DOCX Toolkit
Pass
Audited by ClawScan on May 13, 2026.
Overview
The skill appears to be a normal Word-document helper; the main caution is that some workflows run local tools and install an unpinned npm package.
This looks reasonable for a DOCX toolkit. Before using it, make sure you trust the local tools it relies on, review commands before they run, use copies of important documents, and remember that tracked changes or comments in Word files may be extracted into outputs.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can cause local tools to read Word files and create derived files, so mistakes in file paths or processing untrusted documents could affect local files.
The documented workflows run local command-line tools and write extracted output files. This is expected for DOCX processing, but it means the agent may execute local commands on user documents.
pandoc --track-changes=all document.docx -o output.md
python scripts/office/unpack.py document.docx unpacked/
Review or approve command execution and file paths, use copies/backups for important documents, and process untrusted documents in a safer environment if possible.
Installing a package globally can change the local environment and may fetch a different package version over time.
The skill instructs installation of an unpinned global npm package. This is purpose-aligned for DOCX generation, but version/provenance are not locked in the artifact.
Generate the .docx file with JavaScript, then validate it. Install: `npm install -g docx`
Prefer a vetted and pinned version of the package, install it in a project-local environment when possible, and inspect any helper scripts or tools before use.
