PaddleOCR Document Parsing V2
PassAudited by ClawScan on May 1, 2026.
Overview
The skill matches its stated OCR purpose, but it uploads chosen documents to a configured PaddleOCR service and uses an API token, so only process files you are comfortable sharing.
Before installing, verify that PADDLEOCR_API_URL and PADDLEOCR_JOB_URL point to endpoints you trust, use a limited/revocable PaddleOCR token, and do not process confidential documents unless you are comfortable uploading them to that service.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API URL is set incorrectly or to an untrusted endpoint, the PaddleOCR token could be exposed.
The script uses the PaddleOCR access token in API authorization headers. This is expected for the OCR service, but the token is sent to the configured endpoint.
"Authorization": f"token {token}"Use a trusted PaddleOCR endpoint, keep the token scoped and revocable, and avoid sharing the token in logs or chats.
Documents may contain private, business, or regulated information that will be sent to the configured OCR provider.
For local files, the script reads the selected document, encodes it, and posts it to the configured OCR API. This is central to the skill's purpose but means document contents leave the local machine.
file_bytes = path.read_bytes()
file_data = base64.b64encode(file_bytes).decode("ascii")
response = requests.post(api_url, json=payload, headers=headers, timeout=600)Only parse documents you are allowed to upload, confirm the provider's retention/privacy terms, and avoid using this on highly sensitive files unless approved.
It may be harder to independently verify the package origin or compare it with an upstream project.
The registry information does not identify a source repository. The included scripts are visible and no install-time download is shown, so this is a provenance note rather than a behavior concern.
Source: unknown
Review the included scripts before use and prefer installing from publishers or repositories you trust.