ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Doc Parse

v0.4.0

Parse and extract structured content from Word documents (.doc, .docx) into well-organized Markdown using MinerU. Preserves the full document hierarchy: head...

0· 193·0 current·0 all-time
by@mzlzyca
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the declared requirements: the skill uses the mineru-open-api CLI to parse .doc/.docx into Markdown. Requesting the mineru-open-api binary and a MINERU_TOKEN is consistent with a cloud-backed CLI. However, SKILL.md explicitly says 'flash-extract' for .docx requires no token while the registry metadata lists MINERU_TOKEN as a required env var/primary credential — this is an internal inconsistency.
Instruction Scope
SKILL.md instructs only running the mineru-open-api CLI on local files or URLs and how to set MINERU_TOKEN. It does not direct reading unrelated system files, scanning shell history, or exfiltrating data to unexpected endpoints. The instructions do not clarify whether processing happens locally or via MinerU's API; that ambiguity is important for privacy but not a scope creep in itself.
Install Mechanism
Install options are standard: an npm package 'mineru-open-api' and a Go 'github.com/opendatalab/...' install path (GitHub). These are expected for a CLI authored by the MinerU project. No arbitrary binary downloads or obscure URLs are present in the install spec.
Credentials
Requesting MINERU_TOKEN as the primary credential is reasonable for an API-backed CLI and required for some operations (.doc extract). But marking MINERU_TOKEN as globally required conflicts with SKILL.md which says quick .docx 'flash-extract' requires no token. Also the skill does not declare additional unrelated credentials, which is good.
Persistence & Privilege
always:false (default) and autonomous invocation allowed (platform default). The skill does not request persistent system-wide privileges or modification of other skills/configuration in the provided instructions.
What to consider before installing
This skill appears to do what it says (wrap the MinerU CLI to parse .doc/.docx), but there are two things to check before installing: (1) credential discrepancy — the registry metadata marks MINERU_TOKEN as required, yet SKILL.md says flash-extract for .docx works without a token; verify whether you can use quick parsing without providing a token. (2) data handling/privacy — the CLI likely communicates with MinerU's service (mineru.net) for at least some operations; confirm whether document content is uploaded, how long it's retained, and whether that is acceptable for your documents. Also confirm the npm package and GitHub repo are the official MinerU releases (inspect the mineru-open-api source) and only provide a token with minimal necessary scope. If you need higher assurance, run the CLI in a sandbox or review the open-source repo and network calls before sending sensitive documents.

Like a lobster shell, security has layers — review code before you run it.

latestvk979s5cknats9epvjve1yqqkhs844dmm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📄 Clawdis
Binsmineru-open-api
EnvMINERU_TOKEN
Primary envMINERU_TOKEN

Install

Install via npm
Bins: mineru-open-api
npm i -g mineru-open-api
Install via go install
Bins: mineru-open-api

Comments