Skillv1.0.0

ClawScan security

中文word文档通用格式标准化 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 13, 2026, 1:36 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This skill is a local Python script that formats .docx files to Chinese typesetting standards and does not request credentials, make network calls, or perform unexpected system access.
Guidance: This skill appears coherent and local: it formats a .docx you provide using python-docx. Before running: (1) back up original documents, (2) inspect scripts/format_word.py yourself if you can, (3) install python-docx from the official PyPI repository, and run the script in a controlled environment (or on non-sensitive files) the first time. Note the SKILL.md references a template file that isn't included — if your workflow depends on a template, confirm where it should come from. If you need higher assurance, run the script on a sample document to verify behavior and outputs before batch-processing important files.

Review Dimensions

Purpose & Capability: okThe name and description (Word中文格式标准化) match the included files: a formatting specification, usage guide, requirements.txt, and a Python script that uses python-docx to modify styles, paragraphs, images, and tables. Minor documentation inconsistency: SKILL.md shows an assets/template.docx in the sample tree, but that file is not present in the provided manifest; this is an implementation/documentation mismatch but not a security concern.
Instruction Scope: okRuntime instructions are limited and explicit: install python-docx and run scripts/format_word.py on a user-supplied input file (and optional output path). The script only reads the specified input .docx and writes a .docx output; it does not read arbitrary system files, environment variables, or contact network endpoints. It operates on document paragraphs, runs, images, and tables only.
Install Mechanism: okThere is no automated install spec in the registry; the SKILL.md instructs the user to pip install -r scripts/requirements.txt which contains a single dependency (python-docx). This is a standard, low-risk installation method (PyPI package). No external downloads, URLs, or extracted archives are used by the skill itself.
Credentials: okThe skill requests no environment variables, no credentials, and no config paths. The Python script only needs access to the input/output document paths provided by the user, which is proportionate to the stated purpose.
Persistence & Privilege: okThe skill is not marked always:true, is user-invocable, and does not modify other skills or global agent settings. It does not attempt to persist credentials or alter system configuration.