ClawHub

GLM-OCR-SDK

v1.0.3

Trigger when: (1) User wants to extract text, tables, formulas, or structured data from images/PDFs/scanned documents, (2) User mentions "OCR", "文字识别", "文档解析...

1· 230·0 current·0 all-time
byJared Wen@jaredforreal
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (python), and required environment variable (ZHIPU_API_KEY) match an SDK that calls Zhipu's OCR MaaS. The declared primary credential is exactly what the SDK needs.
Instruction Scope
SKILL.md confines actions to installing/using the glmocr SDK, providing API key via env/constructor/CLI, parsing documents, and serializing results. It references .env and optional env-file paths (expected for API-key provisioning) and does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints.
Install Mechanism
The skill is instruction-only (no install spec), and recommends 'pip install glmocr'. This is an expected, moderate-risk approach (third-party PyPI package). There are no downloads from unknown URLs, but users should verify the package provenance and review the package source before installing.
Credentials
Only ZHIPU_API_KEY is required (with optional SDK-specific env vars). No unrelated credentials or broad system config paths are requested. The ability to point to an arbitrary .env file is normal for convenience but could cause accidental exposure if misused.
Persistence & Privilege
always:false (no forced global presence). The skill does not request system-wide modifications or persistent privileges beyond using the API key; autonomous invocation is enabled by default but not combined with other concerning permissions.
Assessment
This skill appears to do what it says: call the GLM-OCR SDK against Zhipu's MaaS using a ZHIPU_API_KEY. Before installing/using it: (1) verify the glmocr pip package and its GitHub repo (ensure the project is legitimate and up-to-date); (2) keep your ZHIPU_API_KEY secret — prefer environment variables or a dedicated API key with minimal permissions; avoid embedding keys on command lines where shells or logs may record them; (3) when using --env-file / auto-discovery, avoid pointing to directories that contain other secrets (e.g., a system-wide .env); (4) consider testing in an isolated environment first (virtualenv/container) so the pip install cannot affect system packages. If you need higher assurance, review the glmocr package source before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c4c7xa0p3y9gbrm2dpgf7nh843k58

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📄 Clawdis
Binspython
EnvZHIPU_API_KEY
Primary envZHIPU_API_KEY

Comments