GLM-OCR-SDK
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward cloud OCR skill, but it requires a Zhipu API key and may send documents to Zhipu for processing.
This skill is reasonable for OCR tasks if you trust the GLM-OCR SDK and Zhipu's cloud service. Before installing, verify the package source, protect `ZHIPU_API_KEY`, and avoid sending confidential documents unless external cloud processing is acceptable.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package gives locally executed SDK code access to the files and credentials used for OCR tasks.
The skill instructs installation of an external SDK without a version pin. This is central to the OCR SDK purpose, but users should verify the package source and version.
`# Install`
`pip install glmocr`
Install only from the expected trusted package source, consider pinning a known-good version, and keep the package updated.
Anyone who obtains the API key may be able to use the associated Zhipu account or incur API usage.
The skill requires a Zhipu API key and shows ways to provide it, including environment variables, `.env`, and direct CLI arguments. This is expected for the provider API but is sensitive credential handling.
`export ZHIPU_API_KEY=sk-xxx` ... `glmocr parse image.png --api-key sk-xxx`
Prefer environment variables or a secret manager over pasting keys into commands, avoid committing `.env` files, and rotate the key if exposed.
Documents submitted for OCR may leave the local machine and be processed by the external provider.
The skill discloses that document parsing is performed through an external cloud API. That is purpose-aligned, but document images/PDFs may contain sensitive information.
Invokes the GLM-OCR SDK (pip install glmocr) to parse documents via Zhipu's cloud API.
Use this skill only for documents you are allowed to send to Zhipu, and redact or avoid highly sensitive files unless the provider terms meet your requirements.
