Skillv1.0.0

ClawScan security

PLS Office Docs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 22, 2026, 11:13 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose (creating/reading/editing office documents) matches the instructions and requirements; nothing requested or installed appears disproportionate or unrelated to that purpose.
Guidance: This skill appears coherent for document creation and manipulation. Before installing or running the example pip commands: (1) consider running them in an isolated environment (virtualenv) to avoid contaminating your system Python, (2) review the third-party packages (pdfplumber, pypdf, python-docx, openpyxl, python-pptx, etc.) on PyPI if you need to verify trust, and (3) avoid processing sensitive files unless you trust the runtime environment, since the examples read and write local files. Because the skill is instruction-only and requests no credentials, the main risk is the usual one of installing third-party Python packages — manage those installs according to your security policies.

Purpose & Capability: okName/description say document generation/manipulation and the SKILL.md contains Python examples and package suggestions (pdfplumber, python-docx, openpyxl, python-pptx, etc.) that directly support those operations. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope: okRuntime instructions are narrowly scoped to creating, reading, editing, and exporting PDF/DOCX/XLSX/PPTX files. Examples reference only local files (e.g., document.pdf, photo.jpg) and standard library usage; there are no instructions to exfiltrate data, access unrelated system files, or contact unexpected external endpoints.
Install Mechanism: noteThis is an instruction-only skill with no formal install spec, but the SKILL.md instructs users to run pip install for several packages. That is expected for a Python-based document manipulation skill; users should be aware that following those pip commands will download and install third-party packages from PyPI.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The examples do not reference secrets or unrelated environment variables, so the level of access requested is proportionate to the stated functionality.
Persistence & Privilege: okThe skill is not marked always:true and does not request persistent or elevated privileges. It does not modify other skills or system-wide settings in the provided instructions.