百度文档解析vlm-parser
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it says—parse user-provided documents through Baidu's PaddleOCR-VL API—but users should notice that documents and parsed results leave the local environment and Baidu credentials are required.
This skill is reasonable to install if you are comfortable using Baidu's cloud API for document parsing. Use dedicated Baidu credentials, monitor quota or billing, do not submit documents you are not allowed to share with Baidu, and treat returned result URLs as sensitive.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the configured Baidu account key and quota when parsing documents.
The registry metadata under-declares the credential requirement even though SKILL.md instructs users to configure BAIDU_DOC_AI_API_KEY and BAIDU_DOC_AI_SECRET_KEY for the stated Baidu API integration.
Required env vars: none ... Primary credential: none
Use a dedicated Baidu API application/key, store the secret securely, monitor quota or billing, and avoid passing secrets on the command line where possible. The publisher should declare these credentials in metadata.
Documents, images, or document URLs selected for parsing may be processed outside the local environment by Baidu.
The documentation discloses that document contents or a document URL are submitted to Baidu's external API, which is central to the skill's purpose but sensitive for private documents.
`file_data` ... 文件 Base64 编码数据 ... 请求 URL: `https://aip.baidubce.com/rest/2.0/brain/online/v2/paddle-vl-parser/task?access_token={token}`Only use this skill for documents you are allowed to send to Baidu's service, and review Baidu's data handling terms before parsing confidential or regulated files.
Anyone with access to returned result URLs may be able to view parsed document output while the links remain valid.
The skill documents that parsed output links are provider-hosted and remain valid for 30 days, meaning parsed content may persist outside the local session.
`result.markdown_url` ... 有效期 30 天 ... `result.parse_result_url` ... 有效期 30 天
Treat returned result links as sensitive, avoid sharing them unnecessarily, and check provider options if you need earlier deletion or stricter retention.