docx-skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The visible skill instructions fit a Word-document helper; the main thing to review is its user-directed installation of third-party document tools.

Before installing, review the full skill text and install only the dependencies you need from trusted sources. Use it on documents and file paths you choose, and be mindful that document contents may contain private information.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI04: Agentic Supply Chain Vulnerabilities

Low

What this means

Installing these dependencies can add or change software on the user's machine.

Why it was flagged

The skill relies on user-installed third-party packages and tools, including global and cask installs. This is expected for a document-processing skill, but users should verify package identities and sources.

Skill content

npm install -g docx
brew install pandoc
pip install python-docx
brew install --cask libreoffice
brew install imagemagick

Recommendation

Install only from trusted package managers, consider pinned versions or project-local installs where possible, and only install optional tools you actually need.