Gonggong Hwpxskills Main
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a user-directed HWPX document/template skill, but its documentation references install and runtime files that are not included in the reviewed package.
This skill is reasonable for HWPX template workflows, but treat the package as incomplete: verify the referenced repository and inspect any missing requirements, scripts, or runtime files before executing them.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user follows these instructions from another source, they may install or run code that was not included in the reviewed artifacts.
The documentation points to requirements.txt, run.py, and a helper script, but the reviewed manifest contains no code files or install spec. This is a provenance/completeness issue rather than evidence of malicious behavior.
python3 -m pip install --user -r requirements.txt
...
./run.py apply-template assets/report-template.hwpx mapping.json outputs/out.hwpx
...
scripts/fix_namespaces.py
Before running install.sh, pip requirements, run.py, or helper scripts, verify they come from the intended trusted repository/release and review their contents.
