Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

pandoc-docx

v1.0.0

Supports bidirectional conversion between Word (.docx) and Markdown and many other formats using pandoc, preserving the main formatting and images.

by fuyabing6803@mo-yuhua
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the scripts and SKILL.md: the bundle is a pandoc-based docx↔markdown converter and the scripts call pandoc/libreoffice/pdftotext as expected. Minor oddity: package.json declares system packages (pandoc, libreoffice, poppler-utils, texlive) under dependencies/optionalDependencies and Node engine requirements despite the skill being implemented as bash scripts — this is a packaging metadata mismatch but does not change the runtime behavior.
Instruction Scope
SKILL.md and the scripts only read and write local files and invoke local tools (pandoc, libreoffice, pdftotext). They do not send data to external endpoints. Attention: doc-edit.sh uses sed with unescaped user-supplied patterns/replacements (simple string substitution) which can produce unexpected results or command failures for complex inputs; users should be careful when using replace operations on sensitive documents and keep backups.
Install Mechanism
No install spec or remote downloads; this is an instruction-only skill with local shell scripts. No third-party archive downloads or URL-based installs are present.
Credentials
No environment variables, credentials, or config paths are required. The scripts only check for and call standard command-line tools (pandoc, libreoffice, pdftotext, tex).
Persistence & Privilege
Skill is not force-included (always:false) and does not request elevated persistent privileges or modify other skills or global agent configuration.
Assessment
This skill appears to do what it says: local document conversions using pandoc and optional local tools (libreoffice, pdftotext, texlive). It does not request credentials or contact external servers. Before using: 1) run ./scripts/check-deps.sh to verify required tools are installed; 2) review the scripts if you will convert sensitive documents (doc-edit's replace uses sed without escaping and could alter content unexpectedly); 3) keep backups of original files before running bulk/replace operations; 4) note the package.json metadata is a bit misleading (lists system packages and Node engines) but that is a packaging issue, not a network/credential risk. If you want extra caution, run the scripts in an isolated environment or a disposable VM/container.

Like a lobster shell, security has layers — review code before you run it.
