MinerU PDF Parser

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: mineru
Version: 1.0.1

The skill bundle describes the use of the MinerU API for document parsing, including instructions for API authentication, task submission, and result retrieval. All `curl` commands are directed to `https://mineru.net/`, which is the stated service endpoint. The `SKILL.md` file contains no evidence of prompt injection, data exfiltration (beyond using a provided API token), malicious execution patterns (e.g., `curl|bash`), persistence mechanisms, or obfuscation. All instructions and commands are directly aligned with the stated purpose of parsing documents.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any process with access to the MinerU API token may be able to use the user’s MinerU API quota or account permissions.

Why it was flagged

The skill relies on a MinerU bearer token and recommends storing it as an environment variable. This is purpose-aligned for calling the MinerU API, but it is still an account credential that should be protected.

Skill content

Authorization: Bearer $MINERU_TOKEN ... export MINERU_TOKEN="your_api_key_here"

Recommendation

Use a MinerU token with the minimum needed permissions if available, keep it out of shared files/logs, and rotate it if it may have been exposed.

What this means

Private PDFs, Office files, images, or document URLs submitted for parsing may be processed and stored according to MinerU’s service policies.

Why it was flagged

The workflow sends document URLs and, for batch parsing, uploads files to MinerU-provided presigned URLs. This is central to the skill’s document-parsing purpose, but it means selected documents leave the local environment.

Skill content

curl -X POST "https://mineru.net/api/v4/extract/task" ... "url": "https://arxiv.org/pdf/2410.17247" ... Upload files to the returned presigned URLs

Recommendation

Before using the skill on sensitive documents, review MinerU’s privacy/retention terms and only submit files you are comfortable sending to that external service.