bruce-doc-converter-skill
AdvisoryAudited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may execute third-party package code on the local machine.
The skill relies on installing an external package that is not bundled with the reviewed artifacts and is not version-pinned.
pipx install bruce-doc-converter ... uv tool install bruce-doc-converter ... pip install --user bruce-doc-converter
Install it only from a trusted package source, prefer an isolated environment such as pipx or a venv, and pin or verify the package version when possible.
If the CLI output is unexpected or compromised, the agent could run a local command the user did not explicitly approve.
This tells the agent to execute a command supplied in the CLI's JSON response, but the skill does not whitelist the allowed command or require user confirmation.
If Markdown to Word returns `DEPENDENCY_INSTALL_REQUIRED`, run `next_command` when present, otherwise run `bdc setup-node`, then retry.
Only run known setup commands such as `bdc setup-node`, validate any `next_command` before execution, and ask the user before running dynamically supplied commands.
Private document contents may become visible to the agent during conversion and analysis.
The skill intentionally places converted document contents into the agent's working context so they can be read or analyzed.
Office/PDF inputs include `markdown_content` for direct analysis.
Use the skill only on documents you are comfortable having the agent read, and avoid broad batch conversion of sensitive folders.