Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Word To Markdown

v1.0.0

Document to Markdown converter - convert DOCX, PPTX, Excel files to Markdown. Use when extracting content from Word documents, PowerPoint presentations, or E...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, required binary (mineru-open-api), and the install specs (npm/uv/go) all align with a CLI-based document-to-Markdown converter. There are no unrelated binaries or unexpected credential requests.
Instruction Scope
SKILL.md instructs the agent to run mineru-open-api flash-extract on local files or URLs and explicitly states the CLI uploads documents to MinerU's cloud for processing. The instructions do not ask the agent to read unrelated files or environment variables, but they do cause user documents to be transmitted externally; the SKILL.md claims 'not stored' which cannot be verified from the instructions alone.
Install Mechanism
Install methods (npm, uv, go install from a GitHub path) are standard for a CLI. There is some risk inherent in installing third-party packages: the publisher is not a broadly-known vendor here and SKILL.md also offers a direct download link on mineru.net. Verify package source and integrity before installing.
Credentials
The skill declares no required environment variables or credentials, which is proportionate for a simple CLI wrapper. Note: absence of credentials means files are processed by a public/unauthenticated endpoint — a privacy (not a coherence) concern.
Persistence & Privilege
The skill is not marked always:true and does not request elevated agent persistence or modify other skills. Autonomous invocation is allowed (default) but is not combined with other red flags.
Assessment
This skill appears to do what it says, but it uploads documents to MinerU's cloud without requiring an API key. Before installing or using it: (1) Do not upload sensitive or confidential documents unless you trust mineru.net and have read their privacy policy; (2) Verify the mineru-open-api package source (npm page, GitHub repo) and install from a trusted package manager; (3) If possible, inspect the package code or checksums before running it; (4) Test with non-sensitive sample files first; (5) If you need offline conversion, consider local tools like pandoc or other vetted converters.

Like a lobster shell, security has layers — review code before you run it.

latest: vk978qg10504b7mtsw30z85z9zx83jzrp

Runtime requirements

📑 Clawdis
Bins: mineru-open-api

Install

Install via npm
Bins: mineru-open-api
npm i -g mineru-open-api
Install via uv
Bins: mineru-open-api
uv tool install mineru-open-api
Install via go install
Bins: mineru-open-api
