Review Business Requirement Document Skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill is coherent for reviewing a user-provided Word BRD, but users should note that it runs a local Python pipeline, may install dependencies, and writes a JSON copy of paragraph text.
This appears safe for its stated purpose if you intend to review a DOCX BRD locally. Before installing or using it, make sure you are comfortable running the bundled Python script, install its dependencies in a controlled environment if needed, and remember that the generated review JSON may contain a copy of the BRD's paragraph text.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill will execute local Python code to read the source DOCX and create review artifacts.
The skill's normal workflow runs a bundled Python pipeline. This is central to producing Word-native comments and tracked changes, and the commands are explicit and user-directed.
python scripts/brd_review_pipeline.py init-review ...
python scripts/brd_review_pipeline.py materialize ...
Run it only from the installed skill directory you intended to use, and review the generated files before sharing them.
Installing these packages can add external code to the local Python environment.
The dependency setup uses unpinned third-party Python packages. That is purpose-aligned for DOCX/XML processing, but package provenance and version drift are worth noting.
python -m pip install python-docx lxml
Use a virtual environment or trusted package index, and pin/approve versions if your organization requires reproducible dependencies.
Confidential requirements may be duplicated into a separate JSON file in addition to the reviewed DOCX.
The generated review JSON stores each extracted paragraph's visible text and writes it to disk, creating a persistent copy of potentially sensitive BRD content.
"source_text": text,
...
path.write_text(json.dumps(payload, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
Use an appropriate private folder for sensitive BRDs and delete or protect the intermediate review JSON when it is no longer needed.
