GLM-OCR-Handwriting
PassAudited by ClawScan on May 1, 2026.
Overview
This OCR skill is coherent and transparent, but it sends user-selected images or PDFs to ZhiPu's GLM-OCR API using your API key.
Before installing, make sure you are comfortable configuring a ZhiPu API key and sending the images or PDFs you OCR to ZhiPu's GLM-OCR service. Avoid using it on highly sensitive documents unless that provider relationship is acceptable to you.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing the skill must provide a ZhiPu API key, which can be used to make OCR API requests on that account.
The skill uses a provider API key as a bearer token. This is expected for the ZhiPu OCR integration and is sent to the fixed provider endpoint, but users should recognize that the key authorizes API usage.
api_key = _get_env("ZHIPU_API_KEY") ... headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}Use a dedicated or least-privileged API key if available, monitor provider usage, and avoid sharing the configured environment with untrusted skills.
Images or PDFs you ask it to OCR may leave your machine and be processed by ZhiPu's service.
For local-file OCR, the script reads the selected file, encodes it, and sends it in a JSON request to the external GLM-OCR API. This is central to the skill's purpose and is disclosed, but it may involve private document contents.
data = path.read_bytes(); b64 = base64.b64encode(data).decode("ascii") ... requests.post(api_url, json=payload, headers=headers, timeout=timeout)Only submit files you are comfortable sending to that provider, especially if they contain personal, legal, medical, financial, or confidential handwriting.
When this skill is used, the agent may stop instead of trying another OCR method if the API fails or is unavailable.
The skill gives strong control instructions that force the GLM-OCR workflow and prohibit fallback methods. This appears intended to keep OCR behavior consistent, but it also limits the agent from suggesting local or alternative approaches.
ONLY use GLM-OCR API ... NEVER parse handwriting yourself ... NEVER offer alternatives ... NO fallback methods
Install this skill if you specifically want GLM-OCR-based handwriting recognition; use another skill or workflow if you need local OCR or provider alternatives.
If requests is not already installed, setup may require installing a Python package from the package ecosystem.
The script depends on the external requests package, while the artifact set has no install spec or pinned dependency file. The dependency is common and purpose-aligned, but users may need to install it separately.
"Error: 'requests' is required. Please install it:\n" " pip install requests\n"
Install dependencies from trusted package indexes or a controlled environment, and prefer pinned dependencies if packaging is later added.