Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Word Document Creator

v1.0.0

Create and validate Word documents using a hybrid method with Word COM and python-docx, featuring multi-layer encoding defense and error handling.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description claim Word COM + python-docx hybrid creation and the scripts implement exactly that. However the skill assumes a Windows environment with Microsoft Word installed (win32com usage) yet the registry metadata lists no OS restriction. SKILL.md also recommends a specific interpreter path (D:\openclaw_project\venv\Scripts\python.exe) and example output paths on E:\Desktop which are environment-specific and not appropriate to a generic skill package.
Instruction Scope
SKILL.md instructs running a script with an absolute interpreter path and absolute Windows output paths; examples reference E:\ and a local mem9 DB ID. The runtime instructions do not instruct reading arbitrary system files or contacting networks, but the platform-specific hard-coded paths and the mem9 references are inconsistent with a generic skill and could cause unexpected local file access if blindly executed. The script does modify process environment (PYTHONIOENCODING) and calls chcp, which is reasonable for encoding handling but is an environment mutation to be aware of.
Install Mechanism
There is no install spec (lowest risk) but the code depends on python-docx and pywin32 and requires Microsoft Word. SKILL.md and scripts mention these requirements, but the package metadata does not declare dependencies or an OS restriction. That mismatch is notable: users must install prerequisites themselves on Windows; there is no automated or documented installation in the skill package.
Credentials
The skill requests no environment variables or credentials. It does alter local environment encoding (PYTHONIOENCODING, chcp) which is proportionate to its goal. There are unexplained references to a 'mem9' database ID and mem9_backup entries in SKILL.md/skill.json but no code that performs network calls or interacts with such a service; this is an inconsistency (metadata claims storage but code does not perform remote storage nor request credentials).
Persistence & Privilege
Skill does not request always:true and is user-invocable. It does not modify other skills or system-wide agent configs. It writes temporary files and output files as expected for document creation; this is within scope for its stated purpose.
What to consider before installing
This skill appears to be a legitimate Word-document generator that uses Word COM + python-docx, but it makes strong Windows-specific assumptions and includes environment-specific example paths and an explicit interpreter path that will not exist on most users' systems. Before installing or running:

- Only run on a Windows machine with Microsoft Word installed and activated. The scripts call win32com and expect Word; running on non-Windows will fail.
- Review and remove/replace hard-coded paths (D:\... and E:\...) and the interpreter path in SKILL.md before executing to avoid accidental file writes to unexpected locations.
- Install dependencies yourself (pip install python-docx pywin32) in a controlled environment (virtualenv).
- Note the code sets Word.Application.AutomationSecurity = 3 (suppresses macro prompts) — this can bypass macro warnings in some contexts; ensure you control template sources and trust Normal.dotm.
- The package metadata references mem9 IDs and local verification files but the code does not contact any external service — that inconsistency is likely bookkeeping from the author but verify there are no hidden endpoints before running.
- Run the code first in an isolated test environment (VM) and inspect behavior (file creation, temp files) before using it on sensitive systems or with sensitive content.

Like a lobster shell, security has layers — review code before you run it.
