Online Deepseek-OCR

v1.0.2

Perform cloud-based OCR on PNG, JPG, JPEG, and WEBP images using SiliconFlow's DeepSeek-OCR with automatic image preprocessing for enhanced recognition.

by qwq2023@qwq2023qwq
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill advertises cloud OCR using SiliconFlow and the code reads a local config.json apiKey and posts images (or image data URIs) to SiliconFlow's API endpoint. Required dependencies (requests, Pillow, numpy) match the described preprocessing and HTTP calls. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
SKILL.md and the code instruct the user to place an API key in a local config.json and to pass either local image paths or arbitrary image URLs. Passing arbitrary URLs will cause the third-party API to fetch those URLs (the code forwards the URL to SiliconFlow). This can leak access to internal-only resources (SSRF risk) or disclose sensitive internal URLs/contents to the external service. The instructions also direct storing the API key on disk in plaintext (config.json).
Install Mechanism
There is no automatic install script; dependencies are listed in a small pip requirements.txt (requests, Pillow, numpy), which is proportionate to image preprocessing and HTTP calls. No downloads from untrusted URLs or extract/install steps are present.
Credentials
No environment variables or unrelated credentials are requested. The skill requires a local config.json containing apiKey and baseUrl. Storing the API key in a plaintext file in the skill directory is functional but has privacy/operational trade-offs (risk of accidental commit or other local access). The baseUrl is configurable in config.json; if modified to a malicious host it could capture images and the apiKey.
Persistence & Privilege
The skill is user-invocable, not always-enabled, and does not request elevated platform privileges or modify other skills. It only persists the user-provided config.json in its own directory.
Assessment
This skill appears to do what it says (call SiliconFlow DeepSeek-OCR with local preprocessing). Before installing, consider:
- Keep your SiliconFlow API key private: config.json stores it in plaintext in the skill directory — avoid committing that file to source control and protect the filesystem location.
- Verify the baseUrl in config.json is the legitimate SiliconFlow endpoint (https://api.siliconflow.cn/v1). An attacker-controlled baseUrl could capture your images and key.
- Be careful when passing image URLs: if you provide internal or sensitive URLs (e.g., 169.254.169.254 or internal hostnames), those will be fetched by the external API and could leak sensitive data (SSRF/data-exfiltration risk). Prefer local files when possible.
- Review the SiliconFlow service terms and privacy policy before sending sensitive images to a third party.
- The pip dependencies are normal; run dependency installation in a controlled environment (virtualenv) if you have security concerns.

If you want stronger secrecy, consider modifying the code to read the API key from a protected environment variable or a secure secrets store rather than a plaintext file.

Like a lobster shell, security has layers — review code before you run it.
