Skill v0.1.0

ClawScan security

Docx · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 8, 2026, 1:49 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill largely does what it says (manipulate .docx files) but its declared requirements and install metadata are inconsistent with the code: it compiles a native LD_PRELOAD shim, writes LibreOffice macros and temp files, and expects native tools (soffice, gcc, pandoc, npm, pdftoppm) that are not declared — this raises practical and security concerns you should review before installing.
Guidance
This skill appears to implement real .docx manipulation tools, but it does more than simple XML edits: it expects and will invoke native tools (soffice/LibreOffice, gcc to compile a shim, pandoc, pdftoppm, and suggests npm/docx-js) even though its metadata lists no required binaries. Before installing or running it, consider: 1) Do you trust this code? Review the source files (they are included) and confirm you are comfortable with a runtime that compiles and LD_PRELOADs a native shared object and writes LibreOffice macros. 2) Only run it in a controlled environment (sandbox or VM) if you cannot fully audit it — the shim and LD_PRELOAD can influence process behavior. 3) Ensure you have the expected native tools if you want full functionality, or disable/modify features that compile the shim if your environment disallows builds. 4) The license file is proprietary and the skill owner is unknown — check that you have the right to use the code under that license. 5) If you need stricter guarantees, ask the publisher to explicitly list required binaries/permissions and to explain why runtime compilation and macro injection are necessary. If you want, I can extract the exact locations and commands the skill will run so you can review them line-by-line.

Review Dimensions

Purpose & Capability
Concern: Name/description matches the code’s behavior (reading, editing, packing/unpacking .docx). However the implementation requires native OS tools and low-level tricks (compiling a C LD_PRELOAD shim, writing a LibreOffice profile and Basic macro, invoking soffice, pandoc, pdftoppm, and suggesting npm/docx-js) but the skill metadata declares no required binaries or envs. This mismatch is incoherent: either the metadata is incomplete or the skill is requesting more OS-level capabilities than its description implies.
Instruction Scope
Concern: SKILL.md and the included scripts stay focused on .docx tasks, but runtime instructions and code include actions beyond simple XML editing: creating a LibreOffice user profile in /tmp and writing a Basic macro, running soffice headless with that profile, compiling and LD_PRELOAD-ing a custom shared object to emulate AF_UNIX sockets, and invoking external tools (pandoc, pdftoppm, npm). Those steps are plausible for robust document conversion but expand the scope to native compilation, environment modification (LD_PRELOAD), and macro injection — all of which increase risk compared to a purely file-manipulation skill.
Install Mechanism
Concern: There is no install spec, but the code performs runtime installation-like actions: it writes C source to a temp directory and invokes gcc to build lo_socket_shim.so, writes files under /tmp (LibreOffice profile and macro), and sets LD_PRELOAD for subprocesses. Compiling and LD_PRELOAD-ing native code at runtime is high-risk behavior (can affect process behaviour system-wide) and is not declared in metadata. The source and build are local (not a remote download), which reduces some supply-chain risk, but invoking gcc and producing an .so is still a significant privilege/attack surface.
Credentials
Note: The skill does not request environment variables or credentials. The code does read and mutate environment variables for subprocesses (sets SAL_USE_VCLPLUGIN and LD_PRELOAD) but it does not appear to exfiltrate secrets or require cloud credentials. That said, modifying LD_PRELOAD and creating LibreOffice macros can alter process behavior and persist in the environment (LibreOffice profile in /tmp), so while no secrets are requested, the level of system access demanded is higher than one might expect for a simple docx helper.
Persistence & Privilege
Note: always is false and the skill does not request platform-wide persistent installation. It does create files under /tmp (LibreOffice profile, compiled .so) and writes a LibreOffice macro into that profile; these could persist for the lifetime of /tmp or until manually removed. The use of LD_PRELOAD to alter child-process behavior is a privileged action but is performed only for the skill's LibreOffice subprocesses (via get_soffice_env). The skill does not modify other skills or global agent configuration.