Upstage Document Classification
PassAudited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill Name: upstage-document-classification Version: 1.0.0 The skill bundle provides documentation and code examples for integrating the Upstage Document Classification API into the OpenClaw agent. It uses standard environment variables for authentication (UPSTAGE_API_KEY) and communicates with the legitimate Upstage API endpoint (api.upstage.ai). The instructions in SKILL.md and references/document-split.md are consistent with the stated purpose of document classification and splitting, with no evidence of malicious intent, data exfiltration, or unauthorized command execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API calls will use the user's Upstage account credential and may be subject to that account's permissions, quotas, billing, and provider terms.
The skill needs an Upstage API key, which is expected for this API integration, but users should recognize that the skill uses account-linked credentials.
**API Key**: Always use `os.environ["UPSTAGE_API_KEY"]`. Get your key at [console.upstage.ai](https://console.upstage.ai).
Use a dedicated or least-privileged Upstage API key if available, keep it in the environment rather than hardcoding it, and revoke or rotate it if no longer needed.
Documents or document URLs provided for classification may be processed by Upstage, so sensitive files could leave the user's local environment or private workspace.
The documented workflow sends a document URL to Upstage's external API for classification, which is central to the skill's purpose but creates an external data-sharing boundary.
base_url="https://api.upstage.ai/v1/document-classification" ... "content": [{"type": "image_url", "image_url": {"url": "https://example.com/document.pdf"}}]Only classify documents that are permitted to be shared with Upstage, and review Upstage's privacy, retention, and access controls before using the skill with sensitive documents.
The install page may not fully prepare users for the required credential setup before they try to use the skill.
The registry metadata under-declares the credential that SKILL.md tells users to provide via UPSTAGE_API_KEY. This is a metadata completeness issue rather than evidence of hidden credential use.
Required env vars: none ... Primary credential: none
The publisher should declare UPSTAGE_API_KEY as a required credential/environment variable in metadata so users can make an informed install decision.