free-ocr-zc

Advisory

Audited by Static analysis on May 4, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can make authenticated OpenRouter requests using the user's API key, potentially consuming quota or credits.

Why it was flagged

The script reads an OpenRouter API key from a local secrets file or environment variable. This is expected for the stated OpenRouter integration, but the registry requirements list no required environment variables or primary credential.

Skill content
secrets_path = r"C:\Users\Administrator\.openclaw\secrets\openrouter.env" ... return os.getenv("OPENROUTER_API_KEY")
Recommendation

Use a limited or dedicated OpenRouter key if possible, store it only in a secure secrets location, and update the skill metadata to declare OPENROUTER_API_KEY.

What this means

Images processed with this skill may leave the local machine and be handled by OpenRouter and the selected model provider.

Why it was flagged

The skill transmits the selected image to OpenRouter for OCR. This is disclosed and central to the skill, but it may include private image contents.

Skill content
It sends a multimodal request containing: ... The image (encoded as base64 if local, or passed directly if URL)
Recommendation

Only run it on images you are comfortable sending to OpenRouter, and review the provider's data handling terms for sensitive documents.

What this means

Running the primary script may send the image twice and may output non-text image details, with possible extra latency or API usage.

Why it was flagged

The documented command uses ocr.py, which performs an additional image-description API call before OCR. This is related to image analysis but broader than strict text extraction.

Skill content
description_prompt = "请详细描述这张图片的内容,包括物体、场景、颜色等细节。" ... description = analyze_image(client, image_input, description_prompt)
Recommendation

Disclose the description step clearly, remove it if OCR-only behavior is intended, or direct users to an OCR-only script such as ocr_final.py/ocr_fixed.py.

What this means

Users may install whatever versions are current at install time, which can affect reproducibility and supply-chain risk.

Why it was flagged

The setup relies on manual installation of unpinned PyPI dependencies. This is normal for this type of Python API wrapper, but it lacks version pinning or a lockfile in the provided artifacts.

Skill content
Required packages: `openai`, `requests` (install via `pip install openai requests`)
Recommendation

Install in a virtual environment and consider pinning known-good versions of openai and requests.