Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
laiye-doc-processing
v1.3.0Enterprise-grade agentic document processing API. Accurately extracts key fields and line items from invoices, receipts, orders and more across 10+ file form...
⭐ 4· 389·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The described purpose (document extraction via Laiye ADP) matches the instructions and README which require ADP_ACCESS_KEY, ADP_APP_KEY, and ADP_APP_SECRET and call https://adp-global.laiye.com endpoints. However the registry metadata that accompanied the skill (the skill manifest shown in the registry) claims no required environment variables or primary credential — that is inconsistent with the SKILL.md/package README and could be an authoring or packaging error.
Instruction Scope
The SKILL.md gives explicit curl examples that upload file URLs or base64-encoded documents and include tenant/app credentials in headers/body. All runtime actions (HTTP POST to adp-global.laiye.com, file_base64 / file_url use) are coherent with a document-processing service. Important: these instructions will transmit potentially sensitive documents and secrets to a third-party endpoint — this is expected for a hosted OCR/extraction service but is a privacy/security consideration the user must accept.
Install Mechanism
Instruction-only skill with no install spec or code files to install. This is low-risk from an installation/execution perspective (nothing will be downloaded or written by the skill itself).
Credentials
The three environment variables referenced in SKILL.md (ADP_ACCESS_KEY, ADP_APP_KEY, ADP_APP_SECRET) are reasonable and proportional for an external SaaS API. The concern is that the registry metadata provided with the skill does not declare these required secrets, which could lead to silent or confusing credential requests at runtime or mismatch in permission prompts. Also, supplying these secrets enables the skill to call the remote API and transmit documents — treat them as highly sensitive and use least-privilege/scoped keys when possible.
Persistence & Privilege
The skill is not always-enabled, does not include an installer, and does not request system-level config paths beyond recommendations for storing credentials. It does not request persistent privileges in the agent platform.
What to consider before installing
Before installing: 1) Verify the provider and domain (adp-global.laiye.com) and confirm the GitHub repo/contact emails are legitimate; check the referenced docs and repo links. 2) Ask the skill publisher or marketplace to correct the registry metadata so required env vars (ADP_ACCESS_KEY, ADP_APP_KEY, ADP_APP_SECRET) are declared — the current mismatch is suspicious. 3) Understand that using the skill will send full documents (and any embedded sensitive data) to the external Laiye service; ensure this matches your privacy/compliance needs. 4) Do not paste production secrets; create scoped/test keys and test with non-sensitive documents first. 5) Prefer secret management (platform secret store) and rotate keys after testing. 6) If you need an on-prem/self-hosted option, ask the vendor for an enterprise/private deployment. If you cannot validate the publisher or metadata, refrain from installing or providing credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk972d8nh1am6qmj2qyd1s8ycmn82k57w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.