Docx Editing

v0.3.0

Surgically edit existing (brownfield) .docx files with formatting preservation and tracked changes via the Safe-DOCX MCP server. Use when user says "edit thi...

by Steven Obiajulu (@stevenobiajulu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (Docx Editing via Safe‑DOCX) align with what the instructions request: Node/npm usage and running an MCP stdio server. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are limited to launching the local MCP server (npx or installed binary), accessing .docx files under the user's home and system temp dirs, and not making outbound network calls at runtime. The SKILL.md does not instruct the agent to read unrelated system files or secret env vars.
Install Mechanism
Install is via npm/npx (registry.npmjs.org) which is a known public registry — appropriate for a Node-based tool but carries supply-chain risk. The document explicitly recommends pinning, vendoring, or building from source to avoid runtime fetches and claims no postinstall hooks; these mitigations are provided but the verifier should confirm them before trusting automatic npx usage.
Credentials
No environment variables, credentials, or unrelated config paths are requested. Access is limited to files under the user's home directory and system temp dirs, which is proportionate for editing .docx files.
Persistence & Privilege
always:false (not force-included). The skill requires adding an MCP server entry to client config, which is normal and scoped to this connector. It does not request to modify other skills or system-wide settings.
Scan Findings in Context
[no_findings_instruction_only] expected: Regex scanner had nothing to analyze because this is an instruction-only skill that recommends an external npm package. Lack of findings is expected but does not verify the external package's contents.
Assessment
This skill appears coherent for local .docx editing, but the main risk is the one-time npm fetch (npx). Before using: (1) prefer a pinned or vendored installation or build-from-source as described in the SKILL.md; (2) inspect the referenced GitHub repo and package.json (confirm no postinstall hooks and verify the claimed stdio-only server); (3) run initial tests in an isolated environment to ensure no unexpected network activity; (4) confirm the MCP client configuration only gives the connector access to the intended home/temp paths. If you cannot audit the upstream package, avoid using npx auto-fetch and use the offline/pinned options provided.

Like a lobster shell, security has layers — review code before you run it.

latestvk9792ryyfgdjsskz76bgbcmwss84ethc
