Skill v1.0.0
ClawScan security
Government Word Format Standardizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 10:09 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims: a local .docx reformatter using a bundled template and a Python script; it does not request credentials or reach out to external endpoints.
- Guidance: This skill is internally consistent and appears to run entirely locally with no network exfiltration. Before installing or running: (1) review and, if needed, run the included Python script in a safe/test environment (e.g., a VM) on representative documents; (2) note the script inspects installed fonts via the Windows registry and C:\Windows\Fonts (expected for its 'missing font' behavior); (3) verify it returns exit code 2 for missing fonts as documented; (4) avoid converting highly sensitive documents until you have tested its behavior and confirmed output correctness (complex layouts may need manual checks). If you plan to run on non-Windows hosts, test behavior first because font enumeration is Windows-specific and may cause the script to report missing fonts or behave differently.
Review Dimensions
- Purpose & Capability: ok. The name/description (convert .docx to a government-style template) matches the included artifacts: template bundle, formatting rules, and a converter script. The script's actions (parsing OOXML, applying style rules, checking fonts) are coherent with the stated purpose.
- Instruction Scope: ok. SKILL.md instructs the agent to run the included Python script on a local .docx and return the output, and the script's code only reads the input .docx, the bundled template JSON, and (on Windows) the system font registry and C:\Windows\Fonts. There are no network calls, no reading of unrelated config/credentials, and no external endpoints referenced.
- Install Mechanism: ok. This is an instruction-only skill with no install spec; nothing is downloaded or written by an installer. The only runtime artifact is the included script, which will run from disk when invoked.
- Credentials: ok. The skill declares no required environment variables or credentials. The script enumerates installed fonts (via Windows registry and font directory) to check for required fonts; this is proportional to its font-failure guarantee and is the only sensitive local state it touches.
- Persistence & Privilege: ok. always:false and default autonomous invocation are used; the skill does not request persistent system-wide changes, nor does it modify other skills or agent configuration. It only operates on files provided to it.
