universal-pdf-vision-parser
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent PDF-to-Markdown vision parser, but it sends PDF page images to DashScope/Qwen and needs careful API-key and package handling.
Install only if you are comfortable sending the selected PDF pages to DashScope/Qwen for cloud processing. Use a protected API key, avoid putting secrets directly in command history when possible, and install the Python dependencies in an isolated environment with pinned versions if you need stronger reproducibility.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private or sensitive PDF contents may be processed by Alibaba Cloud DashScope/Qwen.
The script embeds rendered PDF page images as base64 data and sends them to DashScope's Qwen-VL-Max API. This is the intended operation, but it means document contents leave the local machine.
{"image": f"data:image/png;base64,{base64_image}"}, ... MultiModalConversation.call(model='qwen-vl-max', messages=messages)
Only process documents that are allowed to be shared with that provider, and review the provider's privacy, retention, and compliance terms before use.
A DashScope key grants access to the user's provider account and may be exposed if pasted into shell history or visible process lists.
The skill uses a provider API key, which is expected for Qwen-VL-Max access. Users should still treat the key as sensitive, especially because SKILL.md demonstrates passing it on the command line and metadata does not declare a primary credential.
parser.add_argument("--api-key", required=False, help="DashScope API Key")
Prefer using the DASHSCOPE_API_KEY environment variable or another secret manager, use a least-privilege key if available, and rotate the key if it may have been exposed.
Future dependency versions could change behavior or introduce vulnerabilities.
The setup instructions install unpinned Python packages from the package index. These dependencies are expected for PDF rendering and DashScope access, but versions and provenance are not fixed.
pip install pymupdf dashscope
Install in a virtual environment and consider pinning reviewed versions of pymupdf and dashscope.
