ade-mineru-api-skills
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent MinerU document-extraction wrapper, but installing and using it may run a remote installer, use a MinerU token, and send documents to the MinerU API.
Before installing, verify the MinerU installer URL and consider inspecting the script. Before using, confirm which files or URLs will be processed, protect your MinerU token, and avoid sending sensitive documents unless MinerU's data-handling terms are acceptable.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing could execute code from the remote MinerU installer on the user's machine.
The documented installation runs a remote script directly in the shell; this is a common CLI setup pattern but depends on trusting the remote CDN and installer contents.
curl -fsSL https://cdn-mineru.openxlab.org.cn/open-api-cli/install.sh | sh
Verify the installer source, inspect the script when possible, and prefer a signed or checksum-verified installer if available.
If invoked too broadly, the agent could process more files or URLs than intended or write outputs to an unexpected location.
The skill grants the agent access to the mineru CLI wildcard. That is central to the skill's purpose, but it allows batch extraction, crawling, stdin/list inputs, and output writes through mineru commands.
allowed-tools: Bash(mineru:*)
Confirm the exact input files, URL lists, and output directory before allowing broad or batch mineru commands.
The token may grant access to the user's MinerU account or quota.
The skill uses a MinerU API token and can read it from an environment variable or local config file. This is expected for the MinerU API, but it is still account-level credential use.
mineru auth # Interactive token setup export MINERU_TOKEN="your-token" # Or set via environment variable Token resolution order: `--token` flag > `MINERU_TOKEN` env > `~/.mineru/config.yaml`.
Use a dedicated MinerU token if possible, keep it out of logs and shared outputs, and rotate it if exposed.
Private PDFs, images, DOCX files, or crawled pages may be uploaded to or processed by MinerU.
The skill discloses use of the MinerU API for document extraction, which implies document content may cross from the local environment to an external provider.
description: MinerU document extraction CLI that converts PDFs, images, and web pages into Markdown, HTML, LaTeX, or DOCX via the MinerU API.
Only process documents you are allowed to share with MinerU, and check the provider's privacy, retention, and compliance terms for sensitive material.