Upstage Information Extraction
PassAudited by ClawScan on May 6, 2026.
Overview
This skill appears to do what it says, but it needs an Upstage API key and may send or store sensitive document data during extraction.
Before installing, confirm you are comfortable sending the relevant documents or document URLs to Upstage, store the UPSTAGE_API_KEY securely, and clean up any temporary extracted JSON files that contain sensitive data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user must provide an Upstage API key, which can authorize API usage and may incur account usage or billing depending on the Upstage account.
The skill requires a sensitive Upstage API credential. This is expected for the service integration, but users should notice that a credential is needed.
API Key: Always use `os.environ["UPSTAGE_API_KEY"]`.
Use a dedicated Upstage key with the minimum needed scope if available, keep it in environment variables, and rotate it if it is exposed.
Documents or document URLs provided to the skill may be processed by Upstage, so sensitive content may leave the user's local environment.
The extraction workflow sends document references to Upstage's external API. This is central to the skill, but invoices, receipts, and trade documents can contain sensitive business or personal data.
base_url="https://api.upstage.ai/v1/information-extraction" ... "image_url": {"url": "https://example.com/invoice.pdf"}Only use the skill for documents you are allowed to send to Upstage, and review Upstage's data retention and privacy terms for sensitive files.
Sensitive extracted data may remain on disk after the task completes, depending on temp-directory cleanup behavior.
The skill stores extracted structured data in a local temp file by default. This is purpose-aligned, but extracted fields may include sensitive financial or identity information.
Default: write extracted JSON to `<system-temp>/<input-stem>.extracted.json` (e.g., `/tmp/invoice.extracted.json`).
Choose an explicit output path when needed, protect the file, and delete temporary extraction outputs when they are no longer needed.