ClawHub

Mistral PDF OCR

v1.0.0

Extracts text, tables, and images from PDFs (including scanned PDFs) using the Mistral OCR API. Use when user asks to OCR a PDF/image, extract text from a PD...

0· 529·0 current·0 all-time
byTristan Manchester@tristanmanchester
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name and description (OCR PDFs via Mistral) match the code and docs: the script uploads local files or calls a public URL and invokes Mistral's OCR. However the registry metadata claims no required environment variables or primary credential while both SKILL.md and the script require MISTRAL_API_KEY. This mismatch is an incoherence in the declared purpose/capability surface.
Instruction Scope
The SKILL.md and bundled script are narrowly scoped to OCR: uploading files to Mistral Files API, calling Mistral OCR, and writing deterministic outputs (markdown, images, JSON). The instructions do not attempt to read unrelated system files or secrets. They do instruct uploading documents (including private PDFs) to an external API, which is expected for OCR but has privacy implications.
Install Mechanism
There is no download-from-URL install; the bundle includes a requirements.txt specifying mistralai>=1.0.0. That is a standard PyPI dependency and proportionate for this task. No suspicious remote install URLs or archive extraction were found.
!
Credentials
The script and SKILL.md require the MISTRAL_API_KEY environment variable (and network access) to call the third-party OCR API. The registry metadata incorrectly lists no required env vars/credentials — this is inconsistent and could mislead users into installing without supplying the key. Requesting a single API key for the external OCR service is proportionate, but the metadata mismatch is a red flag. Also be aware the skill will transmit full document content (and optional embedded images) to the Mistral service.
Persistence & Privilege
The skill does not request permanent 'always' presence and doesn't modify other skills or system-wide agent settings. It runs a local script and uses the Mistral SDK; no elevated platform privileges are requested.
What to consider before installing
What to consider before installing: - The code and SKILL.md require MISTRAL_API_KEY and network access; the registry metadata incorrectly omits that. Do not assume no credentials are needed. Ask the publisher to fix the metadata if unclear. - This skill uploads documents (including private or scanned PDFs) to Mistral's API. If your documents contain sensitive data (PII, secrets, financial data), review Mistral's privacy/retention policy and legal terms before using. - The script optionally includes embedded images (base64) in requests and can request document-level annotations that extract structured fields — these increase data sent to the API. - Uploaded files may remain on the provider if the SDK/version doesn't support deletion; the script's cleanup is best-effort. If you need guaranteed removal, verify deletion behavior with a test upload or contact Mistral. - The dependency is a normal PyPI package (mistralai). Install in an isolated environment and inspect the package if you need higher assurance. - If you plan to use this skill in automated agents, ensure the MISTRAL_API_KEY has least-privilege scope (if supported) and rotate/revoke it as needed. - If anything is unclear (why metadata omitted the API key, or about retention/deletion), ask the skill owner to clarify before enabling it for sensitive documents.

Like a lobster shell, security has layers — review code before you run it.

latestvk973d3zaz1tkp6nkzake5g4pnn81kyqs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments