Skill v1.0.2

ClawScan security

DOCX Compare · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 5:20 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with a DOCX duplicate-checking tool; it reads two .docx files, compares text/images, and writes annotated outputs without requesting unrelated credentials or network access.
Guidance
This skill appears internally consistent for comparing .docx files. A few practical notes before installing/using: (1) the script uses both python-docx and lxml; install both (e.g., pip install python-docx lxml) before running. (2) The skill will read the input .docx files and write annotated copies and reports to disk — test it on copies of your documents first. (3) The registry metadata restricts OS to win32 even though the script is platform-neutral; that is likely harmless but unnecessary. (4) The code manipulates DOCX XML (comments/document.xml) — that’s expected but can produce malformed files on edge-case DOCX inputs; keep backups. There is no network access, no credential requests, and no signs of data exfiltration. If you need higher assurance, request the full, untruncated script for review and run it in an isolated environment on non-sensitive example documents first.

Review Dimensions

Purpose & Capability
ok: Name/description (compare two DOCX for duplicate text/images) match the included script and SKILL.md. The script implements text exact/fuzzy comparison and image MD5 checks and produces annotated DOCX and a text report — which is exactly the claimed functionality.
Instruction Scope
ok: SKILL.md instructs running the included Python script with explicit file arguments and output directory. The runtime instructions and script operate only on the provided DOCX files and local output paths; they do not reference unrelated system files, environment variables, or external endpoints.
Install Mechanism
note: No install spec (instruction-only) is present, which is low risk. The script requires python-docx and lxml at runtime; SKILL.md lists python-docx but does not explicitly list lxml even though the script imports lxml.etree. The user will need to pip-install the dependencies before running.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. That is appropriate for a local file-processing utility.
Persistence & Privilege
ok: The skill is not always-enabled and does not request permanent presence or modify other skills or system-wide settings. It runs only when invoked and writes output files as expected for this tool.