Docxtpl
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Word-document generation purpose, but its batch helper can let CSV data write output files outside the chosen folder.
Use this skill cautiously for batch jobs: only process trusted CSV/TSV files, avoid row IDs that contain slashes or path characters, and check generated paths before enabling overwrite. Consider pinning the docxtpl package version and using autoescape when rendering untrusted text into templates.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed CSV could cause the agent to create or overwrite documents in unintended locations instead of only inside the requested output folder.
A value from the CSV file is used directly as part of the output path. If it contains '../' or an absolute path, generated files may be written outside the selected output directory; with --overwrite, existing files with matching .docx paths could be replaced.
base_name = row[args.id_column].strip()
output_path = out_dir / f"{base_name}{args.suffix}.docx"Sanitize batch filenames, reject absolute paths and path separators, resolve the final path, and enforce that it remains inside the chosen output directory before writing.
The installed package version may change over time, which can affect behavior or reproducibility.
The skill depends on installing an external Python package from the package ecosystem. This is disclosed and central to the skill, but no version pin is provided.
pip: docxtpl ... pip install docxtpl # For subdocuments support: pip install "docxtpl[subdoc]"
Install from a trusted package index and consider pinning a known-good docxtpl version for repeatable use.