If you discover a security vulnerability in docx-cli, please report it privately:
- Open a GitHub security advisory, or
- Email kklimuk@gmail.com.
Please don't open a public issue for security-sensitive reports. We aim to acknowledge within 72 hours and to ship a fix or mitigation promptly.
Security fixes target the latest published release. Older versions are not maintained — upgrade with:
```sh
curl -fsSL https://raw.githubusercontent.com/kklimuk/docx-cli/main/install.sh | sh
# or
bun add -g bun-docx
```

Every release publishes a `SHA256SUMS` manifest alongside the prebuilt binaries. `install.sh` and the skill's `scripts/bootstrap.sh` download the binary, verify its SHA-256 against that manifest, and pin to a release tag (not a moving branch) before installing — they never pipe a remote script into a shell.
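
The manifest check described above can also be done by hand on a downloaded binary. The following is an added example, not the project's `install.sh`; it assumes the manifest uses `sha256sum`-style lines, and the function names and the `docx-sample` file are hypothetical.

```sh
#!/bin/sh
# Added example: check a downloaded file against a SHA256SUMS manifest, failing closed.
# Assumes sha256sum-style lines ("<64 hex>  <name>") and names without whitespace.

sha256_of() {  # print the lowercase hex SHA-256 of file $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_against_manifest FILE MANIFEST
# 0 = digest matches, 1 = digest mismatch, 2 = unreadable input or no single valid entry
verify_against_manifest() {
    file=$1; manifest=$2
    [ -r "$file" ] && [ -r "$manifest" ] || return 2
    name=$(basename "$file")
    # Exact match on the name field; strip the optional "*" binary-mode marker.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1) }' "$manifest")
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;   # missing, malformed, or duplicated entry
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$file")
    [ -n "$actual" ] || return 2      # no hashing tool available
    [ "$actual" = "$expected" ]
}

# Constructed demo data: a stand-in "binary" and a manifest generated for it.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'constructed sample binary\n' > "$dir/docx-sample"
    printf '%s  %s\n' "$(sha256_of "$dir/docx-sample")" docx-sample > "$dir/SHA256SUMS"
    ok=0;  verify_against_manifest "$dir/docx-sample" "$dir/SHA256SUMS" || ok=$?
    printf 'tampered\n' >> "$dir/docx-sample"      # simulate a modified download
    bad=0; verify_against_manifest "$dir/docx-sample" "$dir/SHA256SUMS" || bad=$?
    rm -rf "$dir"
    echo "intact=$ok tampered=$bad"
}
demo
```

A missing or duplicated manifest entry returns 2 rather than passing, so a manifest that does not list the file is treated as a failure.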
docx-cli runs entirely locally against .docx files on disk and transmits no document content anywhere. The only network activity is:
- `docx render` — shells out to a locally installed Word (macOS/Windows) or LibreOffice to produce a PDF; no data leaves the machine.
- `skills/docx-cli/scripts/bootstrap.sh` and `install.sh` — fetch the prebuilt `docx` binary from this repo's GitHub Releases over HTTPS (binary download only).
Mutating commands overwrite the target file in place (git is the history); there is no telemetry and no external API.