Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Word Handler

v1.0.0

Create, read, and edit Word documents (.docx) with support for templates, tables, and styling.

by Jaden's built a claw (@cjboy007)
License: MIT-0
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (create/read/edit .docx, templates, tables, styling) match the provided SKILL.md and the included Python script, which uses python-docx. The single dependency (python-docx) is appropriate for the stated functionality.
Instruction Scope
SKILL.md instructs local processing only, and the script otherwise stays within that scope, but the script inserts a path (parent/../quotation-workflow/scripts) onto sys.path and attempts to import quotation_schema.validate_quotation_data. If such a module exists on disk, this allows execution of arbitrary code from outside the skill directory — a behavior beyond simple DOCX manipulation and not documented in SKILL.md.
Install Mechanism
There is no install spec (the skill is instruction-only), and the only dependency is a single pip package (python-docx) mentioned in SKILL.md. This is proportionate to the task and lower risk than arbitrary binary downloads.
Credentials
The skill requests no environment variables or credentials (appropriate). However, the script's dynamic sys.path modification could cause it to import and run code from unrelated parts of the host filesystem — this is a form of broad filesystem trust rather than credential misuse.
Persistence & Privilege
`always` is false, and there are no install-time persistence actions or modifications to other skills or global agent settings. The skill performs local file reads and writes (creating DOCX files), which are expected for this purpose.
What to consider before installing
This skill generally does what it says (creates and edits .docx using python-docx), but the included script adds a parent-relative path to Python's import search and tries to import a module named quotation_schema. Before installing or running it:

1. Inspect any quotation_schema module on your system (or in project folders), because it could be executed when the script runs.
2. Consider removing or modifying the sys.path insertion so the script only uses bundled code or well-audited dependencies.
3. Run the script in an isolated environment (container or VM) with limited filesystem access and no sensitive files mounted.
4. If you need validation, vendor the validation logic into the skill or require a clearly named, auditable dependency.
5. If you are not comfortable auditing code, avoid running the skill in a production environment.

latest: vk9743hkfmjyq9mmwzh0847vx6583qdt3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

📘 Clawdis
OS: Linux · macOS · Windows