ClawHub

OkraPDF

v1.0.0

OkraPDF — upload PDFs, read extracted content, ask questions, extract structured data, and manage collections. Covers MCP, CLI, and HTTP.

0· 49·0 current·0 all-time
bySteven Tsao@steventsao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
SKILL.md describes a PDF-upload + extraction/chat service (MCP, CLI, HTTP) and all instructions map to that purpose. However, the registry metadata lists no required credentials or env vars while the README clearly expects an API key (OKRA_API_KEY / 'YOUR_API_KEY'). This mismatch is a minor incoherence.
Instruction Scope
Instructions are scoped to uploading/reading/asking about PDFs via api.okrapdf.com, installing a CLI, and adding an MCP entry. They explicitly instruct modifying user agent config files (~/.claude/mcp.json, .cursor/mcp.json) and installing a global npm package; those actions are within the stated purpose but are side-effects the user should be aware of and which are not declared in the registry metadata.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md tells users to run 'npm install -g okrapdf' and to set an API key. Installing a global npm package carries normal supply-chain risk; the skill does not provide a vetted install source or manifest entry for this step.
Credentials
The service reasonably requires an API key (Authorization: Bearer), and the SKILL.md references OKRA_API_KEY and a user API key. That credential is proportional to the service, but the skill metadata did not declare required env vars or the primary credential — an inconsistency worth noting.
Persistence & Privilege
The skill does not request always: true and does not require system-wide privileges. It asks the user to add an MCP server entry and to install a CLI, which is normal for an integration; these are not excessive privileges.
Assessment
This appears to be a legitimate PDF-extraction/QA integration, but take these precautions before installing or using it: 1) Confirm the remote domain (api.okrapdf.com / okrapdf.com) is one you trust and review their privacy/TOS because uploaded PDFs will be sent to that service. 2) The SKILL.md expects an API key (OKRA_API_KEY) and tells you to store it in agent config or environment; the skill metadata did not declare this — do not paste sensitive or org-confidential documents until you verify the provider. 3) The CLI install uses npm - audit the npm package 'okrapdf' (check publisher, version history, and repository/source code) before global installation. 4) If you must proceed, create a least-privilege API key, test with non-sensitive files, and consider running the CLI in a sandboxed environment. 5) If you need higher assurance, ask the publisher for source/release links or a homepage and request that required env vars and install steps be declared in the registry metadata.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cthcfp966q3jgh8sqqm8afn83xvk7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments