v1.0.0

docx-diff

Benign
ClawScan verdict for this skill. Analyzed May 3, 2026, 12:55 AM.

Analysis

This appears to be a local Word-document comparison tool; the main things to notice are its Python dependency install and that generated reports may contain the documents' text and images.

Guidance: This skill looks purpose-aligned for local .docx diffing. Before installing, consider using a Python virtual environment, verifying the `python-docx` dependency, and treating the generated HTML/DOCX/TXT reports as potentially confidential because they may include document text and embedded images.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
pip install python-docx

The skill requires installing a third-party Python package, but the artifact does not pin a version or provide a managed install spec.

User impact: A normal package install is expected for this tool, but the installed package version depends on the user's Python package source at install time.
Recommendation: Install in a virtual environment and, if used for sensitive work, pin or verify a trusted `python-docx` version.

Unexpected Code Execution
Severity: Info, Confidence: High, Status: Note
SKILL.md
python "路径/scripts/compare_docx.py" --file1 "旧文档.docx" --file2 "新文档.docx"

The workflow runs a local Python script with user-supplied file paths. This is central to the skill's purpose and is not hidden, but it is still local code execution.

User impact: The skill will execute local Python code to read the selected documents and create output files.
Recommendation: Run it only from the installed skill path, use file paths you intended to compare, and keep backups of important documents.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low, Confidence: High, Status: Note
SKILL.md
The HTML report embeds images, so the single file can be shared directly

The generated report can embed document images and also includes diffed text, so the output files may contain sensitive source-document content.

User impact: If the compared documents are confidential, sharing or syncing the generated reports can disclose their contents or embedded images.
Recommendation: Store reports in a trusted location, review them before sharing, and delete them when no longer needed.