paddleocr-vl-locally

Things to check before installing or running this skill: - Confirm environment variables: the registry lists only PADDLEOCR_DOC_PARSING_API_URL, but the code can also read PADDLEOCR_ACCESS_TOKEN, PADDLEOCR_BASIC_AUTH_USER, PADDLEOCR_BASIC_AUTH_PASSWORD, and PADDLEOCR_DOC_PARSING_TIMEOUT. If you will provide tokens/passwords, treat them as sensitive and verify the skill truly needs them. - Understand data exposure: the SKILL.md mandates showing the COMPLETE extracted content (all text, tables, formulas). If you plan to parse sensitive documents, this behavior can leak secrets or private information. Consider whether you want the agent to automatically reveal full outputs or prefer truncation/summarization/approval steps. - File persistence: results are saved by default under the system temp directory. Decide if that is acceptable; if not, use --stdout or a secure output path and remove temp files after processing. - Inspect and test locally: because the skill is script-based (no automatic install), review the included scripts (vl_caller.py, lib.py) and run smoke_test.py (or --skip-api-test) in a controlled environment. The socket/URL you configure for PADDLEOCR_DOC_PARSING_API_URL should be trusted (local or internal endpoint preferred). - Operational advice: restrict the API URL to an internal host if possible, rotate tokens used by the skill, and avoid enabling this skill for autonomous runs against sensitive data until you are comfortable with its behavior. If you want higher assurance, ask the author to: (1) list all environment variables in the skill metadata, (2) make the 'display full content' behavior opt-in, and (3) add an option to avoid writing results to disk by default.