ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Qwen Ocr

v1.0.0

Use when OCR-specialized extraction is needed with Alibaba Cloud Model Studio Qwen OCR models (`qwen-vl-ocr`, `qwen-vl-ocr-latest`, and snapshots), including...

0· 10·0 current·0 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Qwen OCR helper) matches the included artifacts: SKILL.md, API reference, and a small Python script that prepares OCR request payloads. Requiring an Alibaba Cloud Dashscope API key is consistent with calling Model Studio endpoints. However, the skill metadata declares no required environment variables while the SKILL.md explicitly asks the user to set DASHSCOPE_API_KEY or add dashscope_api_key to ~/.alibabacloud/credentials — an incoherence in declared requirements.
Instruction Scope
Runtime instructions are narrowly scoped: validate the Python file compiles, generate and save a normalized request payload to output/aliyun-qwen-ocr/request.json, and keep run metadata. The SKILL.md tells the agent how to format requests and which models/tasks to use. It does not instruct the agent to read unrelated system files or exfiltrate data. The only notable instruction beyond payload prep is to supply a DASHSCOPE_API_KEY (see environment_proportionality).
Install Mechanism
There is no install spec and the skill is instruction-only plus a small helper script — nothing is downloaded or written during install. This is low-risk from an install perspective.
!
Credentials
The SKILL.md requires DASHSCOPE_API_KEY (or a dashscope_api_key entry in ~/.alibabacloud/credentials) to call Alibaba endpoints, which is reasonable for the stated purpose. However, the registry metadata lists no required environment variables or primary credential — this mismatch is concerning because a user may not realize an API key is needed or that the skill expects it. Additionally, the SKILL.md recommends installing the 'requests' package, but the included Python script does not import or use requests (the script only constructs JSON payloads). These inconsistencies should be resolved so users understand what secrets and dependencies are actually required.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges. always is false and disable-model-invocation is false (normal). The skill writes only to its own output directory and does not modify other skills or system-wide configs.
What to consider before installing
This skill is basically a small helper that builds Qwen OCR request JSON; it does not itself send requests. Before installing, ask the publisher to fix two things: (1) declare DASHSCOPE_API_KEY (or equivalent) in the skill metadata if the skill expects an API key, and (2) remove or justify the 'requests' dependency note (the included script does not use requests). If you do provide an API key, treat it like any cloud credential: limit its permissions, store it securely (not in shared shells), and audit usage. If you don't trust the publisher, inspect or run the prepare_ocr_request.py locally in a sandbox and avoid giving the API key until metadata is corrected.

Like a lobster shell, security has layers — review code before you run it.

latestvk977zpy9mrn748azgcn9rz0aps841rhe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Category: provider

Model Studio Qwen OCR

Validation

mkdir -p output/aliyun-qwen-ocr
python -m py_compile skills/ai/multimodal/aliyun-qwen-ocr/scripts/prepare_ocr_request.py && echo "py_compile_ok" > output/aliyun-qwen-ocr/validate.txt

Pass criteria: command exits 0 and output/aliyun-qwen-ocr/validate.txt is generated.

Output And Evidence

  • Save request payloads, selected OCR task name, and normalized output expectations under output/aliyun-qwen-ocr/.
  • Keep the exact model, image source, and task configuration with each saved run.

Use Qwen OCR when the task is primarily text extraction or document structure parsing rather than broad visual reasoning.

Critical model names

Use one of these exact model strings:

  • qwen-vl-ocr
  • qwen-vl-ocr-latest
  • qwen-vl-ocr-2025-11-20
  • qwen-vl-ocr-2025-08-28
  • qwen-vl-ocr-2025-04-13
  • qwen-vl-ocr-2024-10-28

Selection guidance:

  • Use qwen-vl-ocr for the stable channel.
  • Use qwen-vl-ocr-latest only when you explicitly want the newest OCR behavior.
  • Pin qwen-vl-ocr-2025-11-20 when you need reproducible document parsing based on the Qwen3-VL OCR upgrade.

Prerequisites

  • Install dependencies (recommended in a venv):
python3 -m venv .venv
. .venv/bin/activate
python -m pip install requests
  • Set DASHSCOPE_API_KEY in environment, or add dashscope_api_key to ~/.alibabacloud/credentials.

Normalized interface (ocr.extract)

Request

  • image (string, required): HTTPS URL, local path, or data: URL.
  • model (string, optional): default qwen-vl-ocr.
  • prompt (string, optional): use when you want custom extraction instructions.
  • task (string, optional): built-in OCR task.
  • task_config (object, optional): configuration for built-in task such as extraction fields.
  • enable_rotate (bool, optional): default false.
  • min_pixels (int, optional)
  • max_pixels (int, optional)
  • max_tokens (int, optional)
  • temperature (float, optional): recommended to keep near default/low values.

Response

  • text (string): extracted text or structured markdown/html-style output.
  • model (string)
  • usage (object, optional)

Built-in OCR tasks

Use one of these values in task:

  • text_recognition
  • key_information_extraction
  • document_parsing
  • table_parsing
  • formula_recognition
  • multi_lan
  • advanced_recognition

Quick start

Custom prompt:

python skills/ai/multimodal/aliyun-qwen-ocr/scripts/prepare_ocr_request.py \
  --image "https://example.com/invoice.png" \
  --prompt "Extract seller name, invoice date, amount, and tax number in JSON."

Built-in task:

python skills/ai/multimodal/aliyun-qwen-ocr/scripts/prepare_ocr_request.py \
  --image "https://example.com/table.png" \
  --task table_parsing \
  --model qwen-vl-ocr-2025-11-20

Operational guidance

  • Prefer built-in OCR tasks for standard parsing jobs because they use official task prompts.
  • For critical business fields, add downstream validation rules after OCR.
  • qwen-vl-ocr and older snapshots default to 4096 max output tokens unless higher limits are approved by Alibaba Cloud; qwen-vl-ocr-2025-11-20 follows the model maximum.
  • Increase max_pixels only when small text is missed; this raises token cost.

Output location

  • Default output: output/aliyun-qwen-ocr/request.json
  • Override base dir with OUTPUT_DIR.

References

  • references/api_reference.md
  • references/sources.md

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…