Skill v1.0.1

ClawScan security

Itinerary DOCX Template · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 2:54 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions align with its stated purpose (filling a Chinese DOCX itinerary template from simplified lines); it requires only local Python/docx work and does not request credentials or remote installs, but I recommend reviewing the full script before executing it on sensitive data.
Guidance
This skill appears coherent and limited to editing a provided DOCX template using a local Python script. Before running it: (1) review the full scripts/fill_from_simplified.py source yourself (or have someone trusted review) to confirm there are no unexpected network calls, subprocess.exec usage, or file-system accesses beyond the template/content/output files; (2) run it in an isolated environment (e.g., a disposable virtualenv or container) and test with non-sensitive sample templates; (3) ensure python-docx is installed from PyPI (python -m pip install python-docx) and avoid installing unknown extra packages; (4) verify generated text for accuracy and PII leakage (the script embellishes descriptions automatically). If you want higher assurance, paste the full script here or allow me to scan it for network/file operations and subprocess usage.

Review Dimensions

Purpose & Capability
ok: Name/description match the included script and runtime instructions: the script parses simplified day lines, generates itinerary sentences/descriptions, and edits a provided DOCX template using python-docx. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
ok: SKILL.md restricts actions to: save input text, run scripts/fill_from_simplified.py with a template and output path, and return the resulting .docx. The instructions do not ask the agent to read unrelated system files or transmit data externally. The note about installing python-docx via pip is appropriate for this task.
Install Mechanism
ok: There is no install spec; the skill is instruction-only with a local Python script. The only external dependency mentioned is python-docx suggested to be installed via pip, which is standard and proportionate. No downloads from arbitrary URLs or archive extraction are present.
Credentials
ok: No environment variables, credentials, or config paths are requested. The script works with user-supplied template and content files only, which is proportionate to the stated purpose.
Persistence & Privilege
ok: The skill does not request permanent presence (always:false) and does not attempt to modify other skills or system-wide settings. It runs as a one-off script invocation per SKILL.md guidance.