Upstage Information Extraction
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user must provide an Upstage API key, which can authorize API usage and may incur account usage or billing depending on the Upstage account.
The skill requires a sensitive Upstage API credential. This is expected for the service integration, but users should notice that a credential is needed.
API Key: Always use `os.environ["UPSTAGE_API_KEY"]`.
Use a dedicated Upstage key with the minimum needed scope if available, keep it in environment variables, and rotate it if it is exposed.
Documents or document URLs provided to the skill may be processed by Upstage, so sensitive content may leave the user's local environment.
The extraction workflow sends document references to Upstage's external API. This is central to the skill, but invoices, receipts, and trade documents can contain sensitive business or personal data.
base_url="https://api.upstage.ai/v1/information-extraction" ... "image_url": {"url": "https://example.com/invoice.pdf"}Only use the skill for documents you are allowed to send to Upstage, and review Upstage's data retention and privacy terms for sensitive files.
Sensitive extracted data may remain on disk after the task completes, depending on temp-directory cleanup behavior.
The skill stores extracted structured data in a local temp file by default. This is purpose-aligned, but extracted fields may include sensitive financial or identity information.
Default: write extracted JSON to `<system-temp>/<input-stem>.extracted.json` (e.g., `/tmp/invoice.extracted.json`).
Choose an explicit output path when needed, protect the file, and delete temporary extraction outputs when they are no longer needed.