Docxtpl
Pass
Audited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill
Name: docxtpl
Version: 0.0.1
The docxtpl skill bundle is a legitimate wrapper for the python-docx-template library, providing tools to generate Word documents from Jinja2 templates. The included Python scripts (e.g., docxtpl-render.py, docxtpl-render-batch.py) and documentation (SKILL.md) are well-structured, follow standard practices for CLI utilities, and show no signs of malicious intent, data exfiltration, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed CSV could cause the agent to create or overwrite documents in unintended locations instead of only inside the requested output folder.
A value from the CSV file is used directly as part of the output path. If it contains '../' or an absolute path, generated files may be written outside the selected output directory; with --overwrite, existing files with matching .docx paths could be replaced.
    base_name = row[args.id_column].strip()
    output_path = out_dir / f"{base_name}{args.suffix}.docx"
Sanitize batch filenames, reject absolute paths and path separators, resolve the final path, and enforce that it remains inside the chosen output directory before writing.
The installed package version may change over time, which can affect behavior or reproducibility.
The skill depends on installing an external Python package from the package ecosystem. This is disclosed and central to the skill, but no version pin is provided.
    pip: docxtpl
    ...
    pip install docxtpl
    # For subdocuments support:
    pip install "docxtpl[subdoc]"
Install from a trusted package index and consider pinning a known-good docxtpl version for repeatable use.
