
Security: kklimuk/docx-cli


SECURITY.md

Security Policy

Reporting a vulnerability

If you discover a security vulnerability in docx-cli, please report it privately:

Please don't open a public issue for security-sensitive reports. We aim to acknowledge within 72 hours and to ship a fix or mitigation promptly.

Supported versions

Security fixes target the latest published release. Older versions are not maintained — upgrade with:

curl -fsSL https://raw.githubusercontent.com/kklimuk/docx-cli/main/install.sh | sh
# or
bun add -g bun-docx

Install integrity

Every release publishes a SHA256SUMS manifest alongside the prebuilt binaries. install.sh and the skill's scripts/bootstrap.sh download the binary, verify its SHA-256 against that manifest, and pin to a release tag (not a moving branch) before installing — they never pipe a remote script into a shell.
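As an added example (not docx-cli's own install.sh or bootstrap.sh), a POSIX shell check of the kind described above: it looks up an asset's expected digest in a SHA256SUMS manifest, compares it with the downloaded file, and refuses both a mismatch and an asset the manifest does not list. The manifest line format, the asset name and the release tag are assumptions; the sample files are constructed inline.

```shell
#!/bin/sh
# Added example, not docx-cli's own install.sh or bootstrap.sh: verify a downloaded
# release asset against the release's SHA256SUMS manifest before installing it.
# Assumes the manifest uses the coreutils "<hex>  <filename>" line format.

# SHA-256 of a file as lowercase hex; shasum fallback for hosts without coreutils.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{ print $1 }'
}

# Expected digest for asset $2 from manifest $1; returns 1 if the asset is not listed.
expected_sum() {
  awk -v want="$2" '
    { name = $2; sub(/^\*/, "", name)            # a leading "*" marks binary mode
      if (name == want) { print tolower($1); found = 1; exit } }
    END { exit !found }' "$1"
}

# 0 = verified, 1 = digest mismatch, 2 = asset absent from the manifest.
# An unlisted asset is unverified, not trusted: it must never reach the install step.
verify_asset() {
  manifest=$1 file=$2 asset=$3
  want=$(expected_sum "$manifest" "$asset") || { echo "verify: $asset not in manifest" >&2; return 2; }
  got=$(sha256_of "$file")
  [ "$got" = "$want" ] && return 0
  echo "verify: $asset digest mismatch (expected $want, got $got)" >&2
  return 1
}

# Manifest and binary are fetched from the same immutable release tag, never from a
# branch. Tag and asset name here are placeholders.
release_url() {
  printf 'https://github.com/kklimuk/docx-cli/releases/download/%s/%s\n' "$1" "$2"
}

# Constructed sample "download": a genuine asset, a copy with one byte changed,
# and a manifest listing only the genuine one (digest of the bytes "hello").
demo_dir=$(mktemp -d)
printf 'hello' > "$demo_dir/docx-linux-x64"
printf 'hellp' > "$demo_dir/docx-linux-x64.tampered"
printf '%s  docx-linux-x64\n' 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 \
  > "$demo_dir/SHA256SUMS"

release_url v0.0.0-placeholder docx-linux-x64
verify_asset "$demo_dir/SHA256SUMS" "$demo_dir/docx-linux-x64" docx-linux-x64 && echo "genuine: OK"
verify_asset "$demo_dir/SHA256SUMS" "$demo_dir/docx-linux-x64.tampered" docx-linux-x64 || echo "tampered: rejected ($?)"
```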

Scope and data handling

docx-cli runs entirely locally against .docx files on disk and transmits no document content anywhere. The only network activity is:

  • docx render — shells out to a locally installed Word (macOS/Windows) or LibreOffice to produce a PDF; no data leaves the machine.
  • skills/docx-cli/scripts/bootstrap.sh and install.sh — fetch the prebuilt docx binary from this repo's GitHub Releases over HTTPS (binary download only).

Mutating commands overwrite the target file in place (git is the history); there is no telemetry and no external API.
