ClawHub

Nanonets OCR

v1.0.2

Document extraction API by Nanonets. Convert PDFs and images to markdown, JSON, or CSV with confidence scoring. Use when you need to OCR documents, extract invoice fields, parse receipts, or convert tables to structured data.

21· 3.7k·28 current·29 all-time
by@shhdwi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name and SKILL.md describe an OCR/document-extraction service and all runtime examples call an external extraction API — requiring an API key for that service is expected. Minor inconsistency: registry metadata at the top reports no required env vars, but the included package.json and SKILL.md clearly request DOCSTRANGE_API_KEY.
Instruction Scope
SKILL.md contains explicit curl examples and configuration guidance limited to sending documents to the documented extraction endpoints and storing an API key. It does not instruct the agent to read unrelated files, system secrets, or exfiltrate data to unknown endpoints. Note: the documented behavior necessarily transmits document content (potentially sensitive) to the external API.
Install Mechanism
No install spec and no code files that would be executed; the skill is instruction-only, which minimizes disk-written code risk.
Credentials
Only one credential (DOCSTRANGE_API_KEY) is required per package.json and SKILL.md — appropriate for a hosted OCR API. However, registry metadata in the skill summary stated 'Required env vars: none', which contradicts the package.json's openclaw.requiredEnv and primaryEnv entries; this mismatch should be resolved before trusting automated configuration.
Persistence & Privilege
always is false and there is no request to modify other skills or system-wide agent settings. The skill may be invoked autonomously (platform default), which is expected for a user-invocable skill.
Scan Findings in Context
[no_regex_findings] expected: The repository was scanned with regex-based detectors and no warnings were produced. This is expected for an instruction-only skill composed of SKILL.md and package.json, but lack of findings is not evidence of safety — review the SKILL.md and endpoints manually (done above).
Assessment
This skill appears to do what it says: it sends documents to an external document-extraction API and requires a DOCSTRANGE_API_KEY. Before installing: (1) confirm the API key comes from a legitimate provider (check the real homepage/policy for Nanonets or DocStrange); (2) avoid sending highly sensitive PII or secrets to the service unless you trust its privacy/security policy; (3) prefer storing the API key in your agent's secret store or environment variables (not in plaintext ~/.openclaw/openclaw.json); (4) resolve the metadata mismatch (registry says no env vars while package.json/SKILL.md require DOCSTRANGE_API_KEY) — that may be a packaging error; and (5) if you need higher assurance, ask the publisher for a source repository or official homepage before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk977enkdt62d5ap40sdqarp5rn80zp1m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments