ClawHub
Back to skill
v0.4.0

Doc To Text

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:28 AM.

Analysis

This skill is purpose-aligned for converting Word documents to readable text, but users should trust the MinerU CLI/provider and protect any MinerU token and private documents.

GuidanceBefore installing, verify that mineru-open-api is the official MinerU CLI, keep MINERU_TOKEN private, and only process documents whose contents you are comfortable handling through MinerU.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
npm install -g mineru-open-api
# or via Go (macOS/Linux):
go install github.com/opendatalab/MinerU-Ecosystem/cli/mineru-open-api@latest

The skill depends on installing an external global CLI package, and the Go command tracks the latest version rather than a pinned release. This is central to the skill, but users should trust the package source.

User impactInstalling the CLI gives that external package code execution on the user's machine during installation/use.
RecommendationInstall only from the official MinerU source, consider pinning or reviewing the package version where possible, and use a normal user account rather than elevated privileges.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
Token required for `.doc` and `extract`:

mineru-open-api auth             # Interactive token setup
export MINERU_TOKEN="your-token"

The skill requires a MinerU token for some modes. This is expected for a MinerU API-based extraction workflow, but it is still account credential material.

User impactAnyone with access to the token may be able to use the associated MinerU account/API quota or permissions.
RecommendationTreat MINERU_TOKEN as secret, avoid pasting it into shared logs or chats, and rotate it if it may have been exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceMediumStatusNote
SKILL.md
Supported input: .doc, .docx (local file or URL)
... Token required for `.doc` and `extract`

The skill processes local files or URLs through the MinerU CLI/API flow, with token-backed extraction for some modes. The artifacts do not provide detailed privacy or retention boundaries for document content.

User impactPrivate or sensitive Word documents may be handled by the MinerU tool/service during extraction, depending on the command used.
RecommendationUse this skill only with documents you are comfortable processing through MinerU, and review MinerU's privacy/data-handling terms for confidential files.