PDF Markdown Converter

v0.2.0

Convert PDF documents to clean, well-formatted Markdown using the MinerU API. This skill uses mineru-open-api CLI to transform PDFs into Markdown with preser...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name, description, and runtime instructions all focus on converting PDFs to Markdown using mineru-open-api, so purpose and capability align. Minor mismatch: registry metadata lists no required binaries, yet the SKILL.md requires installing the mineru-open-api CLI (and the SKILL.md tool list includes Bash(mineru-open-api:*)). That discrepancy should be clarified but doesn't itself indicate malicious intent.
Instruction Scope
Instructions are narrowly scoped to installing the mineru-open-api CLI and running it on user PDFs (flash-extract, extract, model selection, output dirs). They don't instruct reading unrelated files, accessing other env vars, or exfiltrating data to unexpected endpoints.
Install Mechanism
The skill recommends npm install -g mineru-open-api (a public-registry npm package). This is a common distribution method, but global npm installs run third-party code on your machine and can be high-risk if the package or maintainer is untrusted. The skill includes no install spec in the registry metadata and doesn't point to an audited release or repository, so verify the package source before installing.
Credentials
The skill declares no required environment variables or credentials, and SKILL.md mentions a 'token-free flash-extract' mode. However, it doesn't state whether precision/extract modes or the mineru service require API keys, nor how credentials (if any) are stored. Lack of guidance about authentication and data retention is a gap to be aware of.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or agent configs, and only instructs creating output directories under the user's home. It does not ask for persistent elevated privileges.
Assessment
Before installing or running this skill:
1) Verify the mineru-open-api npm package and its maintainer (npm page, GitHub repo, release notes, recent activity).
2) Audit or inspect the package (or install locally instead of -g) in a sandbox or VM if you don’t trust the publisher—npm packages run code during install and execution.
3) Confirm whether the precision/extract modes require an API key and where that key will be stored; avoid supplying secrets until you understand auth and retention policies.
4) If your PDFs contain sensitive data, consider processing a non-sensitive sample first or use an offline/local tool; check the mineru service privacy/retention terms.
5) Prefer installing the CLI locally (not globally) and run it with least privilege.
If any of these checks fail or you can’t verify the package source, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9749q5d89q8wbc5eqwnkwrhmh84ba88
