Minimax Docx

Review

Audited by ClawScan on May 18, 2026.

Overview

The skill is coherent for creating Word documents, but its helper script can automatically download and execute a .NET installer and modify the user's local .NET installation without clear install-time disclosure.

This skill appears aimed at legitimate Word document creation, but install and runtime behavior should be reviewed before use. If you install it, run it in a controlled project folder, install .NET manually if needed, and do not allow automatic runtime provisioning unless you are comfortable with it downloading and executing installer scripts and changing your local .NET directory.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may execute local Python and .NET commands as part of creating the requested .docx file.

Why it was flagged

The skill's normal workflow uses local command execution to render and validate Word documents. This matches the stated purpose, but users should know the agent may run local build tooling.

Skill content

python3 <skill-path>/docx_engine.py render [output.docx]
dotnet run --project <skill-path>/src/DocForge.csproj -- from-template <template.docx> <output.docx>

Recommendation

Use it in a workspace where running document-build commands is acceptable, and review file paths before asking it to process templates or outputs.

What this means

Running the skill can cause new software to be fetched from the internet and executed on the user's machine.

Why it was flagged

The code downloads a remote installer script at runtime and executes it. Even though it uses Microsoft's dot.net URL and is related to the skill's .NET dependency, this is not pinned or surfaced as an install specification.

Skill content

installer_url = "https://dot.net/v1/dotnet-install.sh"
subprocess.run(["curl", "-sSL", installer_url, "-o", str(installer_path)], check=True, timeout=60)
installer_path.chmod(0o755)
subprocess.run([str(installer_path), "--channel", channel, "--install-dir", str(target_dir)], check=True, timeout=300)

Recommendation

Install the required .NET SDK yourself from a trusted source before use, or require explicit confirmation before allowing the skill to provision runtimes.

What this means

A document-generation request could modify or remove an existing local .NET installation if this code path is reached.

Why it was flagged

The helper is designed to automatically install or reinstall .NET, and it can delete the user's ~/.dotnet directory before reinstalling. That is significant local environment modification without an explicit install spec or clear user approval gate in the provided instructions.

Skill content

def guarantee_dotnet() -> Path:
    """Ensure dotnet is available, installing if needed.
...
    elif status == "corrupted":
        print("! Runtime installation corrupted, reinstalling...")
        dotnet_home = Path.home() / ".dotnet"
        if dotnet_home.exists():
            shutil.rmtree(dotnet_home, ignore_errors=True)
        result = provision_dotnet()

Recommendation

Run only after backing up or confirming your .NET setup, and prefer disabling automatic provisioning in favor of a user-approved manual installation step.