GLM-OCR-SDK
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: glmocr-sdk Version: 1.0.4 The 'glmocr-sdk' skill bundle provides documentation and instructions for an AI agent to perform OCR tasks using the legitimate GLM-OCR SDK and Zhipu's cloud API. The SKILL.md file contains standard usage examples for both Python and CLI interfaces, requires a standard API key (ZHIPU_API_KEY), and lacks any indicators of malicious intent, unauthorized data access, or harmful prompt-injection instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package gives locally executed SDK code access to the files and credentials used for OCR tasks.
The skill instructs installation of an external SDK without a version pin. This is central to the OCR SDK purpose, but users should verify the package source and version.
# Install pip install glmocr
Install only from the expected trusted package source, consider pinning a known-good version, and keep the package updated.
Anyone who obtains the API key may be able to use the associated Zhipu account or incur API usage.
The skill requires a Zhipu API key and shows ways to provide it, including environment variables, `.env`, and direct CLI arguments. This is expected for the provider API but is sensitive credential handling.
export ZHIPU_API_KEY=sk-xxx ... glmocr parse image.png --api-key sk-xxx
Prefer environment variables or a secret manager over pasting keys into commands, avoid committing `.env` files, and rotate the key if exposed.
Documents submitted for OCR may leave the local machine and be processed by the external provider.
The skill discloses that document parsing is performed through an external cloud API. That is purpose-aligned, but document images/PDFs may contain sensitive information.
Invokes the GLM-OCR SDK (pip install glmocr) to parse documents via Zhipu's cloud API.
Use this skill only for documents you are allowed to send to Zhipu, and redact or avoid highly sensitive files unless the provider terms meet your requirements.