Docxtpl
AdvisoryAudited by Static analysis on May 9, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed CSV could cause the agent to create or overwrite documents in unintended locations instead of only inside the requested output folder.
A value from the CSV file is used directly as part of the output path. If it contains '../' or an absolute path, generated files may be written outside the selected output directory; with --overwrite, existing files with matching .docx paths could be replaced.
base_name = row[args.id_column].strip()
output_path = out_dir / f"{base_name}{args.suffix}.docx"Sanitize batch filenames, reject absolute paths and path separators, resolve the final path, and enforce that it remains inside the chosen output directory before writing.
The installed package version may change over time, which can affect behavior or reproducibility.
The skill depends on installing an external Python package from the package ecosystem. This is disclosed and central to the skill, but no version pin is provided.
pip: docxtpl ... pip install docxtpl # For subdocuments support: pip install "docxtpl[subdoc]"
Install from a trusted package index and consider pinning a known-good docxtpl version for repeatable use.