Skill v2.1.0
ClawScan security
MinerU PDF Parser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 28, 2026, 3:00 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested environment access are consistent with a document-to-Markdown parser that uploads files to mineru.net using a MINERU_TOKEN; no obvious mismatches or hidden exfiltration channels were found.
- Guidance: This skill uploads your documents to mineru.net for parsing; do not use it with confidential or regulated documents unless you trust the service and its privacy policy. Provide only the MINERU_TOKEN (no other credentials required). Note the minor metadata bug in the registry (shows [object Object]) and that the async script currently enumerates only PDFs; if you need DOCX/PPTX images in async mode use the other scripts or confirm behavior. Installing the skill will require installing standard Python packages (requests, aiohttp). Verify output paths (especially cloud/Obsidian paths) before running to avoid accidental writes or syncs.
Review Dimensions
- Purpose & Capability (ok): Name/description (convert PDFs/Word/PPT/images to Markdown) aligns with the provided scripts and API usage. The scripts call mineru.net endpoints, accept files, and produce Markdown; functionality matches the stated purpose.
- Instruction Scope (note): SKILL.md instructs the agent to set MINERU_TOKEN and run provided Python scripts, upload files, and save extracted output locally or to an Obsidian path. All referenced operations (reading input files, uploading to mineru.net, downloading/extracting zip results, writing output) are within the expected scope. Minor inconsistency: scripts/mineru_async.py only enumerates PDF files (glob *.pdf) while SKILL.md claims async version supports all listed formats; this is likely an implementation detail but worth noting.
- Install Mechanism (ok): Dependencies are standard PyPI packages (requests, aiohttp) and there is a requirements.txt. No suspicious remote downloads or archive extraction from untrusted URLs are used. This is a typical pip-based installation footprint.
- Credentials (note): The only required credential is MINERU_TOKEN (Bearer API token), which is proportionate for a cloud parsing service. One metadata glitch in the registry shows 'Required env vars: [object Object]'; this is a UI/metadata bug but not a functional request for additional unrelated secrets.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request persistent elevated privileges or modify other skills. It runs only when invoked and only uses the provided token and local filesystem paths for input/output.
