ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Slides To Markdown

v1.0.0

Document to Markdown converter - convert DOCX, PPTX, Excel files to Markdown. Use when extracting content from Word documents, PowerPoint presentations, or E...

0· 65·0 current·0 all-time
by@tanis90
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (convert DOCX/PPTX/XLSX to Markdown) matches the runtime instructions and the single required binary (mineru-open-api). There are no unrelated env vars or bizarre binaries requested.
Instruction Scope
SKILL.md instructs the agent to run mineru-open-api flash-extract on local files or URLs and explicitly states that documents are uploaded to MinerU's cloud for processing. This is consistent with the stated purpose, but it means user files are transmitted to an external service — a privacy/data-exfiltration consideration (expected behavior for this skill, but important for users to know).
Install Mechanism
Installers are standard package mechanisms (npm, go install) pointing to mineru-open-api and a GitHub repo. npm/go install is typical but introduces the usual supply-chain risk; SKILL.md also suggests downloading from mineru.net as a fallback, which is higher risk because it may pull arbitrary binaries from the website.
Credentials
No environment variables or credentials are requested by the skill. The SKILL.md claims no API key or signup is required for flash-extract, which aligns with the lack of declared credentials. However, the tool will upload documents to a third-party service, so absence of creds does not eliminate privacy risk.
Persistence & Privilege
always is false and the skill is instruction-only (no code persisted by the skill itself). It does not request system-wide privileges or modify other skills' configs. Normal autonomous invocation is allowed (default) and appropriate for this type of skill.
Assessment
This skill is coherent: it expects the mineru-open-api CLI and uses it to upload documents to MinerU's cloud to produce Markdown. Before installing or using it, consider: 1) Do not upload sensitive or confidential documents unless you trust mineru.net and have verified their privacy/storage policy. The SKILL.md's claim that documents are not stored is not provable from the skill itself. 2) Verify the mineru-open-api package source (npm package and the GitHub repo) and prefer installing from a trusted origin; downloading binaries from the website is higher risk. 3) If you must convert sensitive files offline, look for local/offline tools instead. 4) If you proceed, review CLI install commands, verify checksums or repo authenticity, and run the CLI in a controlled environment (sandbox/container) if possible.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ezaebv1mtsajp5q73v5kxt183hpw7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📑 Clawdis
Binsmineru-open-api

Install

Install via npm
Bins: mineru-open-api
npm i -g mineru-open-api
Install via uv
Bins: mineru-open-api
uv tool install mineru-open-api
Install via go install
Bins: mineru-open-api

Comments