).
3) The script contains a bug in the table formatting loop (uses an undefined variable row_index) that can cause a runtime error; you may need to fix that or avoid documents with tables until patched.
4) The SKILL.md example path may not match your installation layout; run the bundled format_gw.py directly.
No secrets or network access are requested, so main risks are functional (fonts, formatting) rather than data-exfiltration.

Review Dimensions

Purpose & Capability
ok
Name/description match the included code: format_gw.py uses python-docx to adjust fonts, margins, headings, tables and save a new .docx. The required runtime (python3) and declared dependency (python-docx in SKILL.md) are consistent with this purpose.
Instruction Scope
note
Runtime instructions only run the formatter on an input .docx and produce an output .docx (no network calls, no env vars). Notes: SKILL.md shows an example invocation path (~/.npm-global/...), which may be incorrect depending on how the skill is installed; references/format-rules.md mentions stopping when fonts are missing but the code does not implement a font-availability check. The code only reads the provided input file and local reference file, so scope is limited to document processing.
Install Mechanism
ok
No install spec (instruction-only with a bundled Python script). This minimizes install-time risk. The script requires the third-party python-docx package (not enforced by registry metadata), which is a common Python dependency.
Credentials
ok
No environment variables, credentials, or config paths are requested or accessed. The skill does not attempt to read unrelated system files or network endpoints.
Persistence & Privilege
ok
always is false and the skill does not request persistent or elevated privileges. It does not modify other skills or system-wide settings.