Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pdf Ocr

v1.0.0

Converts scanned PDFs to Word documents. Supports Chinese OCR, automatically crops page headers and footers, preserves illustrations, and keeps colour chapter cover pages as images. Uses the Baidu OCR API (free tier: 1000 calls/month). Triggered when the user asks to convert a scanned PDF to text/Word.

1.5k · 60 current · 63 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (PDF OCR using Baidu) matches the provided scripts: they render PDF pages, crop header/footer, call Baidu OCR, and produce a .docx. However, SKILL.md and skill.json claim behaviors (e.g., server-side retention of originals, automatic progress saves every 50 pages) that are not present in the scripts, which is an inconsistency.
Instruction Scope
SKILL.md instructs running the shipped scripts and documents QPS limits and other behaviors. It also explicitly embeds the Baidu API key/secret in the README. The instructions state 'the original high-resolution version is retained on the server' (原始高清版保留在服务器) and 'progress is saved automatically every 50 pages' (每50页自动保存一次进度), but the executable scripts perform only local processing and save the final docx at the end (no autosave, no upload). This mismatch could mislead users about where files are stored and what the skill does with input PDFs.
Install Mechanism
No install spec; this is instructions plus local Python scripts. Dependencies are common Python libs (pymupdf, python-docx, pillow). No external downloads or archive extraction observed.
Credentials
The skill metadata claims no required env vars, but the code reads BAIDU_API_KEY and BAIDU_SECRET_KEY from the environment with defaults set to literal API credentials. Those same credentials are published in SKILL.md. Publishing working API credentials in a public skill is a security/privacy concern (credential leakage, misuse of quota, potential billing/abuse). If the developer intended to include a demo key, it should still be documented as such and not presented as the only credential option.
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not modify other skills, and is not configured to be force-included. It runs local scripts and writes output files to the chosen output directory.
What to consider before installing
This skill's code and docs mostly align with a local PDF→OCR workflow, but there are notable red flags you should address before using it on sensitive files:
- The SKILL.md and scripts include a hard-coded Baidu API key/secret. Treat those as leaked credentials: replace them with your own account keys (set via the BAIDU_API_KEY and BAIDU_SECRET_KEY env vars) or remove the defaults entirely.
- SKILL.md claims 'original high-resolution copies retained on server' and 'autosave every 50 pages', but the provided scripts do not upload files or autosave. Ask the publisher to clarify where uploads (if any) occur. Do not assume remote storage unless the developer confirms and documents it.
- Because the included credentials are public, the account's quota or bills might be abused; consider monitoring, or use your own key with limited scope/quotas.
- Test the scripts locally on non-sensitive sample PDFs first. Review and run them in an isolated environment. If you need autosave or explicit server behavior, request updated code that implements those features transparently.
- If you don't want to rely on Baidu, modify the code to use your preferred OCR provider and remove the embedded secrets. If you proceed nonetheless, remove the hard-coded keys from distributed files to avoid credential leakage.


latest · vk973xwn2pa3m0ejh6019nsaj91828zde
