wps-ocr
Review
Audited by ClawScan on May 1, 2026.
Overview
This OCR skill clearly discloses that it sends user-provided files to WPS/Kingsoft cloud for recognition and uses an API key; no hidden, destructive, or purpose-mismatched behavior is evidenced.
Before installing, make sure you are comfortable sending OCR files to aiwrite.wps.cn, configure the WPS_OCR_ACCESS_KEY securely, and only run the local-file mode on files you explicitly intend to upload.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Documents, screenshots, invoices, or photos submitted for OCR may be visible to and processed by Kingsoft/WPS cloud services.
The skill explicitly discloses that user-provided files are sent to an external OCR provider, so the data flow is purpose-aligned but privacy-sensitive.
This skill will send the file you provide to the official Kingsoft Office server (aiwrite.wps.cn) for recognition. ... Kingsoft Office services will access and process the content of your file.
Use it only for files you are comfortable sending to the WPS OCR service, and avoid submitting sensitive documents unless that is intended and acceptable.
Anyone with access to the configured environment file or process environment could potentially use the OCR API key.
The skill requires a WPS OCR access key and documents an optional persistent environment-file setup for that credential.
export WPS_OCR_ACCESS_KEY="your_client_access_key" ... echo 'export WPS_OCR_ACCESS_KEY="your_client_access_key"' >> ~/.openclaw/env
Store the key only in trusted environments, protect ~/.openclaw/env permissions, and rotate the key if it may have been exposed.
If pointed at the wrong local image or PDF, the skill could upload unintended local file contents to the OCR provider.
The local-file mode is disclosed and central to OCR, but it means the agent should only use explicit user-provided paths and not infer or explore local paths.
This skill supports local file uploads, and will only verify the file type without performing any verification on the path.
Confirm the exact file path before use, especially for private directories or sensitive PDFs/images.
Installation tooling may not automatically flag the dependency or credential requirement before use.
The registry-level contract under-declares setup requirements that SKILL.md documents, including the requests package and WPS_OCR_ACCESS_KEY.
Required env vars: none ... Install specifications: No install spec — this is an instruction-only skill.
Review SKILL.md setup instructions before running and ensure only the documented dependency and credential are configured.
