Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Md2docx

v1.0.6

Markdown to Word document (standard official-document format). Uses Pandoc for automatic conversion, supports a table of contents and SimSun (宋体) typesetting, and repairs tables automatically.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match the included code: tools/md2docx.py implements a two-stage Pandoc → python-docx workflow, and SKILL.md lists the same dependencies. However, the repository references template files (e.g. tools/standard-official-template.docx and a standard public-office template) in its tests and in PROJECT_INFO.md that are NOT present in the provided file manifest. That mismatch (an expected template asset is missing) is a functional/integrity inconsistency.
Instruction Scope
SKILL.md only instructs the user to run the converter and requires Pandoc/python-docx, which is in scope. But the code base also contains an auxiliary script (tools/create_songti_template.py) that, when executed, writes a template to a hard-coded absolute path (C:/Users/GWF/.openclaw/...). The documentation does not mention this write-to-absolute-path behavior. There are no network calls or obvious exfiltration, but the hard-coded filesystem write and the mismatch between the described and the present assets (templates) are unexpected and should be noted.
Install Mechanism
No install spec (instruction-only) and no downloads or remote installers in the manifest, which minimizes installation-time risk. The dependencies are an external system package (Pandoc) and a Python package (python-docx), both correctly documented in SKILL.md.
Credentials
The skill requests no environment variables or credentials. The functionality (local file conversion) does not need secrets, so the lack of env/credential requests is proportionate.
Persistence & Privilege
The skill is not always-enabled and does not attempt to modify other skills or system-wide configuration. The only persistence-like behavior is that its scripts may write template files to disk if explicitly run (e.g., create_songti_template.py); this does not happen automatically, but consider it before executing.
What to consider before installing
This skill appears to do what it says (convert Markdown to .docx using Pandoc, then post-process with python-docx), but there are a few issues to check before you run it:

- Missing template files: SKILL.md, README, the tests and PROJECT_INFO.md reference template files (e.g., tools/standard-official-template.docx) that are not present in the file manifest. Expect tests or some conversions to fail unless you supply those templates.
- Hard-coded filesystem write: tools/create_songti_template.py saves a file to a hard-coded Windows path (C:/Users/GWF/.openclaw/...). Do NOT run that script unless you review and edit the target path; it will try to write into a specific user directory and may fail or create files in unexpected places.
- Code quality oddities: the package defines custom exceptions that shadow builtin names (e.g., a FileNotFoundError subclass), and the tests reference helper functions (validate_pandoc_available) whose presence should be confirmed. These are quality/maintenance issues rather than clear signs of malice.
- No network/exfiltration observed: there are no HTTP calls or external endpoints in the provided files. The only external dependency is the pandoc binary invoked via subprocess, which is expected for the stated purpose.

Recommended actions before installing/using:

1. Inspect and/or supply the missing template(s) referenced by README/tests, or remove the template references if they are not needed.
2. Search for any other hard-coded absolute paths and change them to safe, relative or configurable locations.
3. Run the conversion tools in a sandbox or non-production environment first (ensure Pandoc is installed and on PATH).
4. If you plan to run the auxiliary template-creation script, change its output path to a directory you control and inspect the generated file before using it.
5. If you need higher assurance, run the included tests in an isolated environment and review the rest of the code (especially the truncated portion of md2docx.py) for any unexpected behavior.
Overall: functional and plausibly benign code, but incongruities (missing assets, hard-coded paths) make it suspicious until you verify/clean those items.
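Several of the checks the scanner performed, and recommendations 2 and 4 above (find hard-coded absolute paths, review every subprocess call, confirm there is no network or environment access), can be automated before anything from the skill is executed. The script below is an added example written for this page; it is not part of Md2docx and not ClawHub's or OpenClaw's own scanner. It uses only the Python standard library, the skill tree it scans is constructed inline (the output path in the sample create_songti_template.py is a stand-in, not the real C:/Users/... path from the report), and the regexes are illustrative categories, not the rules the OpenClaw scan actually applies.

```python
"""Pre-install audit for an instruction-only skill directory (stdlib only).

Added example for this page; not part of Md2docx or the ClawHub/OpenClaw scanner.
"""
import re
import tempfile
from pathlib import Path

# One regex per behaviour class the scan report above cares about (illustrative rules).
CHECKS = {
    # Windows drive-letter paths or common POSIX home/system roots inside code or strings.
    # The lookbehind keeps "https://" from matching as a drive letter.
    "absolute_path": re.compile(
        r'(?<![A-Za-z])[A-Za-z]:[\\/][^\s"\']+|/(?:home|Users|root|etc|var|tmp)/[^\s"\']*'
    ),
    # Process execution: expected for a Pandoc wrapper, but every call site should be read.
    "subprocess": re.compile(
        r'\b(?:subprocess\.(?:run|Popen|call|check_call|check_output)|os\.(?:system|popen))\s*\('
    ),
    # Network access: the report found none; a hit here would be a red flag for a converter.
    "network": re.compile(
        r'\b(?:urllib\.request|requests\.(?:get|post)|http\.client|socket\.socket|httpx\.)'
    ),
    # Reads of environment variables, where credentials usually live.
    "env_access": re.compile(r'\bos\.(?:environ|getenv)\b'),
}


def scan_source(relpath, text):
    """Return (category, relpath, line_no, snippet) findings for one file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue  # comment lines cannot execute; skipping them reduces noise
        for category, pattern in CHECKS.items():
            for match in pattern.finditer(line):
                findings.append((category, relpath, line_no, match.group(0)))
    return findings


def scan_tree(root, suffixes=(".py", ".sh", ".ps1", ".md")):
    """Walk a skill directory and collect findings for every file with an audited suffix."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_source(path.relative_to(root).as_posix(), text))
    return findings


def summarize(findings):
    """Count findings per category so a reviewer sees the shape of the tree at a glance."""
    summary = {}
    for category, *_ in findings:
        summary[category] = summary.get(category, 0) + 1
    return summary


# Constructed sample skill tree (not the real Md2docx files) so the audit runs offline.
SAMPLE_FILES = {
    "tools/md2docx.py": (
        "import subprocess\n"
        "def run_pandoc(src, dst, template):\n"
        "    # list form, no shell=True: arguments are not re-parsed by a shell\n"
        "    subprocess.run(['pandoc', src, '-o', dst, '--reference-doc', template], check=True)\n"
    ),
    "tools/create_songti_template.py": (
        "from docx import Document\n"
        "doc = Document()\n"
        "# constructed stand-in for a hard-coded per-user output path\n"
        "doc.save('C:/Users/example/.openclaw/templates/songti.docx')\n"
    ),
    "SKILL.md": "Run tools/md2docx.py; requires pandoc and python-docx. See https://pandoc.org/\n",
}


def audit_sample():
    """Write the constructed tree to a temp dir, scan it, and return (findings, summary)."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        findings = scan_tree(tmp)
    return findings, summarize(findings)


if __name__ == "__main__":
    for category, relpath, line_no, snippet in audit_sample()[0]:
        print(f"{category:14} {relpath}:{line_no}: {snippet}")
```

On the constructed tree the audit reports exactly one subprocess call (the expected pandoc invocation in tools/md2docx.py) and one absolute path (the template writer), and nothing in the network or environment categories, which is the same shape the OpenClaw report describes. Point scan_tree at an unpacked skill directory to get the real list; anything in the network or env_access categories for a local file converter deserves a close read before the skill is enabled.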

