Doc2md
v1.0.0
Document to Markdown converter - convert DOCX, PPTX, Excel files to Markdown. Use when extracting content from Word documents, PowerPoint presentations, or E...
by @tanis90
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name/description match its requirements: it requires the mineru-open-api CLI and its instructions call that CLI to convert DOCX/PPTX/XLSX to Markdown. The declared install methods (npm/uv/go) and the referenced GitHub repo align with a CLI distribution.
Instruction Scope
SKILL.md instructs the agent to run mineru-open-api flash-extract against local files or URLs; it does not ask the agent to read unrelated files or environment variables. However, the flash-extract operation uploads user documents to MinerU's cloud API (per the doc), and the skill therefore causes outbound transfer of potentially sensitive content. It also allows converting documents located by URL, which could cause the tool to fetch arbitrary network resources.
Install Mechanism
Installation is via npm/uv/go for a named package (mineru-open-api) or a GitHub go install. This is a typical distribution model but still executes third‑party code on the user's machine. No arbitrary download-from-random-URL installer is specified, which reduces but does not eliminate risk. Users should verify package provenance before installing.
Credentials
The skill requests no environment variables or credentials (proportionate), but it explicitly uploads documents to a third‑party cloud without requiring authentication. That low friction makes accidental or unwanted exfiltration easier — especially for sensitive files. The SKILL.md also claims documents are not stored after extraction; that is a vendor promise and not enforced by the skill itself.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request persistent privileges, modify other skills, or require special platform flags. Autonomous invocation remains possible (default), but that is normal and not a sole reason for concern here.
Assessment
This skill appears to do what it says — it calls the mineru-open-api CLI to upload and convert documents to Markdown. Before installing or using it: (1) do not upload sensitive or confidential documents unless you trust mineru.net and have reviewed its privacy/storage policy, because flash-extract uploads files to a third-party endpoint without authentication; (2) verify the mineru-open-api package/repo provenance (npm/uv package name and the GitHub repo) before installing third‑party CLI software; (3) if you need offline processing, prefer an offline converter or run the CLI in a sandboxed environment; (4) be cautious about conversion requests that reference internal URLs (the tool may fetch arbitrary network resources). If you want a deeper assessment, provide the mineru-open-api package source (npm link or GitHub repo contents) so its code and network behavior can be reviewed.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97ag5kz8npvk62mamta8k72g983hrc0
Runtime requirements
📑 Clawdis
Bins: mineru-open-api
Install
Install via npm
Bins: mineru-open-api
npm i -g mineru-open-api
Install via uv
Bins: mineru-open-api
uv tool install mineru-open-api
Install via go install
Bins: mineru-open-api
