Docling

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is a coherent instruction-only wrapper for the docling CLI; the main things to notice are that it relies on an external CLI install and will fetch or parse documents into local output files.

Before installing, make sure the `docling` CLI you install is from a trusted source. Use temporary output directories, clean up parsed files after use, and do not enable remote-service or external-plugin options unless you intentionally trust that workflow.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the wrong or compromised CLI package is installed, the agent would be running that local tool when parsing documents.

Why it was flagged

The skill depends on a separately installed external CLI/package rather than reviewed bundled code. This is central to the skill's purpose, but users should verify they are installing the intended package.

Skill content

`docling` CLI must be installed (e.g., via `pipx install docling`)

Recommendation

Install docling from a trusted source, consider pinning a known-good version, and keep it updated through normal package-management practices.

What this means

The agent may create local files while processing URLs or documents, and those files can contain extracted document text.

Why it was flagged

The skill directs the agent to invoke a local CLI that fetches URL content and writes parsed output files. This is expected for document extraction and is scoped by the recommended temporary output directory.

Skill content

docling "<URL>" --from html --to text --output /tmp/docling_out

Recommendation

Use controlled temporary output directories, avoid parsing untrusted sensitive documents unnecessarily, and follow the skill's cleanup guidance after reading the output.