easydoc-parse
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: easydoc-parse Version: 1.0.1 The skill bundle provides a legitimate interface for interacting with the EasyDoc document parsing REST APIs (China and Global platforms). The included Python script (scripts/easydoc_parse.py) is well-structured, uses standard libraries (urllib) instead of external dependencies, and performs expected tasks like file validation, multipart form encoding, and status polling. There is no evidence of data exfiltration, malicious execution, or prompt injection; the instructions in SKILL.md actually promote security and performance best practices by advising the agent to use targeted search tools rather than loading full document payloads into the LLM context.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a caller uses an unsafe endpoint override, documents and the API key could be sent somewhere other than the intended EasyDoc service.
The helper is designed to upload files with an API key and includes an endpoint override option. This is not shown as automatic or hidden, but it means users should avoid untrusted base URLs.
parser.add_argument("--base-url", default="", help="Optional base URL override for selected platform.") ... headers = {"api-key": api_key, "Content-Type": f"multipart/form-data; boundary={boundary}"}Use the default EasyDoc/EasyLink endpoints unless you explicitly trust the replacement endpoint, and confirm the file and platform before upload.
A key intended for one platform may be tried against the other platform if the expected platform-specific key is not set.
The script reads provider API keys from environment variables and may fall back to the other platform's key if the preferred key is missing.
if platform == "global":
for key in ("EASYDOC_API_KEY", "EASYLINK_API_KEY"):
...
else:
for key in ("EASYLINK_API_KEY", "EASYDOC_API_KEY"):Set the correct platform-specific key and pass --api-key explicitly when you want to avoid fallback behavior.
Users have less external provenance information for verifying the publisher or code history.
The registry metadata does not provide a source repository or homepage, which limits provenance review, although no remote installer or suspicious static-scan findings are shown.
Source: unknown Homepage: none No install spec — this is an instruction-only skill.
Review the bundled script before use and install only if you trust the publisher and the EasyDoc service endpoints.
Parsed document content may influence later summarization or retrieval tasks if used as a RAG corpus.
The skill explicitly handles parsed JSON as retrieval context and recommends scoped search rather than full-file loading, which is appropriate but still involves using document-derived content in the agent context.
If the parsed output is being used for RAG, do not load the entire JSON file into context by default. ... Read only local slices
Treat parsed document text as untrusted content, retrieve only the needed slices, and avoid loading sensitive full documents into context unless necessary.