v1.0.0

pandoc-docx

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:56 AM.

Analysis

This appears to be a straightforward pandoc-based document conversion skill, with expected local file access and command-line tool use.

Guidance: Before installing, make sure you trust the local pandoc/libreoffice/poppler/texlive tools you use with it. Keep backups before using edit or batch conversion features, and review generated files before overwriting important documents.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
scripts/doc-edit.sh
"$SCRIPT_DIR/doc-read.sh" "$FILE" markdown | sed "s/$PATTERN/$REPLACEMENT/g" > "$TMPFILE" ... "$SCRIPT_DIR/doc-write.sh" "$FILE" "$TMPFILE" markdown

The replace workflow interpolates user-provided text into a sed replacement and then writes the result back to the original file. This is purpose-aligned editing, but special characters or a wrong path could cause unintended document changes.

User impact: An important document could be overwritten or edited differently than expected if the replace pattern is wrong or contains regex/sed special characters.
Recommendation: Use this on copies of important documents, review changes before overwriting originals, and prefer escaped/literal replacement handling for exact text edits.
Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
package.json
"dependencies": { "pandoc": ">=2.0" }, "optionalDependencies": { "libreoffice": ">=6.0", "poppler-utils": ">=0.8", "texlive": ">=2020" }

The skill depends on external document-processing tools with broad version ranges. These dependencies are expected for the purpose, but installation/provenance is left to the user rather than enforced by a pinned install spec.

User impact: Different local tool versions may behave differently, and installing similarly named packages from an untrusted package source could introduce supply-chain risk.
Recommendation: Install pandoc and optional tools from trusted OS package managers or official project sources, and consider pinning versions in managed environments.
Unexpected Code Execution
Severity: Info; Confidence: High; Status: Note
scripts/doc-convert.sh
pandoc "$INPUT" -o "$OUTPUT" $EXTRACT_MEDIA $REFERENCE_DOC $WRAP_MODE

The skill runs the local pandoc binary with user-selected files and options. This command execution is central to the documented conversion purpose and is not hidden.

User impact: The skill is not purely informational; it launches installed local converters and can create or modify files at the requested output paths.
Recommendation: Use explicit input/output paths, avoid untrusted option values, and verify outputs before replacing originals.