Upstage Document Classification
PassAudited by ClawScan on May 6, 2026.
Overview
This instruction-only skill is purpose-aligned with Upstage document classification, but users should notice that it needs an Upstage API key and sends document content or document URLs to Upstage.
This skill appears safe to review as a normal external API integration. Before installing or using it, make sure you are comfortable providing an Upstage API key and sending the documents you classify to Upstage. Avoid using it for highly sensitive documents unless your organization approves Upstage's privacy, retention, and billing terms.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API calls will use the user's Upstage account credential and may be subject to that account's permissions, quotas, billing, and provider terms.
The skill needs an Upstage API key, which is expected for this API integration, but users should recognize that the skill uses account-linked credentials.
**API Key**: Always use `os.environ["UPSTAGE_API_KEY"]`. Get your key at [console.upstage.ai](https://console.upstage.ai).
Use a dedicated or least-privileged Upstage API key if available, keep it in the environment rather than hardcoding it, and revoke or rotate it if no longer needed.
Documents or document URLs provided for classification may be processed by Upstage, so sensitive files could leave the user's local environment or private workspace.
The documented workflow sends a document URL to Upstage's external API for classification, which is central to the skill's purpose but creates an external data-sharing boundary.
base_url="https://api.upstage.ai/v1/document-classification" ... "content": [{"type": "image_url", "image_url": {"url": "https://example.com/document.pdf"}}]Only classify documents that are permitted to be shared with Upstage, and review Upstage's privacy, retention, and access controls before using the skill with sensitive documents.
The install page may not fully prepare users for the required credential setup before they try to use the skill.
The registry metadata under-declares the credential that SKILL.md tells users to provide via UPSTAGE_API_KEY. This is a metadata completeness issue rather than evidence of hidden credential use.
Required env vars: none ... Primary credential: none
The publisher should declare UPSTAGE_API_KEY as a required credential/environment variable in metadata so users can make an informed install decision.