中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:19 hr ago Rescan
20 /100
docx-trackchanges-and-comments
Word文档 (.docx) 处理,支持修订模式(Track Changes)和批注操作
A legitimate Word document processing skill with no malicious behavior; minor issue is an over-broad shell:WRITE declaration in allowed-tools that doesn't match actual usage.
Skill Namedocx-trackchanges-and-comments
Duration31.7s
Enginepi
Safe to install
Narrow the allowed-tools declaration: remove shell:WRITE since the Python script uses no subprocess, and pin the python-docx dependency to a specific version for supply-chain safety.

Findings 2 items

Severity Finding Location
Low
Shell:WRITE declared but never used Doc Mismatch
SKILL.md maps Bash → shell:WRITE in its allowed-tools section, but the Python implementation (scripts/track_changes.py) contains zero subprocess, os.system, Popen, or any other shell invocation. The bash examples in SKILL.md are purely documentation; no Bash tool is actually called by the skill.
allowed-tools mapping: Bash→shell:WRITE
→ Remove shell:WRITE from allowed-tools since the skill only uses python-docx for file I/O. If shell tools are needed for edge cases (e.g., zip/unzip CLI), declare them with a specific scoped use-case in SKILL.md.
 SKILL.md:1
Low
python-docx dependency not pinned to a version Supply Chain
The script imports 'from docx import Document' and 'from docx.oxml import OxmlElement' but there is no requirements.txt, pyproject.toml, or Pipfile specifying a version. The latest python-docx release includes CVE fixes.
from docx import Document
→ Add a requirements.txt pinning python-docx to an exact version (e.g., python-docx==1.1.2) to prevent supply-chain surprises from automatic upgrades.
 scripts/track_changes.py:9
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned scripts/track_changes.py:135 — shutil.copy(input_file, output_file); lines 140-1…
Shell WRITE NONE ✓ Aligned scripts/track_changes.py — no subprocess, no os.system, no Popen anywhere in the…

File Tree

2 files · 10.1 KB · 396 lines
Python 1f · 201L Markdown 1f · 195L
├─ 📁 scripts
│ └─ 🐍 track_changes.py Python 201L · 5.3 KB
└─ 📝 SKILL.md Markdown 195L · 4.8 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
python-docx * import No No version pinned; no requirements.txt or pyproject.toml found

Security Positives

✓ No network requests (no urllib, requests, httpx, socket calls)
✓ No credential or environment variable access
✓ No base64, eval, or obfuscation
✓ No sensitive file/path access (~/.ssh, ~/.aws, .env)
✓ No data exfiltration or C2 communication
✓ No reverse shell, no subprocess abuse
✓ Clean OOXML manipulation using the python-docx library API
✓ No hidden instructions in comments or documentation