ClawHub

Use when user wants to review material forms for data sharing catalogs, field completeness, platform consistency, and issue-list output. Triggers include「材料审核」「共享清单审核」「检查文档审查」「平台对接核对」「编目一致性检查」.

v1.0.0

Use when user wants to review material forms for data sharing catalogs, field completeness, platform consistency, and issue-list output. Triggers include「材料审...

0· 202·0 current·0 all-time
byli.haojie@github7265
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, reference docs, and the included Python audit script all align: they parse .docx submissions, apply field/rule checks, and produce structured output and issue lists. One inconsistency: the skill metadata declares a required binary (markdownlint-cli2) but neither the SKILL.md nor the included script references or needs this linter. This is likely an unnecessary/declarative requirement rather than malicious.
Instruction Scope
SKILL.md explicitly instructs the agent to run the bundled script against user-supplied .docx files and templates and to produce local output files (structured_data.json, issues.json, audit_report.md). The instructions do not ask for unrelated system files, extra environment variables, or network endpoints. The script parses document contents (including fields like DB IP/password if present in the document) — which is expected for form auditing but means sensitive values embedded in submissions will be read and included in outputs.
Install Mechanism
There is no install spec (the package is run directly), which is low risk. The skill bundles a Python script (no external downloads). The only minor concern is the declared required binary (markdownlint-cli2) without an install path or use; absence of an install spec means the agent may fail if that binary is expected but missing, but this is a usability/metadata issue, not an active risk.
Credentials
The skill does not request environment variables or external credentials. The script extracts information from user-supplied documents (which can include sensitive fields such as database IPs, ports, or password notes); this is proportionate to the stated purpose but users should avoid feeding documents containing secrets they don't want processed or stored.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. It writes output to a user-specified output directory only. No signs of it attempting to alter agent configuration or persist beyond its expected output files.
Assessment
This skill appears to do what it says: it parses .docx submission files and produces issue lists and structured data locally. Before using it: (1) Review the bundled script if you can (it runs locally and in the provided fragment has no network calls). (2) Do not process documents that contain live credentials or secrets you don't want extracted — the script will parse fields like DB IP/port/password notes if those are present in the submission. (3) Note the metadata lists markdownlint-cli2 though the skill doesn't use it; that may be a harmless metadata artifact but could cause an expectation of that tool being available. If you have any doubt, run the script in an isolated environment or inspect the rest of the script (the provided file was truncated in the manifest) to confirm there are no unexpected network operations.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a8at48kkf2ks10bky7bdqd582s6tc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📋 Clawdis
Any binmarkdownlint-cli2

Comments