ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MinerU zero-setup document extraction — convert PDFs, images, Word, and PowerPoint to Markdown instantly. No login, no token, no configuration. Just run and get results

v0.2.1

MinerU fast extract — zero-setup, instant document extraction. Convert PDFs, images, Word (DOCX), and PowerPoint (PPTX) to Markdown with no login, no token,...

0· 135·2 current·2 all-time
by@mineru-extract
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the requested artifact: the skill only requires a single CLI binary (mineru-open-api) and its CLI commands in SKILL.md correspond to document extraction (PDF/Word/PPT/Image → Markdown). Requiring a mineru-open-api binary is coherent with the stated purpose.
!
Instruction Scope
Runtime instructions only tell the agent to invoke mineru-open-api flash-extract on local files or URLs. The SKILL.md does not disclose whether the CLI does all processing locally or uploads files to mineru.net or other remote services. The ability to pass remote URLs and the lack of any network/disclosure text is a scope concern because it affects confidentiality of documents the user provides.
Install Mechanism
Installers are npm (public registry) and go install from a GitHub module — these are common and traceable install routes. However, installing an npm package or a Go binary executes third‑party code on disk; that is expected but carries moderate risk. No direct downloads from unknown servers or URL shorteners were used.
!
Credentials
The skill declares no environment variables or credentials (which is consistent with 'no token' messaging). However, because the SKILL.md omits whether the CLI performs remote calls, there is an implicit risk that sensitive documents could be transmitted off‑device without requiring a token. The absence of any declared network endpoint or privacy statement is a proportionality/clarity concern.
Persistence & Privilege
The skill is not always: true, does not request persistent system configuration or other skills' configs, and only uses a single CLI tool — no elevated presence or special privileges are requested.
What to consider before installing
This skill appears to be a thin wrapper around a third‑party CLI (mineru-open-api). Before installing or using it on sensitive documents: 1) Inspect the mineru-open-api package and the referenced GitHub repo (check maintainers, recent commits, license, and whether processing is local). 2) Prefer running the CLI in a sandbox/container or on a throwaway VM for initial tests. 3) Test with non‑sensitive documents to observe network activity (e.g., monitor DNS/HTTP) to confirm whether files are uploaded. 4) If you need on‑device-only processing, verify the implementation explicitly states local processing or choose a well‑audited open‑source tool. If you cannot verify the binary's behavior, avoid using it with private or confidential documents.

Like a lobster shell, security has layers — review code before you run it.

latestvk9709vj1t5mgqa9vrc7ex7w03d84dmyh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Binsmineru-open-api

Install

Install via npm
Bins: mineru-open-api
npm i -g mineru-open-api
Install via go install
Bins: mineru-open-api

Comments