Skill v1.0.0

ClawScan security

Doc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 3, 2026, 12:20 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with its stated purpose (editing and visually validating .docx files); it doesn't request credentials or contain hidden network endpoints.
Guidance
This skill is coherent and generally safe for working with DOCX files, but take ordinary precautions: run it in an isolated environment for untrusted documents (DOCM files can contain macros) and avoid opening unknown attachments with macros enabled. Install LibreOffice and Poppler from official repositories (brew/apt or vendor websites). The helper script invokes local commands (soffice, pdftoppm) and writes output files (it can overwrite existing output files), so review output paths and run on copies of originals if you need to preserve source files. If you cannot install the system tools in this environment, the skill will fall back to extracting text only; the SKILL.md explains how to proceed. Finally, the SKILL.md mentions a tool called "uv" for dependency management; if unfamiliar, ignore that line and use pip directly as shown.

Review Dimensions

Purpose & Capability
ok · Name and description (DOCX editing and visual fidelity) match the included SKILL.md and the bundled scripts. The script's use of python-docx, LibreOffice (soffice), Poppler (pdftoppm), and pdf2image is expected for rendering and layout checks.
Instruction Scope
ok · SKILL.md stays on task: it describes installing python packages and system tools, running the bundled render_docx.py, converting DOCX→PDF→PNG, and cleaning up temp files. The instructions reference only the input DOCX, temporary and output dirs, and required render tools; they do not ask for unrelated files, environment variables, or external endpoints.
Install Mechanism
ok · There is no automated install spec or remote download; the skill is instruction-only with a bundled helper script. Recommended system packages are installed via standard package managers (brew or apt) and Python packages via pip; no obscure or remote install URLs are used.
Credentials
ok · The skill declares no environment variables or credentials. The runtime accesses only local tools (soffice, pdftoppm) and local filesystem paths described in the SKILL.md; this is proportional to the stated functionality.
Persistence & Privilege
ok · always is false and the skill is user-invocable. The included script operates on user-supplied files and temporary/output directories; it does not attempt to persist configuration, modify other skills, or change system-wide agent settings.