Skill v0.1.0
ClawScan security
docx · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 14, 2026, 1:40 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely matches its docx editing/validation purpose, but the runtime instructions expect several external tools and make assumptions (dependencies, tooling, and an author name 'Claude') that are not declared — this mismatch and a restrictive LICENSE warrant caution before installing or running.
- Guidance: This skill appears to implement .docx unpack/pack/validation and contains readable source code you can audit — that's a positive. Before installing or using it: (1) Review the bundled Python scripts (they are provided) to confirm you are comfortable with the subprocess calls (they call soffice and git) and local file reads/writes. (2) Verify and install required external tools the SKILL.md expects (pandoc, libreoffice/soffice, git, Node + docx npm package), since none are declared. (3) Be aware of the restrictive LICENSE.txt (proprietary, limits extracting/retaining materials) — ensure your intended use and storing of skill files complies with it. (4) Note the validator is hardcoded to look for tracked changes authored by 'Claude' — behavior may differ if you run a different agent. (5) Test the skill on non-sensitive documents in a sandbox first. If you need this in a production environment, either confirm the declared dependencies and integrate an install step or perform a security/legal review first.
Review Dimensions
- Purpose & Capability (concern): Name/description and included code (Python OOXML pack/unpack/validate scripts and JS docx guidance) are consistent with a .docx editing/validation skill. However, the SKILL.md repeatedly assumes external tools and runtimes (pandoc, soffice/libreoffice, git, Node/npm and the docx JS package) are available and even tells the agent to use JavaScript toolchains; none of these binaries/dependencies are declared in the skill metadata. That mismatch (no declared dependencies or install spec while instructions expect many external tools) is disproportionate and incoherent.
- Instruction Scope (note): Instructions are specific and focused on reading/unpacking/editing .docx files and validating tracked changes. Two risky/incoherent items: (1) the SKILL.md instructs the agent to 'MANDATORY - READ ENTIRE FILE' for large reference files (docx-js.md and ooxml.md) with no range limits, which broadens what the agent must parse before acting; (2) the redlining validator and workflow treat tracked changes authored by 'Claude' specially (hardcoded author name), which is a coupling to a specific LLM/agent identity and may behave unexpectedly with other agents. The runtime workflows call subprocesses and read/write local files — expected for this purpose, but they also rely on tools not declared.
- Install Mechanism (note): There is no install spec (lowest formal install risk) and all tooling appears provided as source files bundled with the skill. That reduces hidden remote downloads, which is good. However, the included Python scripts call external commands (soffice, git) via subprocess and the JS workflow assumes global npm packages; because the skill does not declare or install these, attempting to run features may fail or cause the agent to invoke system-level binaries.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths — which is proportionate to its stated document-processing purpose. Note: it's still capable of reading and writing local files (unpack/pack) and running subprocesses, so file/system access is intrinsic to its functionality.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated persistence. It also does not declare modifications to other skills or system-wide configuration. Autonomous invocation is allowed (platform default) but not combined with other privilege escalations.
