Skill v1.0.1

ClawScan security

Office-Editor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 12, 2026, 8:47 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and requirements are coherent with its stated purpose of creating and editing .docx/.xlsx/.pptx files; it asks for no unrelated credentials or installs and limits what it does to file I/O with office libs.
Guidance
This skill appears to do what it says: generate and edit Office files using standard Python libraries. Before installing/using it: (1) ensure the required Python packages (python-docx, openpyxl, python-pptx) are installed in the environment you run the agent in — the skill will report missing packages rather than install them; (2) run the skill in an environment where writing files is acceptable (it writes saved files to disk and will read any input file path you give it); (3) be cautious when editing files from untrusted sources — these libraries don't execute VBA macros but may preserve them or include potentially malicious content in documents; (4) if you need an additional safety layer, run the skill in a sandboxed container or VM. Overall the skill is internally consistent and has no unexplained requests for credentials or network access.

Review Dimensions

Purpose & Capability
ok
Name/description match the included scripts and references. The code and SKILL.md only reference python-docx, openpyxl, python-pptx (and optional pandas/pillow) which are exactly the libraries needed for Word, Excel, and PowerPoint manipulation.
Instruction Scope
ok
SKILL.md explicitly restricts behavior: it only checks imports (read-only), refuses automatic pip installs, preserves originals by default, only loads reference files as needed, and instructs saving to disk. Included scripts only read/write local files and accept CLI args; they do not make network calls, access unrelated system config, or read arbitrary environment variables.
Install Mechanism
ok
There is no install spec (instruction-only). That is proportionate: the skill relies on standard Python libraries but does not attempt to download/extract code or run installers automatically.
Credentials
ok
The skill declares no required environment variables, no credentials, and no config paths. The optional dependency guidance (pandas/pillow) is appropriate and limited to specific features (DataFrames, images).
Persistence & Privilege
ok
"always" is false; the skill is user-invocable and may be invoked autonomously (platform default). It does not request permanent system presence or modify other skills or system-wide configs.