Skill v1.0.0
ClawScan security
OCR Space: Free OCR API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 9:34 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (calling OCR.space with the free test key); nothing requests unrelated credentials or installs arbitrary code, though it does rely on Python packages that are not declared and it uploads user images to a third-party API.
- Guidance: This skill appears to do what it says: it reads images and uploads them to OCR.space using the free test key. Before installing, consider: (1) it will transmit image data to a third-party server — don't send sensitive images unless you accept that. (2) You need Python packages 'requests' and 'Pillow' installed; SKILL.md doesn't list them, so install them (pip install requests pillow) or run the script in a controlled environment. (3) If you plan to use a paid API key, remove the hardcoded 'helloworld' and provide your key securely (avoid committing it into the file). (4) Test the script locally to confirm behavior and network calls before allowing any agent to invoke it autonomously.
Review Dimensions
- Purpose & Capability (ok): Name/description match implementation: the script posts images to https://api.ocr.space/parse/image using the free test key ('helloworld') and returns parsed text. No unrelated services, binaries, or credentials are requested.
- Instruction Scope (ok): SKILL.md and the script confine actions to reading the provided image path (or accepting base64), optionally compressing it, and POSTing it to the OCR.space API. There are no instructions to read other system files, environment secrets, or to exfiltrate data to unexpected endpoints.
- Install Mechanism (note): No install spec (instruction-only) and no network downloads, which is low risk. However, the included Python script requires third-party packages ('requests' and Pillow) that are not declared in the metadata or SKILL.md; the skill will fail or raise import errors unless those are installed.
- Credentials (note): No environment variables or credentials are required. The script hardcodes API_KEY='helloworld' (the documented free test key), which matches the SKILL.md. If a user wants to use a private paid key they would need to change the script or add a mechanism to supply it.
- Persistence & Privilege (ok): Skill is not always-enabled, does not request persistent platform-wide privileges, and does not modify other skills or global agent settings.
