MinerU PDF Parser
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process with access to that token may be able to use the user’s MinerU API quota or account permissions.
The skill relies on a MinerU bearer token and recommends storing it as an environment variable. This is purpose-aligned for calling the MinerU API, but it is still an account credential that should be protected.
Authorization: Bearer $MINERU_TOKEN ... export MINERU_TOKEN="your_api_key_here"
Use a MinerU token with the minimum needed permissions if available, keep it out of shared files/logs, and rotate it if it may have been exposed.
Private PDFs, Office files, images, or document URLs submitted for parsing may be processed and stored according to MinerU’s service policies.
The workflow sends document URLs and, for batch parsing, uploads files to MinerU-provided presigned URLs. This is central to the skill’s document-parsing purpose, but it means selected documents leave the local environment.
curl -X POST "https://mineru.net/api/v4/extract/task" ... "url": "https://arxiv.org/pdf/2410.17247" ... 上传文件到返回的 presigned URLs
Before using the skill on sensitive documents, review MinerU’s privacy/retention terms and only submit files you are comfortable sending to that external service.