Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aliyun Docmind Extract
v1.0.0
Use when working with Document Mind (DocMind) via Node.js SDK to submit document parsing jobs and poll results. Designed for Claude Code/Codex document under...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code: both show a Node.js DocMind client that submits jobs and polls results. However, the registry metadata declares no required environment variables or primary credential even though the SKILL.md and quickstart.js require Alibaba Cloud access keys and region — an important mismatch.
Instruction Scope
SKILL.md instructs using ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET, submitting public file URLs (privacy risk), polling, and saving outputs. The validation step incorrectly attempts to py_compile *.py files in scripts/ even though the repo contains only a JavaScript quickstart, which is inconsistent and may cause false validation behavior. Instructions also recommend making files publicly accessible (expected for URL submission but exposes data).
Install Mechanism
No install spec is provided (instruction-only). The SKILL.md asks the user to npm install official @alicloud packages — this is expected and proportionate. No downloads from untrusted URLs or extract operations are present.
Credentials
The skill legitimately needs Alibaba Cloud credentials (access key ID/secret and optional region) and runtime DOCMIND_* env vars, but the package metadata does not declare these required envs or a primary credential. That mismatch is a transparency issue: the skill will require secrets at runtime despite listing none in metadata.
Persistence & Privilege
The skill does not request permanent/always presence, does not modify other skills, and does not include install-time persistence. Autonomous invocation is allowed (platform default) but not combined with other high privileges here.
What to consider before installing
Before installing:
(1) Recognize this is a DocMind Node.js client and it requires your Alibaba Cloud access key and secret — only provide keys with the minimum permissions needed and avoid using long-lived high-privilege keys.
(2) The skill metadata fails to declare these env vars; treat that as a red flag and prefer skills that list the credentials they need.
(3) The SKILL.md validation step references Python files that do not exist and the quickstart.js hardcodes the cn-hangzhou endpoint while the docs show a region-based endpoint — verify endpoint/region handling matches your needs.
(4) URL-based submission requires publicly accessible files; do not upload sensitive documents publicly.
(5) If you proceed, run the script in an isolated environment (or with temporary, scoped credentials), inspect quickstart.js locally, and rotate or revoke credentials after use.
Finally, ask the publisher for a homepage/source repo and corrected metadata (declared env vars + correct validation) before trusting this skill in production.
Like a lobster shell, security has layers — review code before you run it.
