Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
pdf-processor-for-minimax
v1.0.0
Uses the MiniMax model to extract text and images from PDF files. Invoke this skill when the user needs to process PDF content, extract information from a PDF, or analyze a PDF document.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly the stated purpose (extract text/images from PDFs and send them to MiniMax for analysis). However, the registry metadata lists no required environment variables or primary credential while the instructions explicitly require MINIMAX_API_KEY (and optionally MINIMAX_GROUP_ID). That metadata omission is an incoherence: a PDF→MiniMax skill legitimately needs an API key and should declare it in metadata.
Instruction Scope
Runtime instructions are narrowly scoped to reading a local PDF, extracting text/images with PyMuPDF, and sending content (including base64-encoded images) to the MiniMax API. They do not request unrelated files, system-wide credentials, or external endpoints other than MiniMax. The SKILL.md correctly warns about privacy/costs. Minor issues: sample code omits an import of os before using os.environ, and embedding images as data URLs may create very large API payloads (performance/cost concern) but not a security red flag by itself.
Install Mechanism
This is an instruction-only skill with no install spec or code files; it only recommends pip packages (pymupdf, minimax-client, pillow). There are no arbitrary downloads or archive extracts. The install guidance is typical and low-risk, but you should independently vet the minimax-client package on PyPI or official docs before installing.
Credentials
The instructions require MINIMAX_API_KEY (and optionally MINIMAX_GROUP_ID) — appropriate for contacting MiniMax — but the skill metadata does not declare these required environment variables or a primary credential. That mismatch reduces transparency. Also, because the skill sends full PDF text and images to an external API, the user should consider privacy implications before providing the API key or processing sensitive documents.
Persistence & Privilege
The skill does not request persistent presence (always:false) and makes no claims about modifying agent configuration or other skills. Autonomous invocation is enabled by default (disable-model-invocation:false), which is normal; this is acceptable but increases blast radius if the skill were malicious — combined with the provenance concerns, exercise caution.
What to consider before installing
This skill appears to do what it says (extract PDF text/images and send them to MiniMax), but the package metadata fails to declare the required MiniMax API credentials and the source/homepage is unknown. Before installing or using it:
1) Verify the skill’s provenance (who published it and where the minimax-client package comes from).
2) Expect to set MINIMAX_API_KEY (and optionally MINIMAX_GROUP_ID) in your environment — do not reuse high-privilege or long-lived keys for untrusted code.
3) Avoid sending sensitive or regulated PDFs to external APIs unless you’ve confirmed compliance/privacy protections.
4) Review the minimax-client package on PyPI or the vendor docs and consider running the code in an isolated environment.
If you want me to, I can: (a) check the minimax-client package details on PyPI, (b) suggest a minimal hardened wrapper for local use, or (c) propose metadata edits that would make this skill's requirements transparent.
Like a lobster shell, security has layers — review code before you run it.
latest vk97b796hny74wa13q890yb8r6n83kh2d
