v1.0.0

Superdoc

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:29 AM.

Analysis

The skill is a straightforward DOCX editing guide with normal local file and npm setup actions, and the artifacts do not show hidden credentials, persistence, exfiltration, or destructive behavior.

Guidance: This appears reasonable for a DOCX manipulation skill. Before using it, verify the SuperDoc npm package/source, consider pinning dependency versions, and make sure the agent only reads and writes document paths you approve.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
SKILL.md
const buffer = fs.readFileSync('input.docx'); ... fs.writeFileSync('output.docx', output);

The skill demonstrates local file reads and writes for editing DOCX files. This fits the stated purpose, but file-writing examples can overwrite or create files if paths are not user-controlled.

User impact: The skill may help an agent read and modify local document files during a DOCX task.
Recommendation: Use explicit user-approved input and output paths, keep backups of important documents, and confirm before overwriting existing files.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
SKILL.md
npm install --global superdoc jsdom

The skill documents a user-run global npm installation for dependencies rather than bundling code or an install spec. This is expected for an instruction-only integration, but it means runtime code comes from external npm packages.

User impact: If the setup command is run, external packages will be installed and used for document processing.
Recommendation: Verify the npm packages and source repository, prefer pinned versions, and install in a project or isolated environment instead of globally when possible.