← 返回 Skills 市场
70
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install organize-messy-files-docx
功能描述
Comprehensive document creation, editing, and analysis with support for tracked changes, comments, formatting preservation, and text extraction. When Claude...
安全使用建议
This skill appears to implement .docx unpack/pack/validation and contains readable source code you can audit — that's a positive. Before installing or using it: (1) Review the bundled Python scripts (they are provided) to confirm you are comfortable with the subprocess calls (they call soffice and git) and local file reads/writes. (2) Verify and install required external tools the SKILL.md expects (pandoc, libreoffice/soffice, git, Node + docx npm package), since none are declared. (3) Be aware of the restrictive LICENSE.txt (proprietary, limits extracting/retaining materials) — ensure your intended use and storing of skill files complies with it. (4) Note the validator is hardcoded to look for tracked changes authored by 'Claude' — behavior may differ if you run a different agent. (5) Test the skill on non-sensitive documents in a sandbox first. If you need this in a production environment, either confirm the declared dependencies and integrate an install step or perform a security/legal review first.
功能分析
Type: OpenClaw Skill
Name: organize-messy-files-docx
Version: 0.1.0
The skill bundle provides a comprehensive toolkit for DOCX manipulation but contains several high-risk vulnerabilities and aggressive agent-steering instructions. Specifically, ooxml/scripts/unpack.py uses zipfile.extractall(), which is vulnerable to Zip Slip (arbitrary file write), and ooxml/scripts/validation/base.py utilizes lxml.etree.parse() without explicit protections against XML External Entity (XXE) attacks. Furthermore, SKILL.md employs prompt-injection-style 'meta-instructions' (e.g., 'MANDATORY - READ ENTIRE FILE', 'NEVER set any range limits') to override the agent's default behavior, which, while likely intended for context preservation, represents an attack surface for controlling agent execution.
能力标签
能力评估
Purpose & Capability
Name/description and included code (Python OOXML pack/unpack/validate scripts and JS docx guidance) are consistent with a .docx editing/validation skill. However the SKILL.md repeatedly assumes external tools and runtimes (pandoc, soffice/libreoffice, git, Node/npm and the docx JS package) are available and even tells the agent to use JavaScript toolchains; none of these binaries/dependencies are declared in the skill metadata. That mismatch (no declared dependencies or install spec while instructions expect many external tools) is disproportionate and incoherent.
Instruction Scope
Instructions are specific and focused on reading/unpacking/editing .docx files and validating tracked changes. Two risky/incoherent items: (1) the SKILL.md instructs the agent to 'MANDATORY - READ ENTIRE FILE' for large reference files (docx-js.md and ooxml.md) with no range limits, which broadens what the agent must parse before acting; (2) the redlining validator and workflow treat tracked changes authored by 'Claude' specially (hardcoded author name), which is a coupling to a specific LLM/agent identity and may behave unexpectedly with other agents. The runtime workflows call subprocesses and read/write local files — expected for this purpose, but they also rely on tools not declared.
Install Mechanism
There is no install spec (lowest formal install risk) and all tooling appears provided as source files bundled with the skill. That reduces hidden remote downloads, which is good. However the included Python scripts call external commands (soffice, git) via subprocess and the JS workflow assumes global npm packages; because the skill does not declare or install these, attempting to run features may fail or cause the agent to invoke system-level binaries.
Credentials
The skill requests no environment variables, no credentials, and no config paths — which is proportionate to its stated document-processing purpose. Note: it's still capable of reading and writing local files (unpack/pack) and running subprocesses, so file/system access is intrinsic to its functionality.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It also does not declare modifications to other skills or system-wide configuration. Autonomous invocation is allowed (platform default) but not combined with other privilege escalations.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install organize-messy-files-docx - 安装完成后,直接呼叫该 Skill 的名称或使用
/organize-messy-files-docx触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Bulk publish from all-task-skills-dedup
元数据
常见问题
docx 是什么?
Comprehensive document creation, editing, and analysis with support for tracked changes, comments, formatting preservation, and text extraction. When Claude... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 70 次。
如何安装 docx?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install organize-messy-files-docx」即可一键安装,无需额外配置。
docx 是免费的吗?
是的,docx 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
docx 支持哪些平台?
docx 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 docx?
由 lnj22(@lnj22)开发并维护,当前版本 v0.1.0。
推荐 Skills