mineru document extractor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a legitimate document extraction skill, but it uploads documents to MinerU and installs an external CLI, so users should confirm that they trust the package and accept the privacy implications before use.
Before installing, confirm that mineru-open-api is the official package you intend to trust. Do not upload confidential documents or private/internal URLs unless MinerU's privacy terms and your organization's policies allow it. If you use authenticated extraction, protect and periodically rotate the MinerU token.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private PDFs, images, Office files, or web content submitted for extraction may be sent to MinerU's servers.
The skill clearly discloses that documents are processed by an external provider API, which is expected for this cloud extraction workflow but means user files leave the local environment.
Document content is transmitted to the MinerU API (mineru.net) for server-side extraction.
Only submit documents and URLs you are allowed to share with MinerU, and verify MinerU's privacy and retention terms for confidential or regulated content.
A MinerU token may grant access to the user's MinerU account or quota for higher-limit extraction and crawling.
The skill may use an API token from a command-line flag, environment variable, or local config file for authenticated MinerU operations.
mineru-open-api auth ... export MINERU_TOKEN="your-token" ... Token resolution order: `--token` flag > `MINERU_TOKEN` env > `~/.mineru/config.yaml`.
Use a dedicated or least-privileged token if available, keep it out of shared logs, and revoke or rotate it if it may have been exposed.
The behavior ultimately depends on the external mineru-open-api package version installed on the user's machine.
The skill relies on installing an external CLI package, and the Go example uses '@latest' rather than a pinned version. This is purpose-aligned but leaves package provenance and future changes outside the reviewed artifacts.
npm install -g mineru-open-api ... go install github.com/opendatalab/MinerU-Ecosystem/cli/mineru-open-api@latest
Install from the official package/source, consider pinning a known version, and review the upstream project before using it on sensitive documents.
