Doccraft
Pass
Audited by ClawScan on May 1, 2026.
Overview
Doccraft appears to be a coherent document-drafting and Word-file editing skill, with expected local file and dependency risks users should scope carefully.
Install this if you want an agent to read project materials and draft or edit Word deliverables. Before using it, choose a narrow source folder, work on document copies, use trusted DOCX dependencies, and review all generated/redlined files before sharing or submitting them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may alter Word documents or produce tracked-change versions; mistakes could affect official or business deliverables.
The skill is explicitly intended to modify or redline Word documents, including potentially important third-party or formal documents. This is expected for the purpose, but users should review changes carefully.
Edit or redline existing `.docx` files ... Default to tracked changes or comments for government, legal, academic, commercial, or third-party documents.
Work on copies, confirm the exact input and output files, and review tracked changes or comments before relying on the final document.
Running DOCX generation will execute code from the installed/resolved docx module, so an untrusted local package path could affect the environment.
DOCX generation loads a local or environment-specified Node module. That is purpose-aligned, but the skill does not pin or verify the external module in the provided artifacts.
if (process.env.SGDB_DOCX_MODULE) { candidates.push(process.env.SGDB_DOCX_MODULE); } candidates.push("docx");
Use a trusted installation of the docx package, avoid pointing SGDB_DOCX_MODULE at untrusted paths, and prefer pinned dependencies in controlled workspaces.
If a broad folder is supplied, the agent may include unrelated private file paths or source details in working manifests and downstream drafting context.
The manifest helper recursively inventories user-specified files or directories, which can capture sensitive file names and project structure as working context.
parser.add_argument("inputs", nargs="+", help="Files or directories to scan") ... for root, dirnames, filenames in os.walk(path):
Provide only the folders needed for the document, exclude unrelated private materials, and review generated manifests or section briefs before using them downstream.
