v1.0.4

upstage-document-parse

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:15 AM.

Analysis

This appears to be a straightforward document-parsing skill, but it sends selected documents to Upstage and uses an Upstage API key.

Guidance

Before installing, make sure you are comfortable sending chosen documents to Upstage for parsing. Protect the API key, confirm file paths before asking the agent to parse them, and avoid using the skill on documents that you are not allowed to share with a third-party service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
requires":{"bins":["curl"],"env":["UPSTAGE_API_KEY"]},"primaryEnv":"UPSTAGE_API_KEY"

The skill requires an Upstage API key to authenticate requests to the document parsing service.

User impact: Anyone using the skill must provide a credential that can make requests against their Upstage account and may incur usage or expose account access if mishandled.
Recommendation: Use a dedicated or least-privileged Upstage API key if available, keep it out of shared transcripts, and rotate it if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
SKILL.md
curl -X POST "https://api.upstage.ai/v1/document-digitization" ... -F "document=@/path/to/file.pdf"

The documented workflow uploads the selected document file to Upstage’s external API for parsing.

User impact: Documents may contain private, regulated, or business-sensitive content, and using this skill sends that content to a third-party service for processing.
Recommendation: Only parse documents you are permitted to upload to Upstage, review Upstage’s data handling terms, and avoid using the skill on highly sensitive files unless that sharing is acceptable.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
Results stored for 30 days

The async parsing flow documents provider-side retention of parsing results.

User impact: Parsed output from large documents may remain available through the provider for a period after processing.
Recommendation: Use the async workflow only when provider-side result retention is acceptable, and manage request IDs or download URLs carefully.