Low Risk — Risk Score 15/100
Last scan: 1 day ago
page-doc-generator
Generate Word documentation from mini-program/uni-app project screenshots and source code
Documentation generation skill with minor doc-to-code mismatch on shell execution, but no malicious behavior detected.
Skill Name: page-doc-generator
Duration: 19.4s
Engine: pi
Safe to install
Update SKILL.md to explicitly declare subprocess usage for pandoc invocation.

Findings: 1 item

Severity: Low
Finding: Shell execution not declared in SKILL.md (Doc Mismatch)
SKILL.md describes pandoc usage but does not explicitly state that the script invokes subprocess to run pandoc as an external command.
result = subprocess.run([pandoc, str(md_path), "-o", str(output_path), "--resource-path", str(md_path.parent)], capture_output=True, text=True, timeout=60)
→ Add 'Uses subprocess to invoke pandoc for DOCX conversion' to the capability declaration in SKILL.md
Location: scripts/convert_to_docx.py:57
Resource   | Declared   | Inferred   | Status    | Evidence
Filesystem | READ,WRITE | READ,WRITE | ✓ Aligned | Reads Vue files and images, writes markdown/docx output
Shell      | NONE       | WRITE      | ✓ Aligned | scripts/convert_to_docx.py:57 - subprocess.run for pandoc
1 finding
Medium External URL
https://pandoc.org/
scripts/convert_to_docx.py:58

File Tree

3 files · 16.7 KB · 555 lines
Python 2f · 443L Markdown 1f · 112L
├─ 📁 scripts
│ ├─ 🐍 convert_to_docx.py Python 116L · 3.0 KB
│ └─ 🐍 generate_page_doc.py Python 327L · 10.9 KB
└─ 📝 SKILL.md Markdown 112L · 2.8 KB

Security Positives

✓ No credential access or harvesting
✓ No network data exfiltration
✓ No obfuscated or base64-encoded code
✓ No sensitive file path access (~/.ssh, ~/.aws, .env)
✓ No remote script execution (curl|bash, wget|sh)
✓ No malicious dependencies or supply chain risks
✓ Code is clean, readable, and performs only stated documentation generation