Back to skill
Skillv1.0.0
ClawScan security
docx-to-md · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 27, 2026, 2:01 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The package's code and instructions match its stated purpose (convert .docx to Markdown and extract images); it requests no credentials, has no install downloads, and contains no network or unexpected file-access behavior.
- Guidance
- This skill appears coherent and safe for its stated purpose. Before installing/using: (1) ensure you have python 3.7+ and install python-docx (pip install python-docx); (2) run it on .docx files you trust or in a controlled output directory (it will create an <basename>_output folder or use the provided output path and write image_*.png/jpg files and a .md file); (3) be aware it writes files to disk and may overwrite files in the chosen output directory — pick a safe location. If you want extra assurance, inspect scripts/docx_to_md.py yourself; it contains no network calls or credential handling.
Review Dimensions
- Purpose & Capability
- okThe SKILL.md and the included scripts/docx_to_md.py implement the described functionality: extracting media from the .docx ZIP (word/media/) and converting document content to Markdown using python-docx. There are no unrelated credentials, binaries, or external services requested.
- Instruction Scope
- okRuntime instructions only reference the input .docx path and an output directory. The code reads the provided .docx, extracts files under 'word/media/' into the output directory and writes a Markdown file — behavior consistent with the documented scope. The SKILL.md does not instruct reading other system files or transmitting data externally.
- Install Mechanism
- okThere is no install spec; this is instruction/code-only. The only dependency is python-docx (documented in SKILL.md with a pip install command). No remote download URLs or archive extraction from arbitrary hosts are used.
- Credentials
- okNo environment variables, credentials, or config paths are required. The skill operates on user-supplied file paths only, which is proportionate to its purpose.
- Persistence & Privilege
- okalways is false and the skill does not request persistent global privileges or modify other skills/configs. It writes output files only into the specified output directory.