Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MiniMax PDF OCR
v1.0.0使用 MiniMax Vision API 识别 PDF/图片中的文字
⭐ 0· 177·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The code and SKILL.md implement PDF→PNG conversion (pdftoppm/poppler) and send images to a MiniMax Vision API for OCR — this aligns with the skill name/description. However, the registry metadata (which claimed no required env vars or binaries) is inconsistent with the SKILL.md and code that require an API key (MINIMAX_API_KEY) and rely on a system binary (pdftoppm).
Instruction Scope
Runtime instructions are focused: convert PDF to images, base64-encode images, and POST them to https://api.minimax.chat/v1/text/chatcompletion_v2 for OCR, then save Markdown. The instructions do send image data (embedded as data URLs) to an external API — expected for an OCR skill but important for privacy. SKILL.md also instructs installing npm packages (openai, pdf2image) that the shipped code does not use; this is inconsistent but not directly harmful.
Install Mechanism
No install spec (instruction-only) lowers risk. The only non-JS install guidance is to install poppler (provides pdftoppm) via brew — a standard system package. There are no remote download/extract steps or obscure URLs in the install path.
Credentials
The code requires a single credential (MINIMAX_API_KEY) and optionally OUTPUT_DIR — proportional for a remote OCR API. However, the registry metadata incorrectly lists no required env vars; this discrepancy between declared requirements and actual code is a red flag (could be sloppy packaging or mis-declared permissions). No other credentials are requested.
Persistence & Privilege
The skill does not request persistent/always-on privileges and does not modify other skills or system-wide configs. It runs as a user-invoked Node script and only accesses the files you provide plus the environment API key.
What to consider before installing
This skill's code does what its name says: it converts PDF pages to images and uploads those images to a MiniMax Vision API to get OCR results, then writes a Markdown file. Before installing or using it, consider: 1) Privacy: images (full page content) are sent to https://api.minimax.chat — do not process sensitive/confidential documents unless you trust that service and its privacy policy. 2) Credentials: the code requires MINIMAX_API_KEY (set in env). The registry metadata incorrectly stated no env vars — verify you are comfortable providing that API key. 3) System dependency: pdftoppm (poppler) must be installed; SKILL.md mentions it but registry metadata omitted it. 4) Inconsistencies: SKILL.md recommends npm packages (openai, pdf2image) that are not used by the shipped code — this suggests sloppy packaging; prefer to inspect/run the script in a sandbox first. 5) Safety checks: check the API endpoint and the publisher before using with real secrets, and test on non-sensitive sample documents. If you want to proceed, run it locally in an isolated environment and verify network endpoints and outputs yourself. If you require higher assurance, ask the publisher to correct the metadata and provide provenance/hosting information.pdf-ocr-minimax.js:36
Shell command execution detected (child_process).
pdf-ocr-minimax.js:14
Environment variable access combined with network send.
pdf-ocr-minimax.js:58
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97bzntnemc3rbbmftvq8x4rax83dkym
License
MIT-0
Free to use, modify, and redistribute. No attribution required.