Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Text Document Mind

Use Document Mind (DocMind) via Node.js SDK to submit document parsing jobs and poll results. Designed for Claude Code/Codex document understanding workflows.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description match the code and SKILL.md: it submits and polls DocMind jobs. However, the published registry metadata declares no required environment variables or primary credential even though both SKILL.md and scripts use Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and optionally ALICLOUD_REGION_ID). This mismatch between claimed requirements and what the code actually needs is a notable inconsistency.
Instruction Scope
Runtime instructions are mostly scoped to submitting jobs, polling results, and saving outputs (expected for a document-parsing provider). But there are small inconsistencies: SKILL.md shows constructing the endpoint dynamically using regionId, but scripts/quickstart.js hardcodes the endpoint to 'docmind-api.cn-hangzhou.aliyuncs.com' (ignoring regionId). The validation step runs a py_compile loop over *.py files (this repo contains only JS), which is irrelevant and suggests sloppy packaging. Otherwise the instructions do not attempt to read unrelated system files or exfiltrate data beyond normal API calls.
Install Mechanism
There is no install spec (instruction-only), which is lower risk. The SKILL.md instructs users to npm install specific @alicloud packages — this is expected for a Node.js SDK client. Because installation is manual (no automatic arbitrary URL downloads), install risk is moderate but typical for SDK-based skills. Verify the npm package publishers before installation.
Credentials
The code and SKILL.md require Alibaba Cloud credentials (access key ID/secret and optional region). The skill metadata, however, lists no required env vars or primary credential. This omission is significant: users may not realize they must provide cloud credentials, and the skill will read the credential provider chain at runtime. Also note the script reads DOCMIND_FILE_URL and will POST/GET network resources and write output files — those behaviors are proportional to the purpose but users should be explicit about what credentials and files they supply.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not declare elevated platform privileges, and does not modify other skills' configurations. It only writes artifacts to its own output directory as instructed in SKILL.md, which is expected for evidence and result storage.
What to consider before installing
This skill appears to be a DocMind client, but the package metadata is incomplete and some instructions are inconsistent. Before installing or running it:

  • Do not provide long-lived root Alibaba credentials blindly. Use least-privilege keys or temporary STS tokens.
  • Expect the code to read credentials from the environment or the SDK credential chain (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and optional ALICLOUD_REGION_ID). The registry metadata should be updated to declare these — treat the current omission as a packaging bug.
  • Review the npm packages (@alicloud/docmind-api20220711, @alicloud/credentials, @alicloud/tea-util) on the npm registry to confirm publisher authenticity.
  • Note the quickstart script hardcodes the cn-hangzhou endpoint even though SKILL.md suggests using regionId; confirm endpoint behavior if you need another region.
  • The script will upload or request files by URL and write results to local output/ directories. Do not submit sensitive documents to publicly-hosted URLs unless you intend to make them public.
  • Because SKILL.md contains an unrelated Python validation step, inspect the repository locally and run the code in an isolated environment (or review the code) before supplying credentials or production data.

If the author fixes the metadata to declare required env vars and removes the irrelevant validation step (or documents it), confidence in the package would increase.
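One way to check the metadata mismatch described above before installing a skill, as an added example that is not part of the scan output or of the skill itself. The `declared` list is a hypothetical stand-in for the registry metadata (its real format is not shown on this page), and the implicit credential variable names are the ones SKILL.md lists.

```javascript
// Added example: find the environment variables a script reads and diff them
// against the variables its metadata declares. `declared` is a hypothetical
// stand-in for the registry metadata.

// Matches process.env.NAME, process.env['NAME'] and process.env["NAME"].
const ENV_REF = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*['"]([^'"]+)['"]\s*\])/g;

// Modules that read credentials without a visible process.env reference.
// Variable names are the ones this page's SKILL.md lists; confirm them
// against the SDK version actually installed.
const IMPLICIT_READS = {
  '@alicloud/credentials': ['ALICLOUD_ACCESS_KEY_ID', 'ALICLOUD_ACCESS_KEY_SECRET'],
};

function envVarsUsed(source) {
  const used = new Set();
  for (const m of source.matchAll(ENV_REF)) used.add(m[1] || m[2]);
  for (const [mod, vars] of Object.entries(IMPLICIT_READS)) {
    const required = [`require('${mod}')`, `require("${mod}")`]
      .some((s) => source.includes(s));
    if (required) vars.forEach((v) => used.add(v));
  }
  return [...used].sort();
}

function auditEnv(source, declared) {
  const used = envVarsUsed(source);
  return {
    used,
    undeclared: used.filter((v) => !declared.includes(v)),
    unused: declared.filter((v) => !used.includes(v)).sort(),
  };
}

// Constructed sample, modelled on the quickstart shown on this page.
const SAMPLE = `
const Credential = require('@alicloud/credentials');
const cred = new Credential.default();
const regionId = process.env.ALICLOUD_REGION_ID || 'cn-hangzhou';
const fileUrl = process.env['DOCMIND_FILE_URL'];
const maxPolls = Number(process.env.DOCMIND_MAX_POLLS || 120);
`;

console.log(auditEnv(SAMPLE, [])); // empty list: metadata declares nothing
```

A non-empty `undeclared` list is the condition the scan reports here; `unused` catches the opposite drift, where metadata asks for a variable the code never reads.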

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.2

SKILL.md

Category: provider

Document Mind (DocMind) — Node.js SDK

Use DocMind to extract document structure, text, and layout with async jobs.

Prerequisites

  • Install SDKs:
    • npm install @alicloud/docmind-api20220711 @alicloud/tea-util @alicloud/credentials
  • Provide credentials via standard Alibaba Cloud env vars:
    • ALICLOUD_ACCESS_KEY_ID
    • ALICLOUD_ACCESS_KEY_SECRET
    • ALICLOUD_REGION_ID (optional default; if unset, choose the most reasonable region for the task or ask the user)

Quickstart (submit + poll)

const Client = require('@alicloud/docmind-api20220711');
const Credential = require('@alicloud/credentials');
const Util = require('@alicloud/tea-util');

const cred = new Credential.default();
const regionId = process.env.ALICLOUD_REGION_ID || 'cn-hangzhou'; // Example default; choose/ask if unset.
const client = new Client.default({
  endpoint: `docmind-api.${regionId}.aliyuncs.com`,
  accessKeyId: cred.credential.accessKeyId,
  accessKeySecret: cred.credential.accessKeySecret,
  type: 'access_key',
  regionId,
});

async function submitByUrl(fileUrl, fileName) {
  const req = new Client.SubmitDocStructureJobRequest();
  req.fileUrl = fileUrl;
  req.fileName = fileName;
  const resp = await client.submitDocStructureJob(req);
  return resp.body.data.id;
}

async function pollResult(jobId) {
  const req = new Client.GetDocStructureResultRequest();
  req.id = jobId;
  const resp = await client.getDocStructureResult(req);
  return resp.body;
}

(async () => {
  const jobId = await submitByUrl('https://example.com/example.pdf', 'example.pdf');
  console.log('jobId:', jobId);

  // Poll every 10s until completed.
  for (;;) {
    const result = await pollResult(jobId);
    if (result.completed) {
      console.log(result.status, result.data || result.message);
      break;
    }
    await new Promise((r) => setTimeout(r, 10000));
  }
})();

Script quickstart

DOCMIND_FILE_URL="https://example.com/example.pdf" \
node skills/ai/text/alicloud-ai-text-document-mind/scripts/quickstart.js

Environment variables:

  • DOCMIND_FILE_URL
  • DOCMIND_FILE_NAME (optional)
  • DOCMIND_POLL_INTERVAL_MS (optional, default 10000)
  • DOCMIND_MAX_POLLS (optional, default 120)
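A pre-flight check for the settings above, as an added example that is not the skill's quickstart.js. It validates the region before it is interpolated into the endpoint hostname and bounds the polling values; the region pattern, the https-only rule and the numeric limits are assumptions chosen for this example.

```javascript
// Added example: resolve and validate the quickstart's settings before any
// client is built or any request is signed.

// Assumed shape of a region id, e.g. cn-hangzhou or ap-southeast-1.
const REGION_RE = /^[a-z]{2}(?:-[a-z0-9]+){1,3}$/;

function boundedInt(raw, fallback, min, max, name) {
  if (raw === undefined || raw === '') return fallback;
  const n = Number(raw);
  if (!Number.isInteger(n) || n < min || n > max) {
    throw new Error(`${name} must be an integer between ${min} and ${max}`);
  }
  return n;
}

function resolveConfig(env) {
  const regionId = env.ALICLOUD_REGION_ID || 'cn-hangzhou'; // SKILL.md's example default
  // The region becomes part of the hostname that receives the signed request.
  if (!REGION_RE.test(regionId)) {
    throw new Error('ALICLOUD_REGION_ID is not a plain region id');
  }
  if (!env.DOCMIND_FILE_URL) throw new Error('DOCMIND_FILE_URL is required');
  const url = new URL(env.DOCMIND_FILE_URL); // throws TypeError if malformed
  if (url.protocol !== 'https:') throw new Error('DOCMIND_FILE_URL must use https');
  if (url.username || url.password) {
    throw new Error('DOCMIND_FILE_URL must not embed credentials');
  }
  const lastSegment = url.pathname.split('/').filter(Boolean).pop();
  return {
    regionId,
    endpoint: `docmind-api.${regionId}.aliyuncs.com`,
    fileUrl: url.href,
    fileName: env.DOCMIND_FILE_NAME || lastSegment || 'document',
    // Defaults are the ones listed above; the min/max limits are assumptions.
    pollIntervalMs: boundedInt(env.DOCMIND_POLL_INTERVAL_MS, 10000, 1000, 60000,
      'DOCMIND_POLL_INTERVAL_MS'),
    maxPolls: boundedInt(env.DOCMIND_MAX_POLLS, 120, 1, 720, 'DOCMIND_MAX_POLLS'),
  };
}

// Constructed sample environment.
const sampleEnv = {
  ALICLOUD_REGION_ID: 'cn-hangzhou',
  DOCMIND_FILE_URL: 'https://example.com/example.pdf',
};
console.log(resolveConfig(sampleEnv));
```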

Local file upload

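const fs = require('fs');

// Reuses `Client`, `Util` and `client` from the quickstart above.
async function submitLocalFile(filePath, fileName) {
  const advanceReq = new Client.SubmitDocStructureJobAdvanceRequest();
  advanceReq.fileUrlObject = fs.createReadStream(filePath);
  advanceReq.fileName = fileName;
  const runtime = new Util.RuntimeOptions({});
  // `await` is only valid inside an async function in a CommonJS script.
  const resp = await client.submitDocStructureJobAdvance(advanceReq, runtime);
  return resp.body.data.id;
}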

Notes for Claude Code/Codex

  • DocMind is async: submit a job, then poll until completed=true.
  • Poll every ~10s; max processing window is 120 minutes.
  • Keep files publicly accessible when using URL submission.

Error handling

  • UrlNotLegal: URL not publicly accessible or malformed.
  • DocProcessing: job still running; keep polling.
  • Fail: check message and error code for root cause.

Validation

mkdir -p output/alicloud-ai-text-document-mind
for f in skills/ai/text/alicloud-ai-text-document-mind/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/alicloud-ai-text-document-mind/validate.txt

Pass criteria: command exits 0 and output/alicloud-ai-text-document-mind/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/alicloud-ai-text-document-mind/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Workflow

  1. Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
  2. Run one minimal read-only query first to verify connectivity and permissions.
  3. Execute the target operation with explicit parameters and bounded scope.
  4. Verify results and save output/evidence files.

References

  • DocMind Node.js SDK: @alicloud/docmind-api20220711

  • Source list: references/sources.md
